From 074dc8147ef8659c1390c6b7c3ff752e92c0ec7c Mon Sep 17 00:00:00 2001
From: Nidhi Pandey
Date: Tue, 18 Jun 2024 09:53:47 +0530
Subject: [PATCH 1/5] test
---
 test.txt | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 test.txt
diff --git a/test.txt b/test.txt
new file mode 100644
index 0000000..e69de29
From c3955dfedee7facf813cb9c9a7ce46c47b47a30e Mon Sep 17 00:00:00 2001
From: Nidhi Pandey
Date: Tue, 18 Jun 2024 10:16:34 +0530
Subject: [PATCH 2/5] CFT Files
---
 aws-vmseries-with-gwlbe-CFT/README.md | 323 ++++
 .../aws-panw-gwlb-cfn-combined.yaml | 1152 ++++++++++++++
 .../aws-panw-gwlb-cfn-root.yaml | 391 +++++
 .../aws-panw-gwlb-cfn-security.yaml | 706 +++++++++
 .../aws-panw-gwlb-cfn-vmseries.yaml | 451 ++++++
 ...ws-panw-vmseries-gwlb-team-iam-policy.json | 76 +
 .../s3assets/authcodes | 1 +
 .../s3assets/bootstrap.xml | 1371 +++++++++++++++++
 .../s3assets/init-cfg.txt | 20 +
 .../sample/samplereadme1.md | 81 +
 aws-vmseries-with-gwlbe-CFT/samplereadme.md | 324 ++++
 aws-vmseries-with-gwlbe-CFT/setup-cft.sh | 27 +
 12 files changed, 4923 insertions(+)
 create mode 100644 aws-vmseries-with-gwlbe-CFT/README.md
 create mode 100644 aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-combined.yaml
 create mode 100644 aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-root.yaml
 create mode 100644 aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-security.yaml
 create mode 100644 aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-vmseries.yaml
 create mode 100644 aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-vmseries-gwlb-team-iam-policy.json
 create mode 100644 aws-vmseries-with-gwlbe-CFT/s3assets/authcodes
 create mode 100644 aws-vmseries-with-gwlbe-CFT/s3assets/bootstrap.xml
 create mode 100644 aws-vmseries-with-gwlbe-CFT/s3assets/init-cfg.txt
 create mode 100644 aws-vmseries-with-gwlbe-CFT/sample/samplereadme1.md
 create mode 100644 aws-vmseries-with-gwlbe-CFT/samplereadme.md
 create mode 100644 aws-vmseries-with-gwlbe-CFT/setup-cft.sh
diff --git a/aws-vmseries-with-gwlbe-CFT/README.md b/aws-vmseries-with-gwlbe-CFT/README.md
new file mode 100644
index 0000000..ca25115
--- /dev/null
+++ b/aws-vmseries-with-gwlbe-CFT/README.md
@@ -0,0 +1,323 @@
+# aws-panw-vmseries-cft-deployment
+
+This GitHub repository contains CloudFormation templates designed to deploy a lab environment featuring Palo Alto's VM-Series firewall integrated with AWS Gateway Load Balancer. The primary goal of this lab is to provide hands-on experience in setting up and configuring network security measures to protect digital assets. The lab aims to simulate various network security scenarios and provides a structured environment for users to practice configuring and managing network security policies.
+
+The lab consists of multiple use cases, each addressing specific network security tasks and validations. In this lab we are deploying a single instance of VM-Series firewall and not using autoscale service.
+
+**Duration**: It will take approximately 2 hours to successfully complete this lab.
+
+**Note**: After completion of lab please make sure to run the **cleanup steps** mentioned towards the end of this guide to remove the resources, even if you are not able to complete it please execute the cleanup to remove all the resources.
+
+## Outline
+
+
+

Full Starting Diagram with Route Tables

+
+
+
+- aws-panw-gwlb-cfn-root.yaml. This is the root stack that will be deployed. The other template files are nested from this one.
+
+
+You can set up this environment in the following way:
+
+### Rapid S3 Setup
+
+**Note:** You will need access to AWS CloudShell for this mode of setup.
+
+1. Login to the AWS Console and change to the region of your choosing. Supported regions are:
+ - eu-north-1
+ - eu-west-1
+ - us-east-1
+ - us-east-2
+ - us-west-1
+ - us-west-2
+2. Open AWS CloudShell, wait for the CLI prompt to show up.
+3. Clone the github repository.
+```
+git clone https://github.com/AfrahAyub/panw-aws-jam-challenge-resources.git && cd panw-aws-jam-challenge-resources
+```
+4. Run the setup command.
+```
+./setup-cft.sh
+```
+
+Once the script completes execution, you should be able to see the output as shown below.
+```
+Setup completed successfully. Please proceed to CFT deployment.
+Please use the below Template URL for CFT deployment.
+TEMPLATE_URL = https://panw-aws-resources-506b9ea8-ce65-4416-8f5d-288991b33a30.s3.us-east-1.amazonaws.com/panw-vmseries-gwlb/aws-panw-gwlb-cfn-root.yaml
+```
+5. Please create a new EC2 key pair in the region where you are going to deploy the setup script and once you have uploaded the setup script please rename the EC2 key pair and provide the name of the key-pair that you have generated
+
+
+## Please go through the following cases in order to run the Use Cases
+
+
+## Use Case 1: Inspect outbound traffic using VM Series
+
+In this Use Case we will be redirecting outbound traffic from the **Beer Store Data Database Server** to the **Palo Alto Networks** firewall for inspection. This involves AWS routing adjustments and verifying traffic logs on the firewall. Read the following in order to run the Use Case 1:
+## Task
+
+**Step 1**- In this step we will Update AWS routing to redirect the Beer Store Data Database Server outbound traffic for inspection by VM-Series through the "Transit Gateway".
Please go through the follwoing steps:
+
+ 1: In this step we will check the VPC Route Table to check if the Route Tables of the Beer Store Data VPC is pointing to
+ the correct resource
+
+ 2: The Traffic will not be shown in the firewall at first, to see the traffic in the Firewall monitoring. Please do the
+ following:
+
+ 1. Login into the AWS console
+ 2. Go to VPC
+ 3. Select in filter by VPC field the "Beer Store Data VPC"
+ 4. Next, go to route tables and select the "Beer Store Data Private route table"
+ 5. In the route table click on routes (see below)
+
+

+
+ 6. Click Edit routes and do the following changes:
+
+ 1. Remove the route 10.0.0.0/8 -> Target TGW
+ 2. Change the route 0.0.0.0/0 -> TGW
+ 3. Click Save
+
+7. Once you made the changes your route should look like the example below
+
+

+
+
+**Step 2**- Now login to the firewall. Go through the following steps:
+
+ - Identify the Elastic IP (Security VM-Series Management) of the EC2 Instance named "Security VM-Series" to find the server's private IP.
+ 1. On the AWS Console go to EC2
+ 2. On the EC2 Dashboard click on Instances
+ 3. The following EC2 instances are used by the lab:
+ - Beer Store Data Database
+ - Beer Store Frontend Webserver
+ - Security VM-Series (Palo Alto Networks Firewall)
+
+
+ - Open a browser window and navigate to https://("Security VM-Series-EIP")
+ - Login with the following credentials:
+ - Username: admin
+ - Password: Pal0Alt0@123
+
+
+**Step 3**- Now we will do the following steps in order to run the attack:
+- Once you made the appropriate changes in the AWS routing you can log into the **Beer Store Data Database Server** via the SSM service and test with the **curl** command if the EC2 instance has internet access.
+ - example curl command **sudo curl www.google.de**
+ - To Login into the Beer Store Data Database Server:
+ - Use the Session Manager to log into the Server
+ - The name of the VM is "Beer Store Data Database"
+
+- If the curl command isn't working in the **Beer Store Data Database Server**, check the Palo Alto Networks Firewall Monitor Logs to see which application is now blocked from the Firewall.
+
+- You should see the following example log in the firewall monitoring. By adding the following filter **( zone.src eq internal ) and ( zone.dst eq external )** into the Monitor Logs filter bar.
 Some fields in the example log were removed.
+

VPC Logs

+
+
+**Step 4**- Check the "Firewall Monitor" traffic logs to verify if you can see any traffic from the Beer Store Data Database Server. To see the Traffic Logs inside the firewall:
+- Login into the firewall
+- Inside the firewall navigate to Monitor -> Traffic
+- See the following picture as an example

Monitor Logs

+- In the :Monitor: Traffic" window change the refresh timer from **Manual** to **10 seconds** by clicking on the dropdown field on the top right as the picture below shows
+

Monitor Logs

+
+
+
+
+This is the end of first Use Case.
+
+
+## Use Case 2: Inspect east-west traffic using VM-Series
+
+In this Use Case we will have VM-Series firewall inspect east-west traffic between the **Beer Store Data Database Server** and the **Beer Store Frontend Webserver**. As a part of this task we will update the AWS routing and also check the firewall logs. Read the following in order to run the Use Case 2:
+## Task
+
+1. As the first step let's check the traffic between the Beer Store Data Database Server and the Beer Store Frontend Webserver. You can add the following filter into the Firewall Monitor **( zone.src eq internal ) and ( zone.dst eq internal )**
+2. There should not be logs seen on the firewall, so let's update the AWS routing. Please go through the following steps:
+
+**Step 1**: To make changes in the AWS routing we will do the following:
+ 1. Login into the AWS console
+ 2. Go to VPC Services and select under Transit Gateways the Transit gateway route tables
+
+

+
+
+ 3. Select the Spoke TGW Route Table
+ 4. In the Route table click on Propagations
+
+

+
+
+ 5. Select each propagations one by one and click delete propagations. Repeat it until both are deleted.
+ 6. Your TGW Route table should looks like the following after the deletion
+
+

+
+
+**Step 2**: To find the logs inside the "Firewall: Monitor":
+ 1. Log into the Palo Alto Networks VM-Series Firewall
+ 2. Go to Monitor -> Traffic
+
+

+ +
+
+Note: The attack is being automatically generated.
+
+ 3. In the Filter field paste the the following filter ( zone.src eq internal ) and ( zone.dst eq internal ) and ( app eq ssh )
+
+

+
+
+**Step 3**:
+ 1. In the Monitor logs have a look at the column "TO PORT".
+
+

+
+
+ 2. Once you made the appropriate changes in AWS check if can see now traffic between the **Beer Store Data Database Server** and the **Beer Store Frontend Webserver** by typing the following filter in the "Firewall: Monitor" **( zone.src eq internal ) and ( zone.dst eq internal )**
+
+ 3. You should be able to see the following Monitor Logs inside the Firewall
+

SSH Logs

+
+
+This is the end of second Use Case.
+
+
+## Use Case 3: Inspect inbound traffic using VM-Series
+
+In this Use Case the VM-Series firewall will inspect inbound traffic towards the **Beer Frontend VPC**. As a part of this task we will be redirecting traffic, checking logs, identifying vulnerabilities, and updating firewall settings to block or reset malicious traffic. Read the following in order to run the Use Case 3:
+
+## Task
+
+1. You realized that you have no inbound inspection on the Beer Store by looking into the "Firewall: Monitor" logs and adding the following filter **(( zone.src eq frontend ) and ( zone.dst eq frontend )) or (( zone.src eq external ) and ( zone.dst eq internal ))**.
+
+2. You should now redirect the traffic from the Beer Frontend VPC to the Firewall. Please go through the following steps:
+
+ 1. Login into the AWS console
+ 2. Go to VPC
+ 3. Select in Filter by VPC field the "Beer Store Frontend VPC"
+ 4. As next go to Route Tables and select the Beer Store Frontend Public route table
+ 5. In the route table click on Routes (see below)
+
+

+
+ vi. Click Edit routes and do the following changes:
+ - Change the route 0.0.0.0/0 -> Gateway Load Balancer Endpoint
+ - Click Save
+
+
+ vii. Once you made the changes your routle should looks like the example below
+
+

+
+
+3. Now after you redirect inbound traffic through the firewall, you should connect to the **Beer Store Frontend Webserver** (HTTP) over the Public IP. You should be able to see the following Webpage. This is the entrypoint to the Log4j Attack. The attack is being automatically generated, you do not need to authenticate to the beer store frontend before proceeding to the next step
+

Beer Store

+ In the "Firewall: Monitor" logs, you should see the following log by entering the filter ( addr.src in YOUR-PIP ). Replace "YOUR-PIP" with your local Public IP (Logs can take up to 1 min to be shown in the Monitor)
+

Logs

+ In case you still don't see any traffic logs, check the Internet Edge route table or do the following:
+ 1. Login into the AWS console
+ 2. Go to VPC
+ 3. Select in Filter by VPC field the "Beer Store Frontend VPC"
+ 4. As next go to Route Tables and select the Beer Store Frontend IGW Edge route table
+ 5. In the route table click on Routes (see below)
+
+

+
+ 6. Click "Edit routes" and do the following change:
+ - Add the route 10.1.2.0/24 -> Gateway Load Balancer Endpoint
+ - Click Save
+

+ 7. Once you made the changes your routle should looks like the example below
+
+

+
+
+4. Next we will check the Firewall Monitor Threat logs, to see if any unexpected behaviour is happening. In the Threat Logs, you can see some **Log4j** Attacks. But for some reason, the Firewall isn't blocking them, just alerting. See the picture below as an example.
+

alert

+
+5. Now you have to change/update the Threat Profile on the Security Policy to block/reset the vulnerable traffic. To perform the change on the Security Policy follow the instructions below:
+
+ 1. On the Firewall tab on the browser, navigate to the Policies tab, and select Secuirty on the left pane
+

+
+ 2. Now you can see all the Security rules. Click on the Rule "Allow inbound" frontend rule, and a new window will open
+

+
+ 3. On the new window click on "Actions" tab
+

+
+ 4. On the "Profile Setting" section you can see that under "Vulnerability Protection",the "alert" profile is selected. That profile will only alert and not block or reset any communication.
+

+
+ 5. Change the "Vulnerability Protection" from "alert" to "strict".
+

+
+ 6. Click "OK", and the window will close automatically.
+
+ 7. Next, we have to commit the changes you made to the firewall. Click on the **Commit** button in the top right corner.
+

+
+ 8. A new window will open. Here you will have to click on "Commit" button
+

+
+ 9. Wait for "Status Complete" and "Result Successful" and close the Window
+

+
+6. After changing the **Vulnerability Protection** Profile from **alert** to **strict** you should see the following logs under the **Threat section** of the logs:
+

+
+
+
+- After you make the appropriate changes in AWS routing and on the Palo Alto Networks Firewall it should have successfully blocked the attack to the **Beer Store Frontend Webserver** and you should be able to see a **reset-both** log entry in the Palo Alto Networks Monitor Logs -> Threat.
+
+
+
+This is the end of third Use Case.
+
+
+## Summary
+We have completed this lab and we observed how VM Series firewall can be deployed in AWS environment to inspect inbound and east-west flow and inspect the traffic.
+
+## Cleanup Steps
+Once you have completed the lab successfully, follow the following steps for the cleanup:
+
+Go to the AWS Floudformation service and delete the root stack which you had deployed initially using the URL, refer the following steps:
+
+ 1. Go to the AWS CloudFormation service and select the stack(stack name) that was deployed
+![Screenshot (181)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/d4ca515c-d765-4109-a51f-a41224c40c9a)
+ 2. Click on **Delete**
+![Screenshot (182)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/951c7365-8f29-41bd-84cd-cbb3eb714da1)
+**Note**: it will take approximately 10-15 minutes for the stack to get deleted.
+ 3. Once the stack is deleted go to the AWS Cloudshell, select Actions and select Delete AWS CloudShell home directory option
+![Screenshot (183)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/de107f6b-2123-4b66-b443-9bc20bde2113)
+
+
+
+
+
+In case you get a message that says: "DELETE_FAILED" for the test-CombinedStack and test-SecurityStack, follow the following steps
+
+**Note**: the name of the stack deployed here is "test", please select the stackname that you have deployed to delete the nested stack
+
+1. Select the test-CombinedStack
+![Screenshot (184)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/86faf4c6-7cd6-4268-84a0-157b51a95e10)
+2. Click on **Delete**
+![Screenshot (185)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/e04e4f4d-2704-44d2-96d1-9c0c6ee39e12)
+3. Once the test-CombinedStack is deleted, Select test-SecurityStack
+![Screenshot (187)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/52802da9-8563-46be-a303-229bb1a9e0aa)
+4.
Click on **Delete**
+![Screenshot (188)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/7e6db6ce-7c37-4e11-a71d-469de3e404b0)
+5. Finally select the test-stack
+![Screenshot (189)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/b3d171f7-a74f-434a-80df-1e9bca73ccad)
+6. Click on **Delete**
+![Screenshot (190)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/c8c51126-ba7c-47ee-88f7-67dac26c6980)
+7. Now go to the VPC section and check if all the VPCs are deleted, if not then Select the VPC and click **Delete**
+![Screenshot (192)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/b624ac57-655a-40df-bad4-50df0c6c980f)
+![Screenshot (193)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/966d965d-78a7-41ab-86ef-347cecf798e4)
+
+
+
+
diff --git a/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-combined.yaml b/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-combined.yaml
new file mode 100644
index 0000000..7a4226e
--- /dev/null
+++ b/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-combined.yaml
@@ -0,0 +1,1152 @@ +AWSTemplateFormatVersion: "2010-09-09" + +Description: >- + Simulated VPC with public facing web frontend on EC2. Intended for use with demo scenario with VM-Series Deployment with AWS Gateway Load Balancer (GWLB). + +# ====================================================================================================================== +# Parameters +# ====================================================================================================================== + +Parameters: +# KeyPair Parameter + KeyName: + Type: String + Description: Name of the KeyPair used for EC2 instances + ConstraintDescription: 'Must be the name of an existing EC2 KeyPair.' + Default: lab-key-pair + +# Naming Prefix + FrontendNamePrefix: + Type: String + Description: Prefix to be used for naming / tagging resources + ConstraintDescription: 'String for naming.' + Default: Beer Store Frontend + + DataNamePrefix: + Type: String + Description: Prefix to be used for naming / tagging resources + ConstraintDescription: 'String for naming.' + Default: Beer Store Data + + AttackerNamePrefix: + Type: String + Description: Prefix to be used for naming / tagging resources + ConstraintDescription: 'String for naming.' + Default: Sneaky Suds + +# Amazon Linux AMI for simulated workload EC2 + LatestAmiId : + Type : 'AWS::SSM::Parameter::Value' + Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2' + +# Management Network CIDR + RemoteManagementCIDR: + Description: >- + Remote Management CIDR to be allowed management access to VM-Series Firewall (e.g. 192.168.0.0/25) + Type: String + Default: 0.0.0.0/0 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2}) + ConstraintDescription: Must be a valid CIDR (e.g. 0.0.0.0/0) + +# Frontend VPC CIDR IP Range + FrontendVPCCIDR: + Description: >- + CIDR Address Range for FrontendVPC (e.g. 
10.1.0.0/16) + Type: String + Default: 10.1.0.0/16 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) + +# Frontend VPC Subnets + FrontendVPCSubnetPrivateCIDRAZ1: + Description: >- + CIDR for Private Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.1.1.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + FrontendVPCSubnetPublicCIDRAZ1: + Description: >- + CIDR for Public Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.1.2.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + FrontendVPCSubnetGwlbeCIDRAZ1: + Description: >- + CIDR for GWLB Endpoint Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.1.3.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) +# DATA +# Data VPC CIDR IP Range + DataVPCCIDR: + Description: >- + CIDR Address Range for DataVPC (e.g. 10.2.0.0/16) + Type: String + Default: 10.2.0.0/16 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) + +# Data VPC Subnets + DataVPCSubnetPrivateCIDRAZ1: + Description: >- + CIDR for Data VM Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.2.1.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + DataVPCSubnetPublicCIDRAZ1: + Description: >- + CIDR for TGW Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.2.2.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 
192.168.0.0/28) +# ATTACKER +# Attacker VPC CIDR IP Range + AttackerVPCCIDR: + Description: >- + CIDR Address Range for AttackerVPC (e.g. 10.2.0.0/16) + Type: String + Default: 192.168.10.0/23 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) + +# Attacker VPC Subnets + AttackerVPCSubnetPrivateCIDRAZ1: + Description: >- + CIDR for Attacker VM Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 192.168.10.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + AttackerVPCSubnetPublicCIDRAZ1: + Description: >- + CIDR for TGW Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 192.168.11.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + +# ====================================================================================================================== +# Metadata +# ====================================================================================================================== + +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - + Label: + default: "Frontend Webserver VPC Parameters" + Parameters: + - FrontendVPCCIDR + - FrontendVPCSubnetPrivateCIDRAZ1 + - FrontendVPCSubnetPublicCIDRAZ1 + - FrontendVPCSubnetGwlbeCIDRAZ1 + - FrontendNamePrefix + - DataVPCCIDR + - DataVPCSubnetPrivateCIDRAZ1 + - DataVPCSubnetPublicCIDRAZ1 + - DataNamePrefix + - AttackerVPCCIDR + - AttackerVPCSubnetPrivateCIDRAZ1 + - AttackerVPCSubnetPublicCIDRAZ1 + - AttackerNamePrefix + - + Label: + default: "Other Parameters" + Parameters: + - RemoteManagementCIDR + +# ====================================================================================================================== +# Resources +# 
====================================================================================================================== + +Resources: + +# ---------------------------------------------------------------------------------------------------------------------- +# Networking - VPC, IGW, TGW, Subnets, Route Tables +# ---------------------------------------------------------------------------------------------------------------------- + + FrontendVPC: + Type: AWS::EC2::VPC + Properties: + EnableDnsSupport: true + EnableDnsHostnames: true + CidrBlock: !Ref FrontendVPCCIDR + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} VPC" + + FrontendIGW: + Type: AWS::EC2::InternetGateway + Properties: + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} IGW" + + FrontendIGWAttachment: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref FrontendIGW + VpcId: !Ref FrontendVPC + + FrontendSubnetPrivateAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref FrontendVPC + CidrBlock: !Ref FrontendVPCSubnetPrivateCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} Private" + + FrontendSubnetPublicAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref FrontendVPC + CidrBlock: !Ref FrontendVPCSubnetPublicCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} Public" + + FrontendSubnetGwlbeAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref FrontendVPC + CidrBlock: !Ref FrontendVPCSubnetGwlbeCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} GWLB Endpoint" + +# ---------------------------------------------------------------------------------------------------------------------- +# TGW Attachment +# ---------------------------------------------------------------------------------------------------------------------- + + + FrontendTgwAttachment: + Type: 
AWS::EC2::TransitGatewayAttachment + Properties: + TransitGatewayId: !ImportValue TgwId + VpcId: !Ref FrontendVPC + SubnetIds: [!Ref FrontendSubnetPrivateAZ1] + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} VPC Attachment" + + FrontendTGWAttachmentAssociation: + Type: AWS::EC2::TransitGatewayRouteTableAssociation + Properties: + TransitGatewayAttachmentId: !Ref FrontendTgwAttachment + TransitGatewayRouteTableId: !ImportValue TgwSpokeRouteTableId + + FrontendTGWAttachmentPropagationToSecurity: + Type: AWS::EC2::TransitGatewayRouteTablePropagation + Properties: + TransitGatewayAttachmentId: !Ref FrontendTgwAttachment + TransitGatewayRouteTableId: !ImportValue TgwSecurityRouteTableId + + FrontendTGWAttachmentPropagationToSpoke: # Intentional to start with direct E/W Traffic + Type: AWS::EC2::TransitGatewayRouteTablePropagation + Properties: + TransitGatewayAttachmentId: !Ref FrontendTgwAttachment + TransitGatewayRouteTableId: !ImportValue TgwSpokeRouteTableId + +# ---------------------------------------------------------------------------------------------------------------------- +# VPC Route Tables +# ---------------------------------------------------------------------------------------------------------------------- + + FrontendPrivateRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref FrontendVPC + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} Private" + + FrontendPrivateRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref FrontendPrivateRouteTable + SubnetId: !Ref FrontendSubnetPrivateAZ1 + + FrontendPrivateClassARoute: + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref FrontendPrivateRouteTable + DestinationCidrBlock: 10.0.0.0/8 + TransitGatewayId: !ImportValue TgwId + DependsOn: FrontendTgwAttachment + + FrontendPublicRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref FrontendVPC + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} 
Public" + + FrontendPublicRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref FrontendPublicRouteTable + SubnetId: !Ref FrontendSubnetPublicAZ1 + + FrontendPublicDefaultRoute: + Type: AWS::EC2::Route + DependsOn: FrontendIGWAttachment + Properties: + RouteTableId: !Ref FrontendPublicRouteTable + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref FrontendIGW + + FrontendPublicClassARoute: + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref FrontendPublicRouteTable + DestinationCidrBlock: 10.0.0.0/8 + TransitGatewayId: !ImportValue TgwId + DependsOn: FrontendTgwAttachment + + FrontendGwlbEndpointRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref FrontendVPC + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} GWLB Endpoint" + + FrontendGwlbEndpointRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref FrontendGwlbEndpointRouteTable + SubnetId: !Ref FrontendSubnetGwlbeAZ1 + + FrontendGwlbEndpointDefaultRoute: + Type: AWS::EC2::Route + DependsOn: FrontendIGWAttachment + Properties: + RouteTableId: !Ref FrontendGwlbEndpointRouteTable + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref FrontendIGW + + FrontendIgwEdgeRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref FrontendVPC + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} IGW Edge" + + FrontendIgwEdgeRouteTableAssociationAZ1: + Type: AWS::EC2::GatewayRouteTableAssociation + Properties: + RouteTableId: !Ref FrontendIgwEdgeRouteTable + GatewayId: !Ref FrontendIGW + +# ---------------------------------------------------------------------------------------------------------------------- +# Gateway Load Balancer Endpoint +# ---------------------------------------------------------------------------------------------------------------------- + + FrontendGwlbeAz1: + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref FrontendVPC + ServiceName: !ImportValue 
GWLBServiceId + VpcEndpointType: GatewayLoadBalancer + SubnetIds: [ !Ref FrontendSubnetGwlbeAZ1 ] + +# ---------------------------------------------------------------------------------------------------------------------- +# Frontend EC2 Instance Resources +# ---------------------------------------------------------------------------------------------------------------------- + + FrontendEC2EIP: + Type: AWS::EC2::EIP + DependsOn: FrontendIGWAttachment + Properties: + Domain: vpc + InstanceId: !Ref FrontendEC2Instance + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} Webserver EIP" + + FrontendEC2SecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupName: !Sub "${FrontendNamePrefix} Public" + GroupDescription: Security group for FrontendEC2Instance + VpcId: !Ref FrontendVPC + SecurityGroupIngress: + - IpProtocol: icmp + FromPort: -1 + ToPort: -1 + CidrIp: 10.0.0.0/8 + - IpProtocol: tcp + FromPort: 443 + ToPort: 443 + CidrIp: 0.0.0.0/0 + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: -1 + FromPort: 0 + ToPort: 0 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} Public" + + + FrontendEC2Instance: + Type: AWS::EC2::Instance + DependsOn: FrontendIGWAttachment + Properties: + ImageId: !Ref LatestAmiId # Enter the appropriate AMI ID + InstanceType: t2.micro # Enter the desired instance type + KeyName: !Ref KeyName #!Join ['', [!FindInMap [KeyPairMap, qwikLABS, KeyNamePrefix], !Ref 'AWS::AccountId']] + IamInstanceProfile: !Ref FrontendSsmInstanceProfile + NetworkInterfaces: + - PrivateIpAddress: 10.1.2.223 + SubnetId: !Ref FrontendSubnetPublicAZ1 + DeviceIndex: 0 + GroupSet: + - !Ref FrontendEC2SecurityGroup + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + Encrypted: true + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} Webserver" + UserData: + Fn::Base64: | + #!/bin/bash + # Install Docker (if not already installed) + sudo yum update -y + sudo 
amazon-linux-extras install docker -y + sudo service docker start + sudo usermod -aG docker ec2-user # Add the user to the docker group for non-root access (optional) + + # Pull and run your Docker container + sudo docker pull migara/vuln-app + sudo docker run -d -p 80:8080 migara/vuln-app + +# ---------------------------------------------------------------------------------------------------------------------- +# Frontend VPC - SSM Resources +# ---------------------------------------------------------------------------------------------------------------------- + + # SSM VPC Endpoint + FrontendSsmVpcEndpoint: + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref FrontendVPC + ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssm" + VpcEndpointType: Interface + PrivateDnsEnabled: True + SubnetIds: + - !Ref FrontendSubnetPrivateAZ1 + SecurityGroupIds: + - !Ref FrontendSsmSecurityGroup + + FrontendSsmMessagesVpcEndpoint: + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref FrontendVPC + ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssmmessages" + VpcEndpointType: Interface + PrivateDnsEnabled: True + SubnetIds: + - !Ref FrontendSubnetPrivateAZ1 + SecurityGroupIds: + - !Ref FrontendSsmSecurityGroup + + FrontendEc2MessagesVpcEndpoint: + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref FrontendVPC + ServiceName: !Sub "com.amazonaws.${AWS::Region}.ec2messages" + VpcEndpointType: Interface + PrivateDnsEnabled: True + SubnetIds: + - !Ref FrontendSubnetPrivateAZ1 + SecurityGroupIds: + - !Ref FrontendSsmSecurityGroup + + # SSM Security Group + + FrontendSsmSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupName: !Sub "${FrontendNamePrefix} SSM Endpoint" + GroupDescription: Enable SSM traffic to endpoint + VpcId: !Ref FrontendVPC + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 443 + ToPort: 443 + CidrIp: !Ref FrontendVPCCIDR + SecurityGroupEgress: + - IpProtocol: -1 + FromPort: 0 + ToPort: 0 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + 
Value: !Sub "${FrontendNamePrefix} SSM Endpoint" + + # SSM Role for EC2 instances + FrontendSsmInstanceRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: ec2.amazonaws.com + Action: sts:AssumeRole + ManagedPolicyArns: + - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} SSM" + + # EC2 Instance Profile + FrontendSsmInstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Roles: + - !Ref FrontendSsmInstanceRole + +######################################################################################################################### +# ---------------------------------------------------------------------------------------------------------------------- +# Networking - VPC, IGW, TGW, Subnets, Route Tables +# ---------------------------------------------------------------------------------------------------------------------- + + DataVPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: !Ref DataVPCCIDR + EnableDnsSupport: true + EnableDnsHostnames: true + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} VPC" + + DataIGW: + Type: AWS::EC2::InternetGateway + Properties: + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} IGW" + + DataIGWAttachment: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref DataIGW + VpcId: !Ref DataVPC + + DataSubnetPrivateAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref DataVPC + CidrBlock: !Ref DataVPCSubnetPrivateCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} Private AZ1" + + DataSubnetPublicAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref DataVPC + CidrBlock: !Ref DataVPCSubnetPublicCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} Public AZ1" + + +# 
---------------------------------------------------------------------------------------------------------------------- +# TGW Attachment +# ---------------------------------------------------------------------------------------------------------------------- + + DataTgwAttachment: + Type: AWS::EC2::TransitGatewayAttachment + Properties: + TransitGatewayId: !ImportValue TgwId + VpcId: !Ref DataVPC + SubnetIds: [!Ref DataSubnetPrivateAZ1] + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} VPC Attachment" + + DataTGWAttachmentAssociation: + Type: AWS::EC2::TransitGatewayRouteTableAssociation + Properties: + TransitGatewayAttachmentId: !Ref DataTgwAttachment + TransitGatewayRouteTableId: !ImportValue TgwSpokeRouteTableId + + DataTGWAttachmentPropagationToSecurity: + Type: AWS::EC2::TransitGatewayRouteTablePropagation + Properties: + TransitGatewayAttachmentId: !Ref DataTgwAttachment + TransitGatewayRouteTableId: !ImportValue TgwSecurityRouteTableId + + DataTGWAttachmentPropagationToSpoke: # Intentional to start with direct E/W Traffic + Type: AWS::EC2::TransitGatewayRouteTablePropagation + Properties: + TransitGatewayAttachmentId: !Ref DataTgwAttachment + TransitGatewayRouteTableId: !ImportValue TgwSpokeRouteTableId + +# ---------------------------------------------------------------------------------------------------------------------- +# EIPs +# ---------------------------------------------------------------------------------------------------------------------- + + DataEIPAZ1: + Type: AWS::EC2::EIP + DependsOn: DataIGWAttachment + Properties: + Domain: vpc + InstanceId: !Ref DataEC2Instance + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} Beer Store Data EIP" + + # DataNATGWAZ1: + # Type: AWS::EC2::NatGateway + # Properties: + # SubnetId: !Ref DataSubnetPublicAZ1 + # AllocationId: !GetAtt DataNATGWEIPAZ1.AllocationId + # Tags: + # - Key: Name + # Value: !Sub "${DataNamePrefix} NAT GW" + +# 
---------------------------------------------------------------------------------------------------------------------- +# VPC Route Tables +# ---------------------------------------------------------------------------------------------------------------------- + + DataPrivateRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref DataVPC + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} Private" + + DataPrivateRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref DataPrivateRouteTable + SubnetId: !Ref DataSubnetPrivateAZ1 + + DataPrivateDefaultRoute: + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref DataPrivateRouteTable + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref DataIGW + + DataPrivateClassARoute: + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref DataPrivateRouteTable + DestinationCidrBlock: 10.0.0.0/8 + TransitGatewayId: !ImportValue TgwId + DependsOn: DataTgwAttachment + + DataPublicRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref DataVPC + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} Public" + + DataPublicRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref DataPublicRouteTable + SubnetId: !Ref DataSubnetPublicAZ1 + + DataPublicDefaultRoute: + Type: AWS::EC2::Route + DependsOn: DataIGWAttachment + Properties: + RouteTableId: !Ref DataPublicRouteTable + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref DataIGW + +# ---------------------------------------------------------------------------------------------------------------------- +# Data EC2 Instance Resources +# ---------------------------------------------------------------------------------------------------------------------- + + DataEC2SecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupName: !Sub "${DataNamePrefix} Database" + GroupDescription: Security group for Private DB + VpcId: !Ref DataVPC + 
SecurityGroupIngress: + - IpProtocol: icmp + FromPort: -1 + ToPort: -1 + CidrIp: 10.0.0.0/8 + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 10.1.0.0/16 + - IpProtocol: -1 + FromPort: 0 + ToPort: 0 + CidrIp: 10.0.0.0/8 + SecurityGroupEgress: + - IpProtocol: -1 + FromPort: 0 + ToPort: 0 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} Database" + + DataEC2Instance: + Type: AWS::EC2::Instance + DependsOn: DataIGWAttachment + Properties: + ImageId: !Ref LatestAmiId # Enter the appropriate AMI ID + InstanceType: t2.micro # Enter the desired instance type + KeyName: !Ref KeyName #!Join ['', [!FindInMap [KeyPairMap, qwikLABS, KeyNamePrefix], !Ref 'AWS::AccountId']] + IamInstanceProfile: !Ref DataSsmInstanceProfile + NetworkInterfaces: + - PrivateIpAddress: 10.2.1.100 # Enter the desired private IP address + SubnetId: !Ref DataSubnetPrivateAZ1 + DeviceIndex: 0 + GroupSet: + - !Ref DataEC2SecurityGroup + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + Encrypted: true + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} Database" + UserData: + Fn::Base64: | + #!/bin/bash + # Install Docker (if not already installed) + sudo yum update -y + sudo amazon-linux-extras install docker -y + sudo service docker start + sudo usermod -aG docker ec2-user # Add the user to the docker group for non-root access (optional) + + # Pull and run your Docker container + sudo docker pull migara/beer-vault + sudo docker run -d -p 2222:22 migara/beer-vault +# ---------------------------------------------------------------------------------------------------------------------- +# Data VPC - SSM Resources +# ---------------------------------------------------------------------------------------------------------------------- + + + # SSM VPC Endpoint + DataSsmVpcEndpoint: + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref DataVPC + ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssm" + VpcEndpointType: Interface + PrivateDnsEnabled: True + 
SubnetIds: + - !Ref DataSubnetPrivateAZ1 + SecurityGroupIds: + - !Ref DataSsmSecurityGroup + + DataSsmMessagesVpcEndpoint: + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref DataVPC + ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssmmessages" + VpcEndpointType: Interface + PrivateDnsEnabled: True + SubnetIds: + - !Ref DataSubnetPrivateAZ1 + SecurityGroupIds: + - !Ref DataSsmSecurityGroup + + DataEc2MessagesVpcEndpoint: + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref DataVPC + ServiceName: !Sub "com.amazonaws.${AWS::Region}.ec2messages" + VpcEndpointType: Interface + PrivateDnsEnabled: True + SubnetIds: + - !Ref DataSubnetPrivateAZ1 + SecurityGroupIds: + - !Ref DataSsmSecurityGroup + + # Security Group + DataSsmSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupName: !Sub "${DataNamePrefix}-ssmendpoint-sg" + VpcId: !Ref DataVPC + GroupDescription: Enable SSM traffic to endpoint + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 443 + ToPort: 443 + CidrIp: !Ref DataVPCCIDR + SecurityGroupEgress: + - IpProtocol: -1 + FromPort: 0 + ToPort: 0 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} SSM" + + # SSM Role for EC2 instances + DataSsmInstanceRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: ec2.amazonaws.com + Action: sts:AssumeRole + Path: / + ManagedPolicyArns: + - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} SSM" + + # EC2 Instance Profile + DataSsmInstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Roles: + - !Ref DataSsmInstanceRole + +######################################################################################################################### + +# ---------------------------------------------------------------------------------------------------------------------- +# Networking - VPC, IGW, TGW, Subnets, 
Route Tables +# ---------------------------------------------------------------------------------------------------------------------- + + AttackerVPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: !Ref AttackerVPCCIDR + EnableDnsSupport: true + EnableDnsHostnames: true + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} VPC" + + AttackerIGW: + Type: AWS::EC2::InternetGateway + Properties: + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} IGW" + + AttackerIGWAttachment: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref AttackerIGW + VpcId: !Ref AttackerVPC + + AttackerSubnetPrivateAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref AttackerVPC + CidrBlock: !Ref AttackerVPCSubnetPrivateCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} Private AZ1" + + AttackerSubnetPublicAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref AttackerVPC + CidrBlock: !Ref AttackerVPCSubnetPublicCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} Public AZ1" + + +# ---------------------------------------------------------------------------------------------------------------------- +# NAT Gateways with EIPs +# ---------------------------------------------------------------------------------------------------------------------- + + # AttackerNATGWEIPAZ1: + # Type: AWS::EC2::EIP + # DependsOn: AttackerIGWAttachment + # Properties: + # Domain: vpc + # Tags: + # - Key: Name + # Value: !Sub "${AttackerNamePrefix} EIP" + + AttackerEC2EIP: + Type: AWS::EC2::EIP + DependsOn: AttackerIGWAttachment + Properties: + Domain: vpc + InstanceId: !Ref AttackerEC2Instance + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} EIP" + + # AttackerNATGWAZ1: + # Type: AWS::EC2::NatGateway + # Properties: + # SubnetId: !Ref AttackerSubnetPublicAZ1 + # AllocationId: !GetAtt AttackerNATGWEIPAZ1.AllocationId + # Tags: + # - Key: 
Name + # Value: !Sub "${AttackerNamePrefix} NAT GW" + +# ---------------------------------------------------------------------------------------------------------------------- +# VPC Route Tables +# ---------------------------------------------------------------------------------------------------------------------- + + AttackerPrivateRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref AttackerVPC + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} Private" + + AttackerPrivateRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref AttackerPrivateRouteTable + SubnetId: !Ref AttackerSubnetPrivateAZ1 + + AttackerPrivateDefaultRoute: + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref AttackerPrivateRouteTable + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref AttackerIGW + + AttackerPublicRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref AttackerVPC + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} Public" + + AttackerPublicRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref AttackerPublicRouteTable + SubnetId: !Ref AttackerSubnetPublicAZ1 + + AttackerPublicDefaultRoute: + Type: AWS::EC2::Route + DependsOn: AttackerIGWAttachment + Properties: + RouteTableId: !Ref AttackerPublicRouteTable + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref AttackerIGW + +# ---------------------------------------------------------------------------------------------------------------------- +# Attacker EC2 Instance Resources +# ---------------------------------------------------------------------------------------------------------------------- + + AttackerEC2SecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupName: !Sub "${AttackerNamePrefix}-SG" + GroupDescription: Security group for Attacker + VpcId: !Ref AttackerVPC + SecurityGroupIngress: + - IpProtocol: icmp + FromPort: -1 + ToPort: -1 + CidrIp: 
0.0.0.0/0 + - IpProtocol: -1 + FromPort: -1 + ToPort: -1 + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: -1 + FromPort: 0 + ToPort: 0 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} SG" + + AttackerEC2Instance: + Type: AWS::EC2::Instance + DependsOn: AttackerIGWAttachment + Properties: + ImageId: !Ref LatestAmiId # Enter the appropriate AMI ID + InstanceType: t2.micro # Enter the desired instance type + KeyName: !Ref KeyName #!Join ['', [!FindInMap [KeyPairMap, qwikLABS, KeyNamePrefix], !Ref 'AWS::AccountId']] + IamInstanceProfile: !Ref AttackerSsmInstanceProfile + NetworkInterfaces: + - PrivateIpAddress: 192.168.10.10 # Enter the desired private IP address + SubnetId: !Ref AttackerSubnetPrivateAZ1 + DeviceIndex: 0 + GroupSet: + - !Ref AttackerEC2SecurityGroup + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + Encrypted: true + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} Instance" + UserData: + Fn::Base64: !Sub + - | + #!/bin/bash + # Install Docker (if not already installed) + sudo yum update -y + sudo amazon-linux-extras install docker -y + sudo service docker start + sudo usermod -aG docker ec2-user # Add the user to the docker group for non-root access (optional) + + EIP_PUBLIC_IP=${EIP_PUBLIC_IP} + + # Pull and run your Docker container + sudo docker pull migara/att-svr + docker container run -itd --rm --name att-svr -p 8888:8888 -p 1389:1389 -e HOST=${EIP_PUBLIC_IP} -e BEER_STORE_EIP=${FrontendEC2EIP} migara/att-svr + - + # FrontendEIP: + # 'Fn::ImportValue': 'FrontendEIP' + EIP_PUBLIC_IP: "$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)" + + + +# ---------------------------------------------------------------------------------------------------------------------- +# Attacker VPC - SSM Resources +# ---------------------------------------------------------------------------------------------------------------------- + + + # SSM VPC Endpoint + AttackerSsmVpcEndpoint: + Type: 
AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref AttackerVPC + ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssm" + VpcEndpointType: Interface + PrivateDnsEnabled: True + SubnetIds: + - !Ref AttackerSubnetPrivateAZ1 + SecurityGroupIds: + - !Ref AttackerSsmSecurityGroup + + AttackerSsmMessagesVpcEndpoint: + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref AttackerVPC + ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssmmessages" + VpcEndpointType: Interface + PrivateDnsEnabled: True + SubnetIds: + - !Ref AttackerSubnetPrivateAZ1 + SecurityGroupIds: + - !Ref AttackerSsmSecurityGroup + + AttackerEc2MessagesVpcEndpoint: + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref AttackerVPC + ServiceName: !Sub "com.amazonaws.${AWS::Region}.ec2messages" + VpcEndpointType: Interface + PrivateDnsEnabled: True + SubnetIds: + - !Ref AttackerSubnetPrivateAZ1 + SecurityGroupIds: + - !Ref AttackerSsmSecurityGroup + + # Security Group + AttackerSsmSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupName: !Sub "${AttackerNamePrefix}-ssmendpoint-sg" + VpcId: !Ref AttackerVPC + GroupDescription: Enable SSM traffic to endpoint + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 443 + ToPort: 443 + CidrIp: !Ref AttackerVPCCIDR + SecurityGroupEgress: + - IpProtocol: -1 + FromPort: 0 + ToPort: 0 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} SSM" + + # SSM Role for EC2 instances + AttackerSsmInstanceRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: ec2.amazonaws.com + Action: sts:AssumeRole + Path: / + ManagedPolicyArns: + - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} SSM" + + # EC2 Instance Profile + AttackerSsmInstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Roles: + - !Ref AttackerSsmInstanceRole + + + +# 
====================================================================================================================== +# Outputs +# ====================================================================================================================== + +Outputs: + FrontendGwlbeAz1: + Description: "The ID of the FrontendGwlbeAz1 VPCEndpoint" + Value: !Ref FrontendGwlbeAz1 + Export: + Name: "FrontendGwlbeAz1" + + FrontendEIP: + Description: EIP of the Beerstore + Value: !GetAtt FrontendEC2EIP.PublicIp + Export: + Name: FrontendEIP + + AttackerEC2InstancePublicIP: + Value: !GetAtt AttackerEC2Instance.PublicIp + Description: Public IP address of AttackerEC2Instance diff --git a/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-root.yaml b/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-root.yaml new file mode 100644 index 0000000..b04484c --- /dev/null +++ b/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-root.yaml 
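Review bot: `AttackerEC2SecurityGroup` admits every protocol and port from `0.0.0.0/0` (`IpProtocol: -1`, `CidrIp: 0.0.0.0/0`) on an instance that is also given a public EIP (`AttackerEC2EIP`) and publishes `migara/att-svr` on 8888 and 1389, so the attack server is exposed to the whole internet rather than just the lab; limit the rule to those two ports and to `!Ref RemoteManagementCIDR` — a parameter this template declares but never references in any resource — or, for the 1389 callback, to the beer-store EIP if that host is the intended caller (confirm against the lab flow). None of the three `AWS::EC2::Instance` resources set `MetadataOptions`, so IMDSv1 stays enabled while `FrontendEC2Instance` runs a container that its image name marks as deliberately vulnerable (`migara/vuln-app`) under an instance profile whose role carries the deprecated `AmazonEC2RoleforSSM` managed policy, which means a compromise of the web app can read that role's credentials from `169.254.169.254`; require IMDSv2 with `HttpPutResponseHopLimit: 1` (so a Docker-bridged container cannot reach IMDS) and move the three roles to `AmazonSSMManagedInstanceCore`. Because `AttackerEC2Instance`'s UserData obtains its address by injecting the literal `$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)` through the `!Sub` variable map, that fetch must switch to the token flow in the excerpt below (write `$TOKEN`, not `${TOKEN}`, so `!Sub` leaves it alone) or the script breaks once tokens are required. `RemoteManagementCIDR` also defaults to `0.0.0.0/0`, which turns a parameter meant to scope management access into a no-op unless the operator overrides it; drop the default or document why the whole internet is acceptable here.
```yaml
  AttackerEC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      # … unchanged: GroupName, GroupDescription, VpcId, SecurityGroupEgress, Tags …
      SecurityGroupIngress:
        - IpProtocol: tcp            # attack-server UI, operator only
          FromPort: 8888
          ToPort: 8888
          CidrIp: !Ref RemoteManagementCIDR
        - IpProtocol: tcp            # LDAP callback; presumably from the beer-store host — confirm
          FromPort: 1389
          ToPort: 1389
          CidrIp: !Sub "${FrontendEC2EIP}/32"

  FrontendSsmInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      # … unchanged: AssumeRolePolicyDocument, Tags …
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore   # same swap on Data/Attacker roles

  AttackerEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      # … unchanged: ImageId, InstanceType, KeyName, IamInstanceProfile, NetworkInterfaces, BlockDeviceMappings, Tags …
      MetadataOptions:                # same block on FrontendEC2Instance and DataEC2Instance
        HttpTokens: required          # IMDSv2 only
        HttpPutResponseHopLimit: 1    # response cannot be relayed into a bridged container
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          # … unchanged: docker install …
          TOKEN=$(curl -s -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
          EIP_PUBLIC_IP=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/public-ipv4)
          sudo docker pull migara/att-svr
          docker container run -itd --rm --name att-svr -p 8888:8888 -p 1389:1389 -e HOST=$EIP_PUBLIC_IP -e BEER_STORE_EIP=${FrontendEC2EIP} migara/att-svr
```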
@@ -0,0 +1,391 @@ +AWSTemplateFormatVersion: "2010-09-09" + +Description: >- + Root Stack for Jam Challenge with VM-Series and AWS Gateway Load Balancer (GWLB)) + +# ====================================================================================================================== +# Parameters / Mappings +# ====================================================================================================================== + + +Parameters: +# KeyPair Parameter + KeyName: + Type: String + Description: Name of the KeyPair used for EC2 instances + ConstraintDescription: 'Must be the name of an existing EC2 KeyPair.' + Default: shiva-test-key-pair + +# Management Network CIDR + RemoteManagementCIDR: + Description: >- + Remote Management CIDR to be allowed management access to VM-Series Firewall (e.g. 192.168.0.0/25) + Type: String + Default: 0.0.0.0/0 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2}) + ConstraintDescription: Must be a valid CIDR (e.g. 0.0.0.0/0) + +# Security VPC CIDR IP Range + SecurityVPCCIDR: + Description: >- + CIDR Address Range for SecurityVPC (e.g. 10.0.0.0/24) + Type: String + Default: 10.0.0.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) + +# Frontend VPC CIDR IP Range + FrontendVPCCIDR: + Description: >- + CIDR Address Range for FrontendVPC (e.g. 10.1.0.0/16) + Type: String + Default: 10.1.0.0/16 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) + +# Frontend VPC Subnets + FrontendVPCSubnetPrivateCIDRAZ1: + Description: >- + CIDR for VM Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.1.1.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + FrontendVPCSubnetPublicCIDRAZ1: + Description: >- + CIDR for TGW Subnet (e.g. 
10.0.0.0/28) + Type: String + Default: 10.1.2.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + FrontendVPCSubnetGwlbeCIDRAZ1: + Description: >- + CIDR for TGW Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.1.3.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + +# Data VPC CIDR IP Range + DataVPCCIDR: + Description: >- + CIDR Address Range for DataVPC (e.g. 10.2.0.0/16) + Type: String + Default: 10.2.0.0/16 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) + +# Data VPC Subnets + DataVPCSubnetPrivateCIDRAZ1: + Description: >- + CIDR for Data VM Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.2.1.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + DataVPCSubnetPublicCIDRAZ1: + Description: >- + CIDR for TGW Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.2.0.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + # AZ1 Subnets CIDRs + + SecurityVPCNATGWSubnetCIDRAZ1: + Description: >- + CIDR for NAT Gateway Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.0.0.0/28 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + SecurityVPCGWLBESubnetCIDRAZ1: + Description: >- + CIDR for GWLBE Subnet (e.g. 10.0.0.16/28) + Type: String + Default: 10.0.0.16/28 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + SecurityVPCTGWSubnetCIDRAZ1: + Description: >- + CIDR for TGW Subnet (e.g. 
10.0.0.32/28) + Type: String + Default: 10.0.0.32/28 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + SecurityVPCVMSeriesDataSubnetCIDRAZ1: + Description: >- + CIDR for VMSeries Data Subnet (e.g. 10.0.0.48/28) + Type: String + Default: 10.0.0.48/28 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + SourceS3BucketName: + Description: >- + Source bucket with bootstrap content intended to be used for Jam Session / AWS Events platform. Objects here will be be copied to new bucket in appropriate bootstrap structure + Type: String + AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$|^$ + ConstraintDescription: Must be a valid S3 Bucket name or left blank for no Bootstrap. + Default: aws-jam-challenge-resources + + SourceS3BucketPath: + Type: String + Description: Name of the path in the S3 bucket where the bootstrap content is located. Should match the Jam Session ID + ConstraintDescription: 'Must match the Jam Session ID.' + Default: panw-vmseries-gwlb + + SecurityCftTemplateName: + Type: String + Description: Object name including file extension of CFN template in S3 bucket. Will be concatenated with SourceS3BucketName and SourceS3BucketPath + ConstraintDescription: 'CFN template file name only. Dont include bucket name or path' + Default: aws-panw-gwlb-cfn-security.yaml + + VmSeriesCftTemplateName: + Type: String + Description: Object name including file extension of CFN template in S3 bucket. Will be concatenated with SourceS3BucketName and SourceS3BucketPath + ConstraintDescription: 'CFN template file name only. Dont include bucket name or path' + Default: aws-panw-gwlb-cfn-vmseries.yaml + + FrontendCftTemplateName: + Type: String + Description: Object name including file extension of CFN template in S3 bucket. 
Will be concatenated with SourceS3BucketName and SourceS3BucketPath + ConstraintDescription: 'CFN template file name only. Dont include bucket name or path' + Default: aws-panw-gwlb-cfn-combined.yaml + + DataNamePrefix: + Type: String + Description: Prefix to be used for naming / tagging resources in Data VPC + ConstraintDescription: 'String for naming.' + Default: Beer Store Data + + FrontendNamePrefix: + Type: String + Description: Prefix to be used for naming / tagging resources in Frontend VPC + ConstraintDescription: 'String for naming.' + Default: Beer Store Frontend + +# Naming Prefix + SecurityNamePrefix: + Type: String + Description: Prefix to be used for naming / tagging resources + ConstraintDescription: 'String for naming.' + Default: Security + +# Naming Prefix + AttackerNamePrefix: + Type: String + Description: Prefix to be used for naming / tagging resources + ConstraintDescription: 'String for naming.' + Default: Sneaky Suds + +# Data VPC CIDR IP Range + AttackerVPCCIDR: + Description: >- + CIDR Address Range for AttackerVPC (e.g. 10.2.0.0/16) + Type: String + Default: 192.168.10.0/23 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) + +# Attacker VPC Subnets + AttackerVPCSubnetPrivateCIDRAZ1: + Description: >- + CIDR for Attacker VM Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 192.168.10.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + AttackerVPCSubnetPublicCIDRAZ1: + Description: >- + CIDR for TGW Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 192.168.11.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 
192.168.0.0/28) + + +# ====================================================================================================================== +# Metadata +# ====================================================================================================================== + +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - + Label: + default: "Shared Parameters" + Parameters: + - KeyName + - SourceS3BucketName + - SourceS3BucketPath + - + Label: + default: "Security VPC Parameters" + Parameters: + - SecurityVPCCIDR + - SecurityVPCNATGWSubnetCIDRAZ1 + - SecurityVPCGWLBESubnetCIDRAZ1 + - SecurityVPCTGWSubnetCIDRAZ1 + - SecurityVPCVMSeriesDataSubnetCIDRAZ1 + - RemoteManagementCIDR + - VMSeriesInstanceType + - SecurityCftTemplateName + - SecurityNamePrefix + - + Label: + default: "Combined VPC Parameters" + Parameters: + - FrontendVPCCIDR + - FrontendVPCSubnetPrivateCIDRAZ1 + - FrontendVPCSubnetPublicCIDRAZ1 + - FrontendVPCSubnetGwlbeCIDRAZ1 + - FrontendCftTemplateName + - FrontendNamePrefix + - DataVPCCIDR + - DataVPCSubnetPrivateCIDRAZ1 + - DataVPCSubnetPublicCIDRAZ1 + - DataCftTemplateName + - DataNamePrefix + - AttackerVPCCIDR + - AttackerVPCSubnetPrivateCIDRAZ1 + - AttackerVPCSubnetPublicCIDRAZ1 + - AttackerCftTemplateName + - AttackerNamePrefix + + ParameterLabels: + SecurityVPCCIDR: + default: "IP CIDR for the Security VPC" + SecurityVPCNATGWSubnetCIDRAZ1: + default: "IP CIDR for NAT GW Subnet in AZ1" + SecurityVPCGWLBESubnetCIDRAZ1: + default: "IP CIDR for GWLB Endpoint in AZ1" + SecurityVPCTGWSubnetCIDRAZ1: + default: "IP CIDR for TGW Attachment in AZ1" + SecurityVPCVMSeriesDataSubnetCIDRAZ1: + default: "IP CIDR for VM-Series Data Plane Interface in AZ1" + VMSeriesInstanceType: + default: "EC2 Instance Type for VM-Series" + RemoteManagementCIDR: + default: "IP CIDR for Allowed Remote Management of the VM-Series" + FrontendVPCCIDR: + default: "IP CIDR for the Frontend VPC" + FrontendVPCSubnetPrivateCIDRAZ1: + default: "IP CIDR for Private 
Subnet in AZ1" + FrontendVPCSubnetPublicCIDRAZ1: + default: "IP CIDR for Public Subnet in AZ1" + FrontendVPCSubnetGwlbeCIDRAZ1: + default: "IP CIDR for GWLB Endpoint Subnet in AZ1" + DataVPCCIDR: + default: "IP CIDR for the Data VPC" + DataVPCSubnetPrivateCIDRAZ1: + default: "IP CIDR for Data Private Subnet in AZ1" + DataVPCSubnetPublicCIDRAZ1: + default: "IP CIDR for Data Public Subnet in AZ1" + SecurityCftTemplateName: + default: "Name of CFN template for Security VPC in S3" + FrontendCftTemplateName: + default: "Name of CFN template for Frontend VPC in S3" + FrontendNamePrefix: + default: "Prefix to be used in naming resrouces in Data / DB VPC" + DataCftTemplateName: + default: "Name of CFN template for Data VPC in S3" + DataNamePrefix: + default: "Prefix to be used in naming resrouces in Data / DB VPC" + SecurityNamePrefix: + default: "Prefix to be used in naming resrouces in Security VPC" + AttackerNamePrefix: + default: "Prefix to be used in naming resrouces in Attacker VPC" + AttackerVPCCIDR: + default: "IP CIDR for the Attacker VPC" + AttackerVPCSubnetPrivateCIDRAZ1: + default: "IP CIDR for Attacker Private Subnet in AZ1" + AttackerVPCSubnetPublicCIDRAZ1: + default: "IP CIDR for Attacker Public Subnet in AZ1" + +# ====================================================================================================================== +# Resources +# ====================================================================================================================== + +Resources: + + SecurityStack: + Type: AWS::CloudFormation::Stack + DeletionPolicy: Delete + UpdateReplacePolicy: Delete + Properties: + TemplateURL: !Sub 'https://${SourceS3BucketName}.s3.amazonaws.com/${SourceS3BucketPath}/${SecurityCftTemplateName}' + Parameters: + KeyName: !Ref KeyName + RemoteManagementCIDR: !Ref RemoteManagementCIDR + SecurityVPCCIDR: !Ref SecurityVPCCIDR + SecurityVPCNATGWSubnetCIDRAZ1: !Ref SecurityVPCNATGWSubnetCIDRAZ1 + SecurityVPCGWLBESubnetCIDRAZ1: !Ref 
SecurityVPCGWLBESubnetCIDRAZ1 + SecurityVPCTGWSubnetCIDRAZ1: !Ref SecurityVPCTGWSubnetCIDRAZ1 + SecurityVPCVMSeriesDataSubnetCIDRAZ1: !Ref SecurityVPCVMSeriesDataSubnetCIDRAZ1 + SourceS3BucketName: !Ref SourceS3BucketName + SourceS3BucketPath: !Ref SourceS3BucketPath + SecurityNamePrefix: !Ref SecurityNamePrefix + + VmSeriesStack: + Type: AWS::CloudFormation::Stack + DeletionPolicy: Delete + UpdateReplacePolicy: Delete + DependsOn: + - SecurityStack + - CombinedStack + Properties: + TemplateURL: !Sub 'https://${SourceS3BucketName}.s3.amazonaws.com/${SourceS3BucketPath}/${VmSeriesCftTemplateName}' + Parameters: + KeyName: !Ref KeyName + RemoteManagementCIDR: !Ref RemoteManagementCIDR + SourceS3BucketName: !Ref SourceS3BucketName + SourceS3BucketPath: !Ref SourceS3BucketPath + SecurityNamePrefix: !Ref SecurityNamePrefix + + CombinedStack: + Type: AWS::CloudFormation::Stack + DeletionPolicy: Delete + UpdateReplacePolicy: Delete + DependsOn: + - SecurityStack + Properties: + TemplateURL: !Sub 'https://${SourceS3BucketName}.s3.amazonaws.com/${SourceS3BucketPath}/${FrontendCftTemplateName}' + Parameters: + KeyName: !Ref KeyName + RemoteManagementCIDR: !Ref RemoteManagementCIDR + FrontendVPCCIDR: !Ref FrontendVPCCIDR + FrontendVPCSubnetPrivateCIDRAZ1: !Ref FrontendVPCSubnetPrivateCIDRAZ1 + FrontendVPCSubnetPublicCIDRAZ1: !Ref FrontendVPCSubnetPublicCIDRAZ1 + FrontendVPCSubnetGwlbeCIDRAZ1: !Ref FrontendVPCSubnetGwlbeCIDRAZ1 + FrontendNamePrefix: !Ref FrontendNamePrefix + DataVPCCIDR: !Ref DataVPCCIDR # Before data stack + DataVPCSubnetPrivateCIDRAZ1: !Ref DataVPCSubnetPrivateCIDRAZ1 # Before data stack + DataVPCSubnetPublicCIDRAZ1: !Ref DataVPCSubnetPublicCIDRAZ1 # Before data stack + DataNamePrefix: !Ref DataNamePrefix # Before data stack + AttackerVPCCIDR: !Ref AttackerVPCCIDR # Before attacker stack + AttackerVPCSubnetPrivateCIDRAZ1: !Ref AttackerVPCSubnetPrivateCIDRAZ1 # Before attacker stack + AttackerVPCSubnetPublicCIDRAZ1: !Ref AttackerVPCSubnetPublicCIDRAZ1 # 
Before attacker stack + AttackerNamePrefix: !Ref AttackerNamePrefix # Before attacker stack + + + + + +# ====================================================================================================================== +# Outputs +# ====================================================================================================================== + +Outputs: + + KeyName: + Description: The SSH KeyPair Name + Value: !Ref KeyName diff --git a/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-security.yaml b/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-security.yaml new file mode 100644 index 0000000..8a8454b --- /dev/null +++ b/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-security.yaml 
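Review bot: `RemoteManagementCIDR` defaults to `0.0.0.0/0` and is passed unchanged into SecurityStack, VmSeriesStack and CombinedStack, where aws-panw-gwlb-cfn-security.yaml's `VMSeriesManagementSecurityGroup` opens TCP 22 and 443 from that CIDR, so a deployer who accepts the defaults exposes the firewall management plane to the whole internet. Drop the `Default: 0.0.0.0/0` line so the value must be supplied explicitly, and tighten `AllowedPattern` to `^(\d{1,3}\.){3}\d{1,3}/(\d|[12]\d|3[0-2])$` so prefix lengths above /32 are rejected (the current `(\d{1,2})` accepts /33 through /99). Separately, the `AWS::CloudFormation::Interface` ParameterGroups list `VMSeriesInstanceType`, `DataCftTemplateName` and `AttackerCftTemplateName`, none of which is declared under `Parameters`; CloudFormation is likely to reject the template for that, so either remove those three entries or declare the parameters. The same `0.0.0.0/0` default is repeated in aws-panw-gwlb-cfn-security.yaml's own `RemoteManagementCIDR` and should be removed there as well.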
@@ -0,0 +1,706 @@ +AWSTemplateFormatVersion: "2010-09-09" + +Description: >- + Shared Infrastructure and Security VPC with Gateway Load Balancer. VM-Series resources moved to separate stack due to circular dependency with bootstrap using GWLB endpoints from spokes + +# ====================================================================================================================== +# Parameters / Maapings +# ====================================================================================================================== + +# Updated to 11.0.2-h1 Custom AMIs +Mappings: + PANFWRegionMap: + eu-north-1: + AMI: ami-04527e8b09f7eb406 + eu-west-1: + AMI: ami-0a44de9db9dd95a6c + us-east-1: + AMI: ami-06899917ae226f293 + us-east-2: + AMI: ami-0fd909759c03f961d + us-west-1: + AMI: ami-09dd60214faaafc71 + us-west-2: + AMI: ami-04d4a07840a04301c + +Parameters: +# KeyPair Parameter + KeyName: + Type: String + Description: Name of the KeyPair used for EC2 instances + ConstraintDescription: 'Must be the name of an existing EC2 KeyPair.' + Default: lab-key-pair + +# Naming Prefix + SecurityNamePrefix: + Type: String + Description: Prefix to be used for naming / tagging resources + ConstraintDescription: 'String for naming.' + Default: Security + +# Management Network CIDR + RemoteManagementCIDR: + Description: >- + Remote Management CIDR to be allowed management access to VM-Series Firewall (e.g. 192.168.0.0/25) + Type: String + Default: 0.0.0.0/0 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2}) + ConstraintDescription: Must be a valid CIDR (e.g. 0.0.0.0/0) + +# Security VPC CIDR IP Range + SecurityVPCCIDR: + Description: >- + CIDR Address Range for SecurityVPC (e.g. 10.0.0.0/24) + Type: String + Default: 10.0.0.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 
192.168.0.0/25) + + # AZ1 Subnets CIDRs + + SecurityVPCNATGWSubnetCIDRAZ1: + Description: >- + CIDR for NAT Gateway Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.0.0.0/28 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + SecurityVPCGWLBESubnetCIDRAZ1: + Description: >- + CIDR for GWLBE Subnet (e.g. 10.0.0.16/28) + Type: String + Default: 10.0.0.16/28 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + SecurityVPCTGWSubnetCIDRAZ1: + Description: >- + CIDR for TGW Subnet (e.g. 10.0.0.32/28) + Type: String + Default: 10.0.0.32/28 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + SecurityVPCVMSeriesDataSubnetCIDRAZ1: + Description: >- + CIDR for VMSeries Data Subnet (e.g. 10.0.0.48/28) + Type: String + Default: 10.0.0.48/28 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + SourceS3BucketName: + Description: >- + Source bucket with bootstrap content intended to be used for Jam Session / AWS Events platform. Objects here will be be copied to new bucket in appropriate bootstrap structure + Type: String + AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$|^$ + ConstraintDescription: Must be a valid S3 Bucket name or left blank for no Bootstrap. + Default: __source_s3_bucket_name__ + + SourceS3BucketPath: + Type: String + Description: Name of the path in the S3 bucket where the bootstrap content is located. Should match the Jam Session ID + ConstraintDescription: 'Must match the Jam Session ID.' 
+ Default: panw-vmseries-gwlb + +# ====================================================================================================================== +# Metadata +# ====================================================================================================================== + +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - + Label: + default: "Security VPC" + Parameters: + - SecurityVPCCIDR + - SecurityVPCNATGWSubnetCIDRAZ1 + - SecurityVPCGWLBESubnetCIDRAZ1 + - SecurityVPCTGWSubnetCIDRAZ1 + - SecurityVPCVMSeriesDataSubnetCIDRAZ1 + - SecurityNamePrefix + + - + Label: + default: "VM-Series Deployment" + Parameters: + - VMSeriesAMI + - VMSeriesInstanceType + - KeyName + - SourceS3BucketName + - SourceS3BucketPath + + - + Label: + default: "Other Parameters" + Parameters: + - RemoteManagementCIDR + + ParameterLabels: + SecurityVPCCIDR: + default: "IP CIDR for the Security VPC" + SecurityVPCNATGWSubnetCIDRAZ1: + default: "IP CIDR for NAT GW Subnet in AZ1" + SecurityVPCGWLBESubnetCIDRAZ1: + default: "IP CIDR for GWLB Endpoint in AZ1" + SecurityVPCTGWSubnetCIDRAZ1: + default: "IP CIDR for TGW Attachment in AZ1" + SecurityVPCVMSeriesDataSubnetCIDRAZ1: + default: "IP CIDR for VM-Series Data Plane Interface in AZ1" + VMSeriesAMI: + default: "AMI ID of VM-Series" + VMSeriesInstanceType: + default: "EC2 Instance Type for VM-Series" + RemoteManagementCIDR: + default: "IP CIDR for Allowed Remote Management of the VM-Series" + SecurityNamePrefix: + default: "Prefix to be used in naming resrouces in Security VPC" + +# ====================================================================================================================== +# Resources +# ====================================================================================================================== + +Resources: + +# ---------------------------------------------------------------------------------------------------------------------- +# Transit Gateway and Attachment to Security 
VPC +# ---------------------------------------------------------------------------------------------------------------------- + +## TODO add defaults associations for spokes (circular dependency, needs lambda) + TransitGateway: + Type: AWS::EC2::TransitGateway + Properties: + Description: Transit Gateway for VPC connectivity + DefaultRouteTableAssociation: disable + DefaultRouteTablePropagation: disable + Tags: + - Key: Name + Value: Transit Gateway + + TGWSpokeRouteTable: + Type: AWS::EC2::TransitGatewayRouteTable + Properties: + Tags: + - Key: Name + Value: Spoke TGW Route Table + TransitGatewayId: !Ref TransitGateway + + TGWSecurityRouteTable: + Type: AWS::EC2::TransitGatewayRouteTable + Properties: + Tags: + - Key: Name + Value: Security TGW Route Table + TransitGatewayId: !Ref TransitGateway + + TGWSecurityAttachment: + Type: AWS::EC2::TransitGatewayAttachment + Properties: + VpcId: !Ref SecurityVPC + SubnetIds: [!Ref TGWSubnetAZ1] + TransitGatewayId: !Ref TransitGateway + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VPC Attachment" + + TGWSecurityAttachmentAssociation: + Type: AWS::EC2::TransitGatewayRouteTableAssociation + Properties: + TransitGatewayAttachmentId: !Ref TGWSecurityAttachment + TransitGatewayRouteTableId: !Ref TGWSecurityRouteTable + + TGWSpokeRouteTableDefaultRoute: + Type: AWS::EC2::TransitGatewayRoute + Properties: + DestinationCidrBlock: 0.0.0.0/0 + TransitGatewayAttachmentId: !Ref TGWSecurityAttachment + TransitGatewayRouteTableId: !Ref TGWSpokeRouteTable + + +# ---------------------------------------------------------------------------------------------------------------------- +# VPC, IGW, and IGW Attachment +# ---------------------------------------------------------------------------------------------------------------------- + + SecurityVPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: !Ref SecurityVPCCIDR + EnableDnsSupport: true + EnableDnsHostnames: true + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} 
VPC" + + SecurityIGW: + Type: AWS::EC2::InternetGateway + Properties: + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} IGW" + + SecurityIGWAttachment: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref SecurityIGW + VpcId: !Ref SecurityVPC + + +#----------------------------------------------------------------------------------------------------------------------- +# Subnets +#----------------------------------------------------------------------------------------------------------------------- + + +#Security + NATGWSubnetAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref SecurityVPC + CidrBlock: !Ref SecurityVPCNATGWSubnetCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} Public" + + TGWSubnetAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref SecurityVPC + CidrBlock: !Ref SecurityVPCTGWSubnetCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} TGW Attach" + + GWLBESubnetAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref SecurityVPC + CidrBlock: !Ref SecurityVPCGWLBESubnetCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} GWLB Endpoint" + + VMSeriesDataSubnetAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref SecurityVPC + CidrBlock: !Ref SecurityVPCVMSeriesDataSubnetCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} Firewall Data" + +# ---------------------------------------------------------------------------------------------------------------------- +# Route Tables - SecurityVPC - GWLBE +# ---------------------------------------------------------------------------------------------------------------------- + + GWLBERouteTableAZ1: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref SecurityVPC + Tags: + - Key : Name + Value: !Sub "${SecurityNamePrefix} 
GWLB Endpoint" + + # GWLBEDefaultRouteAZ1: + # Type: AWS::EC2::Route + # Properties: + # RouteTableId: !Ref GWLBERouteTableAZ1 + # DestinationCidrBlock: 0.0.0.0/0 + # NatGatewayId: !Ref SecurityIGW + + GWLBERouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref GWLBERouteTableAZ1 + SubnetId: !Ref GWLBESubnetAZ1 + + GWLBEClassARouteAZ1: + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref GWLBERouteTableAZ1 + DestinationCidrBlock: 10.0.0.0/8 + TransitGatewayId: !Ref TransitGateway + DependsOn: TGWSecurityAttachment + +# ---------------------------------------------------------------------------------------------------------------------- +# Route Tables - SecurityVPC - Nat Gateway +# ---------------------------------------------------------------------------------------------------------------------- + + NATGWRouteTableAZ1: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref SecurityVPC + Tags: + - Key : Name + Value: !Sub "${SecurityNamePrefix} Public" + + NATGWDefaultRouteAZ1: + Type: AWS::EC2::Route + DependsOn: SecurityIGWAttachment + Properties: + RouteTableId: !Ref NATGWRouteTableAZ1 + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref SecurityIGW + + NATGWClassARouteAZ1: + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref NATGWRouteTableAZ1 + DestinationCidrBlock: 10.0.0.0/8 + VpcEndpointId: !Ref GWLBEAZ1 + + NATGWRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref NATGWRouteTableAZ1 + SubnetId: !Ref NATGWSubnetAZ1 + +# ---------------------------------------------------------------------------------------------------------------------- +# Route Table - SecurityVPC - TGW +# ---------------------------------------------------------------------------------------------------------------------- + + TGWRouteTableAZ1: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref SecurityVPC + Tags: + - Key : Name + Value: !Sub "${SecurityNamePrefix} 
TGW Attach" + + TGWDefaultRouteAZ1: + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref TGWRouteTableAZ1 + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBEAZ1 + + TGWRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref TGWRouteTableAZ1 + SubnetId: !Ref TGWSubnetAZ1 + +# ---------------------------------------------------------------------------------------------------------------------- +# SecurityVPC - NAT Gateways with EIPs +# ---------------------------------------------------------------------------------------------------------------------- + + # NATGWEIPAZ1: + # Type: AWS::EC2::EIP + # DependsOn: SecurityIGWAttachment + # Properties: + # Domain: vpc + # Tags: + # - Key: Name + # Value: !Sub "${SecurityNamePrefix} NAT GW" + + # NATGWAZ1: + # Type: AWS::EC2::NatGateway + # Properties: + # SubnetId: !Ref NATGWSubnetAZ1 + # AllocationId: !GetAtt NATGWEIPAZ1.AllocationId + # Tags: + # - Key: Name + # Value: !Sub "${SecurityNamePrefix} NAT GW" + +# ---------------------------------------------------------------------------------------------------------------------- +# Route Table - SecurityVPC - Data +# ---------------------------------------------------------------------------------------------------------------------- + + VMSeriesDataRouteTableAZ1: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref SecurityVPC + Tags: + - Key : Name + Value: !Sub "${SecurityNamePrefix} Firewall Data" + + VMSeriesDataRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref VMSeriesDataRouteTableAZ1 + SubnetId: !Ref VMSeriesDataSubnetAZ1 + +# ---------------------------------------------------------------------------------------------------------------------- +# Gateway Load Balancer +# ---------------------------------------------------------------------------------------------------------------------- + + GWLB: + Type: 
AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Name: VMSeries-Gateway-Load-Balancer + Type: gateway + Subnets: [!Ref VMSeriesDataSubnetAZ1] + LoadBalancerAttributes: + - Key: load_balancing.cross_zone.enabled + Value: true + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} Gateway Load Balancer" + + # ---------------------------------------------------------------------------------------------------------------------- + # Gateway Load Balancer - VPC Endpoint Service + # ---------------------------------------------------------------------------------------------------------------------- + + GWLBEService: + Type: AWS::EC2::VPCEndpointService + Properties: + GatewayLoadBalancerArns: + - !Ref GWLB + AcceptanceRequired: false + + DescribeGWLBEServiceLambdaExecutionRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: + - lambda.amazonaws.com + Action: + - sts:AssumeRole + Path: / + Policies: + - PolicyName: root + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - logs:CreateLogGroup + - logs:CreateLogStream + - logs:PutLogEvents + Resource: arn:aws:logs:*:*:* + - Effect: Allow + Action: + - ec2:DescribeVpcEndpointServiceConfigurations + - ec2:DescribeVpcEndpointServicePermissions + - ec2:DescribeVpcEndpointServices + Resource: "*" + + DescribeGWLBEService: + Type: AWS::Lambda::Function + Properties: + Handler: "index.handler" + Role: !GetAtt + - DescribeGWLBEServiceLambdaExecutionRole + - Arn + Code: + ZipFile: | + import boto3 + import cfnresponse + import json + import logging + import time + def handler(event, context): + logger = logging.getLogger() + logger.setLevel(logging.INFO) + responseData = {} + responseStatus = cfnresponse.FAILED + logger.info('Received event: {}'.format(json.dumps(event))) + + if event["RequestType"] == "Delete": + responseStatus = cfnresponse.SUCCESS + cfnresponse.send(event, context, 
responseStatus, responseData) + + if event["RequestType"] == "Create": + try: + VpceServiceId = event["ResourceProperties"]["Input"] + except Exception as e: + logger.info('VPC Endpoint Service Id retrieval failure: {}'.format(e)) + return + + try: + ec2 = boto3.client('ec2') + except Exception as e: + logger.info('boto3.client failure: {}'.format(e)) + return + + start_time = time.time() + elapsed_time = 0 + + while elapsed_time < 890: # Check every minute for up to 10 minutes, default 570 + try: + response = ec2.describe_vpc_endpoint_service_configurations( + Filters=[ + { + 'Name': 'service-id', + 'Values': [VpceServiceId] + } + ] + ) + except Exception as e: + logger.info('ec2.describe_vpc_endpoint_service_configurations failure: {}'.format(e)) + time.sleep(10) # Sleep for one minute before retrying + elapsed_time = time.time() - start_time + continue + + ServiceName = response['ServiceConfigurations'][0]['ServiceName'] + logger.info('service name: {}'.format(ServiceName)) + responseData['Data'] = ServiceName + responseStatus = cfnresponse.SUCCESS + cfnresponse.send(event, context, responseStatus, responseData) + return + + # If we reach this point, it means 10 minutes have passed without success + logger.info('Timed out after 10 minutes') + responseStatus = cfnresponse.FAILED + responseData['Error'] = 'Timed out after 10 minutes' + cfnresponse.send(event, context, responseStatus, responseData) + Runtime: python3.12 + Timeout: 900 #default 900 line 526 =570 before + + GWLBESerivceName: + Type: Custom::DescribeVpcEndpointServiceConfigurations + Properties: + ServiceToken: !GetAtt DescribeGWLBEService.Arn + Input: !Ref GWLBEService + +# ---------------------------------------------------------------------------------------------------------------------- +# Security VPC - Gateway Load Balancer Endpoint +# ---------------------------------------------------------------------------------------------------------------------- + + GWLBEAZ1: + Type: 
AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref SecurityVPC + ServiceName: !GetAtt GWLBESerivceName.Data + VpcEndpointType: GatewayLoadBalancer + SubnetIds: [ !Ref GWLBESubnetAZ1 ] + +# ---------------------------------------------------------------------------------------------------------------------- +# Security VPC - Management & Data Security Group +# ---------------------------------------------------------------------------------------------------------------------- + + VMSeriesManagementSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + VpcId: !Ref SecurityVPC + GroupName: !Sub "${SecurityNamePrefix}-VM-Series-Management" + GroupDescription: VM-Series Management Security Group + SecurityGroupIngress: + - CidrIp: !Ref RemoteManagementCIDR + FromPort: 22 + ToPort: 22 + IpProtocol: tcp + - CidrIp: !Ref RemoteManagementCIDR + FromPort: 443 + ToPort: 443 + IpProtocol: tcp + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VM-Series Management" + + VMSeriesDataSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + VpcId: !Ref SecurityVPC + GroupName: !Sub "${SecurityNamePrefix}-VM-Series-Data" + GroupDescription: VM-Series GWLB Management Security Group + SecurityGroupIngress: + - IpProtocol: udp + FromPort: 6081 + ToPort: 6081 + CidrIp: !Ref SecurityVPCVMSeriesDataSubnetCIDRAZ1 + SecurityGroupEgress: + - IpProtocol: '-1' # All protocols + CidrIp: 0.0.0.0/0 # All IPs + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VM-Series Data" + + VMSeriesPublicSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + VpcId: !Ref SecurityVPC + GroupName: !Sub "${SecurityNamePrefix} VM-Series Public" + GroupDescription: VM-Series GWLB Data Security Group + SecurityGroupIngress: [] + SecurityGroupEgress: + - IpProtocol: '-1' # All protocols + CidrIp: '0.0.0.0/0' # All IPs + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VM-Series Public" + + +# 
====================================================================================================================== +# Outputs +# ====================================================================================================================== + +Outputs: + + GWLBServiceId: + Description: GWLB Service ID for use for additional GWLB Endpoints + Value: !GetAtt GWLBESerivceName.Data + Export: + Name: GWLBServiceId + + KeyName: + Description: The SSH KeyPair Name + Value: !Ref KeyName + + TgwId: + Description: The ID of the Transit Gateway + Value: !Ref TransitGateway + Export: + Name: TgwId + + TgwSpokeRouteTableId: + Description: The ID of the Spoke Transit Gateway Route Table + Value: !Ref TGWSpokeRouteTable + Export: + Name: TgwSpokeRouteTableId + + TgwSecurityRouteTableId: + Description: The ID of the Security Transit Gateway Route Table + Value: !Ref TGWSecurityRouteTable + Export: + Name: TgwSecurityRouteTableId + + SecurityVPC: + Description: The ID of the Security VPC + Value: !Ref SecurityVPC + Export: + Name: SecurityVPC + + GWLB: + Description: The ID of the GWLB + Value: !Ref GWLB + Export: + Name: GWLB + + VMSeriesManagementSecurityGroup: + Description: The ID of the VMSeriesManagementSecurityGroup + Value: !Ref VMSeriesManagementSecurityGroup + Export: + Name: VMSeriesManagementSecurityGroup + + NATGWSubnetAZ1: + Description: The ID of the NATGWSubnetAZ1 + Value: !Ref NATGWSubnetAZ1 + Export: + Name: NATGWSubnetAZ1 + + VMSeriesPublicSecurityGroup: + Description: The ID of the VMSeriesPublicSecurityGroup + Value: !Ref VMSeriesPublicSecurityGroup + Export: + Name: VMSeriesPublicSecurityGroup + + VMSeriesDataSecurityGroup: + Description: The ID of the VMSeriesDataSecurityGroup + Value: !Ref VMSeriesDataSecurityGroup + Export: + Name: VMSeriesDataSecurityGroup + + VMSeriesDataSubnetAZ1: + Description: The ID of the VMSeriesDataSubnetAZ1 + Value: !Ref VMSeriesDataSubnetAZ1 + Export: + Name: VMSeriesDataSubnetAZ1 
diff --git a/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-vmseries.yaml b/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-vmseries.yaml
new file mode 100644
index 0000000..5ec28bf
--- /dev/null
+++ b/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-vmseries.yaml
@@ -0,0 +1,451 @@ +AWSTemplateFormatVersion: "2010-09-09" + +Description: >- + VM-Series Deployment Stack into existing VPC / GWLB. + +# ====================================================================================================================== +# Parameters / Maapings +# ====================================================================================================================== + +# Updated to 11.0.2-h1 Custom AMIs +Mappings: + PANFWRegionMap: + eu-north-1: + AMI: ami-04527e8b09f7eb406 + eu-west-1: + AMI: ami-0a44de9db9dd95a6c + us-east-1: + AMI: ami-06899917ae226f293 + us-east-2: + AMI: ami-0fd909759c03f961d + us-west-1: + AMI: ami-09dd60214faaafc71 + us-west-2: + AMI: ami-04d4a07840a04301c + +Parameters: +# KeyPair Parameter + KeyName: + Type: String + Description: Name of the KeyPair used for EC2 instances + ConstraintDescription: 'Must be the name of an existing EC2 KeyPair.' + Default: lab-key-pair + +# Naming Prefix + SecurityNamePrefix: + Type: String + Description: Prefix to be used for naming / tagging resources + ConstraintDescription: 'String for naming.' + Default: Security + +# Management Network CIDR + RemoteManagementCIDR: + Description: >- + Remote Management CIDR to be allowed management access to VM-Series Firewall (e.g. 192.168.0.0/25) + Type: String + Default: 0.0.0.0/0 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2}) + ConstraintDescription: Must be a valid CIDR (e.g. 0.0.0.0/0) + + SourceS3BucketName: + Description: >- + Source bucket with bootstrap content intended to be used for Jam Session / AWS Events platform. Objects here will be be copied to new bucket in appropriate bootstrap structure + Type: String + AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$|^$ + ConstraintDescription: Must be a valid S3 Bucket name or left blank for no Bootstrap. 
+ Default: __source_s3_bucket_name__ + + SourceS3BucketPath: + Type: String + Description: Name of the path in the S3 bucket where the bootstrap content is located. Should match the Jam Session ID + ConstraintDescription: 'Must match the Jam Session ID.' + Default: panw-vmseries-gwlb + +# ====================================================================================================================== +# Metadata +# ====================================================================================================================== + +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - + Label: + default: "VM-Series Deployment" + Parameters: + - VMSeriesAMI + - VMSeriesInstanceType + - SecurityNamePrefix + - KeyName + - SourceS3BucketName + - SourceS3BucketPath + - RemoteManagementCIDR + + ParameterLabels: + VMSeriesAMI: + default: "AMI ID of VM-Series" + VMSeriesInstanceType: + default: "EC2 Instance Type for VM-Series" + RemoteManagementCIDR: + default: "IP CIDR for Allowed Remote Management of the VM-Series" + SecurityNamePrefix: + default: "Prefix to be used in naming resrouces in Security VPC" + +# ====================================================================================================================== +# Resources +# ====================================================================================================================== + +Resources: + +# ---------------------------------------------------------------------------------------------------------------------- +# Gateway Load Balancer Target Group +# ---------------------------------------------------------------------------------------------------------------------- + + GWLBTargetGroup: + Type: AWS::ElasticLoadBalancingV2::TargetGroup + Properties: + Name: !Sub "${SecurityNamePrefix}-VM-Series" + Port: 6081 + Protocol: GENEVE + HealthCheckPort: 80 + HealthCheckProtocol: TCP + TargetGroupAttributes: + - Key: deregistration_delay.timeout_seconds + Value: 20 + VpcId: 
!ImportValue SecurityVPC + + TargetType: instance + Targets: + - Id: !Ref VMSeriesInstanceAZ1 + Tags: + - Key: Name + Value: "GWLB VM-Series" + + GWLBListener: + Type: AWS::ElasticLoadBalancingV2::Listener + Properties: + DefaultActions: + - Type: forward + TargetGroupArn: !Ref GWLBTargetGroup + LoadBalancerArn: !ImportValue GWLB + +# ---------------------------------------------------------------------------------------------------------------------- +# VM-Series Bootstrap Resrouces +# ---------------------------------------------------------------------------------------------------------------------- + + BootstrapRole: + Type: 'AWS::IAM::Role' + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: ec2.amazonaws.com + Action: 'sts:AssumeRole' + Path: / + Policies: + - PolicyName: BootstrapRolePolicy + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: 's3:ListBucket' + Resource: !Join + - '' + - - 'arn:aws:s3:::' + - !Ref SampleS3Bucket + - Effect: Allow + Action: 's3:GetObject' + Resource: !Join + - '' + - - 'arn:aws:s3:::' + - !Ref SampleS3Bucket + - /* + BootstrapInstanceProfile: + Type: 'AWS::IAM::InstanceProfile' + Properties: + Path: / + Roles: + - !Ref BootstrapRole + AWSLambdaExecutionRole: + Type: 'AWS::IAM::Role' + Properties: + AssumeRolePolicyDocument: + Statement: + - Action: + - 'sts:AssumeRole' + Effect: Allow + Principal: + Service: + - lambda.amazonaws.com + Version: 2012-10-17 + Path: / + Policies: + - PolicyDocument: + Statement: + - Action: + - 'logs:CreateLogGroup' + - 'logs:CreateLogStream' + - 'logs:PutLogEvents' + Effect: Allow + Resource: 'arn:aws:logs:*:*:*' + Version: 2012-10-17 + PolicyName: !Sub '${AWS::Region}-AWSLambda-CW' + - PolicyDocument: + Statement: + - Action: + - 's3:PutObject' + - 's3:DeleteObject' + - 's3:List*' + Effect: Allow + Resource: + - !Sub 'arn:aws:s3:::${SampleS3Bucket}/*' + - !Sub 'arn:aws:s3:::${SampleS3Bucket}' + 
Version: 2012-10-17 + PolicyName: !Sub '${AWS::Region}-AWSLambda-S3' + - PolicyDocument: + Statement: + - Action: + - 's3:GetObject' + Effect: Allow + Resource: + - !Sub 'arn:aws:s3:::${SourceS3BucketName}/*' + Version: 2012-10-17 + PolicyName: !Sub '${AWS::Region}-AWSLambda-S3-Get' + RoleName: !Sub '${AWS::Region}-AWSLambdaExecutionRole' + SampleS3Bucket: + Type: 'AWS::S3::Bucket' + Properties: + BucketName: !Select + - '2' + - !Split + - / + - !Ref 'AWS::StackId' + + LambdaS3CustomResource: + Type: 'Custom::S3CustomResource' + DependsOn: AWSLambdaExecutionRole + Properties: + ServiceToken: !Ref AWSLambdaFunctionVersion + the_bucket: !Ref SampleS3Bucket + source_bucket: !Ref SourceS3BucketName + source_path: !Ref SourceS3BucketPath + FrontendGwlbeAz1: !ImportValue FrontendGwlbeAz1 + dirs_to_create: + - config + - content + - license + - software + + + AWSLambdaFunctionVersion: + Type: 'AWS::Lambda::Version' + Properties: + FunctionName: !Ref AWSLambdaFunction + + AWSLambdaFunction: + Type: 'AWS::Lambda::Function' + Properties: + Description: Create VM-Series bootstrap bucket from Jam source + FunctionName: !Sub '${AWS::Region}-lambda' + Handler: index.handler + Role: !GetAtt + - AWSLambdaExecutionRole + - Arn + Timeout: 360 + Runtime: python3.12 + Code: + ZipFile: | + import boto3 + import cfnresponse + import textwrap + + def handler(event, context): + # Init ... 
+ the_event = event['RequestType'] + print("The event is: ", str(the_event)) + response_data = {} + s_3 = boto3.client('s3') + + # Retrieve parameters + the_bucket = event['ResourceProperties']['the_bucket'] + dirs_to_create = event['ResourceProperties']['dirs_to_create'] + source_bucket = event['ResourceProperties']['source_bucket'] + source_path = event['ResourceProperties']['source_path'] + frontend_gwlbe_az1 = event['ResourceProperties']['FrontendGwlbeAz1'] + + try: + if the_event in ('Create', 'Update'): + print("Requested folders: ", str(dirs_to_create)) + for dir_name in dirs_to_create: + print("Creating: ", str(dir_name)) + s_3.put_object(Bucket=the_bucket, + Key=(dir_name + + '/')) + s3_copy = boto3.resource('s3') + + # Create init-cfg.txt dynamically + init_cfg_content = textwrap.dedent(f"""\ + type=dhcp-client + hostname=BrewGuardian-NGFW + ip-address= + default-gateway= + netmask= + ipv6-default-gateway= + vm-auth-key= + panorama-server= + panorama-server-2= + tplname= + dgname= + dns-primary=8.8.8.8 + dns-secondary=8.8.4.4 + authcodes= + plugin-op-commands=aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable,aws-gwlb-associate-vpce:{frontend_gwlbe_az1}@ethernet1/1.1 + op-command-modes=jumbo-frame,mgmt-interface-swap + op-cmd-dpdk-pkt-io=on + dhcp-send-hostname=yes + dhcp-send-client-id=yes + dhcp-accept-server-hostname=no + dhcp-accept-server-domain=yes + """) + s_3.put_object(Body=init_cfg_content, Bucket=the_bucket, Key='config/init-cfg.txt') + + copy_source = { + 'Bucket': source_bucket, + 'Key': source_path + '/bootstrap.xml' + } + s3_copy.meta.client.copy(copy_source, str(the_bucket), 'config/bootstrap.xml') + copy_source = { + 'Bucket': source_bucket, + 'Key': source_path + '/authcodes' + } + s3_copy.meta.client.copy(copy_source, str(the_bucket), 'license/authcodes') + elif the_event == 'Delete': + print("Deleting S3 content...") + b_operator = boto3.resource('s3') + b_operator.Bucket(str(the_bucket)).objects.all().delete() + # Everything 
OK... send the signal back + print("Operation successful!") + cfnresponse.send(event, + context, + cfnresponse.SUCCESS, + response_data) + except Exception as e: + print("Operation failed...") + print(str(e)) + response_data['Data'] = str(e) + cfnresponse.send(event, + context, + cfnresponse.FAILED, + response_data) + +# ---------------------------------------------------------------------------------------------------------------------- +# VM-Series Deployment +# ---------------------------------------------------------------------------------------------------------------------- + + VMSeriesManagementENIAZ1: + Type: AWS::EC2::NetworkInterface + Properties: + Description: VM-Series Management + GroupSet: [ !ImportValue VMSeriesManagementSecurityGroup ] + SubnetId: !ImportValue NATGWSubnetAZ1 + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VM-Series Management" + + VMSeriesManagementEIPAZ1: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VM-Series Management" + + VMSeriesManagementEIPAssociationAZ1: + Type: AWS::EC2::EIPAssociation + Properties: + AllocationId: !GetAtt VMSeriesManagementEIPAZ1.AllocationId + NetworkInterfaceId: !Ref VMSeriesManagementENIAZ1 + + VMSeriesPublicENIAZ1: + Type: AWS::EC2::NetworkInterface + Properties: + Description: VM-Series Public + GroupSet: [ !ImportValue VMSeriesPublicSecurityGroup ] + SubnetId: !ImportValue NATGWSubnetAZ1 + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VM-Series Public" + + VMSeriesPublicEIPAZ1: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VM-Series Public" + + VMSeriesPublicEIPAssociationAZ1: + Type: AWS::EC2::EIPAssociation + Properties: + AllocationId: !GetAtt VMSeriesPublicEIPAZ1.AllocationId + NetworkInterfaceId: !Ref VMSeriesPublicENIAZ1 + + VMSeriesDataENIAZ1: + Type: AWS::EC2::NetworkInterface + Properties: + Description: VM-Series GWLB Data - AZ1 + 
SourceDestCheck: false + GroupSet: [ !ImportValue VMSeriesDataSecurityGroup ] + SubnetId: !ImportValue VMSeriesDataSubnetAZ1 + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VM-Series Data" + VMSeriesInstanceAZ1: + Type: AWS::EC2::Instance + UpdateReplacePolicy: Delete + Properties: + DisableApiTermination: false + InstanceInitiatedShutdownBehavior: stop + EbsOptimized: true + ImageId: !FindInMap + - PANFWRegionMap + - !Ref 'AWS::Region' + - AMI + InstanceType: m5.large + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + VolumeType: gp2 + DeleteOnTermination: true + VolumeSize: 60 + Encrypted: true + KeyName: !Ref KeyName + Monitoring: false + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VM-Series" + NetworkInterfaces: + - NetworkInterfaceId: !Ref VMSeriesManagementENIAZ1 + DeviceIndex: '1' + - NetworkInterfaceId: !Ref VMSeriesDataENIAZ1 + DeviceIndex: '0' + - NetworkInterfaceId: !Ref VMSeriesPublicENIAZ1 + DeviceIndex: '2' + IamInstanceProfile: !Ref BootstrapInstanceProfile + UserData: + Fn::Base64: + Fn::Join: + - ';' + - - "mgmt-interface-swap=enable" + - !Sub "vmseries-bootstrap-aws-s3bucket=${SampleS3Bucket}" + +# ====================================================================================================================== +# Outputs +# ====================================================================================================================== + +Outputs: + + KeyName: + Description: The SSH KeyPair Name + Value: !Ref KeyName diff --git a/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-vmseries-gwlb-team-iam-policy.json b/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-vmseries-gwlb-team-iam-policy.json new file mode 100644 index 0000000..dc94325 --- /dev/null +++ b/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-vmseries-gwlb-team-iam-policy.json 
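Review bot: SampleS3Bucket, which receives the copied bootstrap.xml (admin password hashes) and the license authcodes, is created with nothing but a BucketName — no PublicAccessBlockConfiguration and no default encryption — so a later bucket policy or ACL change can expose the firewall's bootstrap configuration. The RemoteManagementCIDR parameter also ships with `Default: 0.0.0.0/0` (and an AllowedPattern that accepts octets above 255 and prefixes above 32); the security stack's management security group opens 22/443 to that value, and the lab README publishes the admin password, so unless the deployer overrides it the firewall's management plane is internet-reachable with a known password — I would drop the default so the value must be supplied. Less critical: `FunctionName: !Sub '${AWS::Region}-lambda'` and `RoleName: !Sub '${AWS::Region}-AWSLambdaExecutionRole'` are fixed per region, so a second stack in the same region fails on name collisions, and the Interface metadata lists VMSeriesAMI/VMSeriesInstanceType which are not declared as parameters (the AMI comes from the mapping and the instance type is hard-coded m5.large). The bucket hardening I would add is below.
```yaml
  SampleS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      # … unchanged: BucketName derived from AWS::StackId …
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
```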
@@ -0,0 +1,76 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "ec2:Describe*", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": "elasticloadbalancing:Describe*", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "cloudwatch:ListMetrics", + "cloudwatch:GetMetricStatistics", + "cloudwatch:Describe*" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": "autoscaling:Describe*", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ec2:DeleteTransitGatewayRoute", + "ec2:DisableTransitGatewayRouteTablePropagation", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:EnableTransitGatewayRouteTablePropagation", + "ec2:ReplaceTransitGatewayRoute", + "ec2:ReplaceRoute" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ec2:ExportTransitGatewayRoutes", + "ec2:GetTransitGatewayRouteTablePropagations", + "ec2:GetTransitGatewayAttachmentPropagations", + "ec2:GetTransitGatewayPrefixListReferences", + "ec2:GetTransitGatewayPolicyTableAssociations", + "ec2:GetSubnetCidrReservations", + "ec2:GetTransitGatewayMulticastDomainAssociations", + "ec2:GetTransitGatewayRouteTableAssociations", + "ec2:GetTransitGatewayPolicyTableEntries", + "ec2:SearchTransitGatewayRoutes" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ssm:GetConnectionStatus", + "ssm:ResumeSession", + "ssm:TerminateSession", + "ssm:StartSession" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ssm:DescribeInstanceInformation", + "ssm:DescribeSessions" + ], + "Resource": "*" + } + ] +} diff --git a/aws-vmseries-with-gwlbe-CFT/s3assets/authcodes b/aws-vmseries-with-gwlbe-CFT/s3assets/authcodes new file mode 100644 index 0000000..692cff4 --- /dev/null +++ b/aws-vmseries-with-gwlbe-CFT/s3assets/authcodes @@ -0,0 +1 @@ +D6476548 
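Review bot: The route-mutation statement (`ec2:CreateRoute`, `ec2:DeleteRoute`, `ec2:ReplaceRoute` and the Transit Gateway route/propagation actions) and the `ssm:StartSession` statement are both granted on `"Resource": "*"`, so a participant holding this team policy can rewrite any VPC or TGW route table in the account and open a shell on any SSM-managed instance, not only the lab's. Route actions take route-table / transit-gateway-route-table ARNs and `ssm:StartSession` takes instance ARNs, so both can be pinned to the lab resources — for example `"Resource": "arn:aws:ec2:*:*:route-table/*"` with `"Condition": {"StringEquals": {"aws:ResourceTag/Name": "<lab tag>"}}` for routes, and an instance ARN plus `"ssm:resourceTag/Name"` for sessions — provided the lab resources carry a distinguishing tag; I cannot confirm the tag values from this diff. The read-only `Describe*`/`Get*` statements are fine as written.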
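Review bot: This file commits what appears to be a VM-Series license auth code (`D6476548`) in cleartext, and the Lambda in aws-panw-gwlb-cfn-vmseries.yaml copies it verbatim into `license/authcodes` of the bootstrap bucket, so anyone with read access to the repository can consume the entitlement. If it is a real code it should be rotated and the file replaced with a placeholder substituted at deploy time, the same way `__source_s3_bucket_name__` is handled in the template (e.g. `__authcode__`); if it is deliberately a dummy value, say so in the README so it is not mistaken for a live credential.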
diff --git a/aws-vmseries-with-gwlbe-CFT/s3assets/bootstrap.xml b/aws-vmseries-with-gwlbe-CFT/s3assets/bootstrap.xml
new file mode 100644
index 0000000..ad6fa33
--- /dev/null
+++ b/aws-vmseries-with-gwlbe-CFT/s3assets/bootstrap.xml
@@ -0,0 +1,1371 @@ + + + + + + $5$orocpecl$7QCjNeKl9wHPVQditT9R5K9Dm1mWFDHgxG96EJiIbe3 + + + yes + + + 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 + + + + + + apiadmin + + + + $5$ufpyldiy$UseRElSc4.exQmd/Pf/vM7jckgnAdj6AgH9lrFAfff7 + + + + + + + + + + + + + yes + 5 + + + yes + 5 + + + yes + 5 + + + yes + 10 + + + yes + 5 + + + + yes + + + + 10 + 10 + + 100 + 50 + + + + 10 + 10 + + 100 + 50 + + + + + + 100 + yes + + + + + + + + + enable + + + + + + + + + c0542737 + c0542737 + Sep 19 22:02:47 2022 GMT + aws-jam-pan + Sep 19 22:02:47 2023 GMT + aws-jam-pan + 1695160967 + yes + aws-jam-pan + -----BEGIN CERTIFICATE----- +MIIC7zCCAdegAwIBAgIUJ80bMPtUHYNIJkYll2z6caWkgUUwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLYXdzLWphbS1wYW4wHhcNMjIwOTE5MjIwMjQ3WhcNMjMw +OTE5MjIwMjQ3WjAWMRQwEgYDVQQDDAthd3MtamFtLXBhbjCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAO3xOHCBI/Osyc5fCzugD32Y+cv/hAeFdPIp5XCY +DPO51oKhfrhBmATnVk6TauN9D9KL2NugMPZZTl9gg+A2XHCsbY/1SZWOl2rd9R8c +1HzFjMWOowA475AH0voDKCM6WoF+BaSs3Yo/V1S4yEYCNk//6DQMq2J27tl58e7X +bKSwF7U1XzDSlZeTdo37suWS3r+19+WbSZ51awZOWWz4Sc3ESrGrEuVPMAc59jon +/bwLwDAbvra9ALrEHKaA2noL5T0OdETtEOxOkECpacvciQZAsQlG4EhN67+ts6fz +Z/OhE1inZsrC9+h1PCTAI6fmEebp3uC2pIO0c9Ug+G1XnDsCAwEAAaM1MDMwDAYD +VR0TBAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILcGFuLWphbS1wYW4w +DQYJKoZIhvcNAQELBQADggEBADfxmLLV22oK1bjIFEVrGt9nAdSE3a6EHOfrI4t2 +QxHoPZXzIxEHbO200ioLqKotoZ21/exPv2v+z/6lX8ynqMwSEItQutVjQ6HH4t3/ +Hf7yva+tYfhkrjQSDEAK7N/Ne54F5Oq8rIwXyx8DQ/l7fQWXb9XUVk88o5bpblv9 +NRcGJU6r70Q0MD//9CcOQPihS6shQcsf9NHr3fb6AvLLdFufODhqdo7gYPYefBrV +lkMohz1P26eNZp9mDxrWRJ0sZJeCvw5YMo12cN+hb2ncjdzsYuDlccWk1ItITTRK +RzZTg6F3RhZMOMfm0Co59Zl4otcQYEJXOL9BlJrx8mot+xQ= +-----END CERTIFICATE----- + + RSA + -AQ==8FHErBAt+yHUIudjfdHT0/93eNA=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 + + + 45e914f0 + 45e914f0 + Sep 19 22:14:43 2022 GMT + UNTRUST + Sep 19 22:14:43 2023 GMT + UNTRUST + 1695161683 + yes + UNTRUST + -----BEGIN CERTIFICATE----- 
+MIICzzCCAbegAwIBAgIUD2I/CdHONbnQiR8Lk9RC6ecwfeswDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVU5UUlVTVDAeFw0yMjA5MTkyMjE0NDNaFw0yMzA5MTky +MjE0NDNaMBIxEDAOBgNVBAMMB1VOVFJVU1QwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDTrm1l2N2baQy0A2kH4N2pBhMQ5CE7+ZVdXioXSbUWiX4uAUyG +qCS3N3HW1PknTTR6fmJfGA9kyB5Owni44z+fP2aPhk/7HtvzgFH/WXFLJr82weqo +TLXp7PlmIJ+Q7z5vl/l1RUrfElfVbbjcVFyBFAYmnrmdvIvs+T+G0CSq1xuUz/9V +TSFvw6VPVQgdvaOnSKd9Ix2iTXtjEqIO8tSj9HhxBsfVlnjFQ0635MTx36MCMyb2 +Tar/XbkcIQ5Ap6J/9ZxUgYo4dkf7mQK/gla1vtujYMeKSUFTbj4XUPzykrx8u+iT +GySuZkzZ0MRVetz8ynfLN+10u4AfhFa0H6SHAgMBAAGjHTAbMAwGA1UdEwQFMAMB +Af8wCwYDVR0PBAQDAgIEMA0GCSqGSIb3DQEBCwUAA4IBAQDOTEbWER+bTcr+3CFN +5kUP446dXkNZWMPt2+TEtSF43zN4DlSqtAK7nj3HrD5n5DQjxNePjtt9TNK3y+4B +PPGrkg5DN1aFtbdE79gWh/RHeX1UO2CMG4rsYZFyIk0u+sY9JetLJtI6OY11cy7J +56Ry6PEVopEPPQ+YTEayPKxnFHJ07gBAaBcnhCpizLGyC1NvAZAX+iye3O+S0lSv +4j5m0zfzHYguRC92Ljzt1KuwPE9JnddflMq+2q6zUU9BLvTAuu6awm4eJE3fbWek +j/2KjM33Yzd/ff0qsfEMHmNrQaUZlf21MUDs291Xmrr0NUbjHqEzDQGyKxBU4aCv +Iwyg +-----END CERTIFICATE----- + + RSA + -AQ==TnkwOp9ykV8BjzuoTTgjlA4wiJY=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 + + + + + aws-jam-pan + + + UNTRUST + + + + + + + + + + + + + no + + + no + + + + no + + + no + + + no + + + + + + + no + + + + + no + + + no + + + no + + 1 + + + + + + + + + yes + + + no + + + + no + + + no + + + no + + + + + + + + + 3 + 5 + wait-recover + + + + + + + + + aes-128-cbc + 3des + + + sha1 + + + group2 + + + 8 + + + + + aes-128-cbc + + + sha256 + + + group19 + + + 8 + + + + + aes-256-cbc + + + sha384 + + + group20 + + + 8 + + + + + + + + aes-128-cbc + 3des + + + sha1 + + + group2 + + 1 + + + + + + aes-128-gcm + + + none + + + group19 + + 1 + + + + + + aes-256-gcm + + + none + + + group20 + + 1 + + + + + + + aes-128-cbc + + + sha1 + + + + + + + + + + + + + real-time + + + high + + + high + + + medium + + + medium + + + low + + + low + + + low + + + + + + + + + + + + no + + + 1.25 + 0.5 + 900 + 300 + 900 + yes + + + + + yes + + + + + no + + + no + + + no + 
+ + + ethernet1/1 + ethernet1/1.1 + ethernet1/2 + + + + + + + + + + + + 10.0.0.49 + + + None + + + no + any + 2 + + ethernet1/1 + 10 + 10.0.0.0/8 + + + + + + + no + any + 2 + + + 10.0.0.1 + + + None + + ethernet1/2 + 10 + 0.0.0.0/0 + + + + + + + + + + + + + 10.0.0.99 + 255.255.255.0 + updates.paloaltonetworks.com + + + + + 0 + download-and-install + + + + + US/Pacific + + yes + yes + + 10.0.0.1 + BrewGuardian-NGFW + + + 8.8.8.8 + 8.8.4.4 + + + + + yes + yes + no + yes + + + yes + + + + yes + + + FQDN + + 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 + + + yes + yes + no + yes + + + BrewGuardian-NGFW + 8.8.8.8 + 8.8.4.4 + jumbo-frame,mgmt-interface-swap + + + + + + + + + + + + + ethernet1/2 + + + + + + + ethernet1/1 + + + + + + + ethernet1/1.1 + + + + + + + + + 22 + + + + + + + 221 + + + + + + + 222 + + + + + + + + + + + + any + + + internal + + + Beer Store Data VPC + + + any + + + any + + + any + + + ping + + + application-default + + no + yes + allow + + any + + + any + + + + + external + + + internal + + + Beer Store Data VPC + + + any + + + any + + + any + + + web-browsing + + + application-default + + no + yes + deny + + any + + + any + + + + + Alert + + + alert + + + alert + + + + + + + internal + + + internal + + + Beer Store Frontend VPC + + + Beer Store Data VPC + + + any + + + any + + + ssh + + + any + + no + yes + deny + + any + + + any + + This rule is blocking SSH traffic because they don't need to talk over SSH + + + + Alert + + + alert + + + + + + + external + + + frontend + internal + + + any + + + any + + + any + + + any + + + any + + + any + + yes + yes + allow + + any + + + any + + + + + alert + + + Alert + + + + + + + frontend + + + frontend + + + any + + + any + + + any + + + any + + + any + + + any + + + any + + + any + + allow + + + + alert + + + + + + + internal + + + internal + + + any + + + any + + + any + + + any + + + any + + + any + + no + yes + allow + + + + alert + + + + + any + + + any + + + + + any + + + any + + + any + + + 
any + + + any + + + any + + + ping + + + application-default + + no + yes + allow + + any + + + any + + + + + any + + + any + + + any + + + any + + + any + + + any + + + any + + + any + + yes + yes + deny + + any + + + any + + + + + + + + + + + ethernet1/2 + + + + + external + + + internal + + + any + + + any + + any + ipv4 + + + + + + + allow + no + yes + + + deny + no + yes + + + + + + + + + + + any + + + service-https + + + internal + + + external + + + Beer Store Frontend VPC + + + any + + + any + + + any + + + any + + decrypt + yes + default + yes + + + + + + + + + + + + + + + any + + + critical + + + any + + any + client + any + disable + + + + + + + any + + + high + + + any + + any + client + any + disable + + + + + + + any + + + medium + + + any + + any + client + any + disable + + + + + + + any + + + critical + + + any + + any + server + any + disable + + + + + + + any + + + high + + + any + + any + server + any + disable + + + + + + + any + + + medium + + + any + + any + server + any + disable + + + + + + + + + + WW's profile + + + + + + + + + any + + + any + + + any + + any + any + any + disable + + + + + + + + yes + + + + + medium + + abortion + abused-drugs + adult + gambling + phishing + + + command-and-control + grayware + hacking + malware + questionable + ransomware + weapons + + + + abused-drugs + adult + command-and-control + cryptocurrency + gambling + grayware + hacking + high-risk + malware + medium-risk + newly-registered-domain + phishing + questionable + ransomware + real-time-detection + weapons + + + + + high-risk + medium-risk + newly-registered-domain + cryptocurrency + real-time-detection + artificial-intelligence + + yes + + adult + questionable + abused-drugs + hacking + gambling + weapons + malware + phishing + command-and-control + grayware + ransomware + scanning-activity + + + + + + + + + + + + critical + + any + any + disable + + + + + + + high + + any + any + disable + + + + + + + medium + + any + any + disable + + + + + + + 
low + + any + any + disable + + + + + + + + + disable + + + + + default + default + disable + + + default + default + disable + + + default + default + disable + + + default + default + disable + + + default + default + disable + + + default + default + disable + + + default + default + disable + + + default + default + disable + + + default + default + disable + + + + + + alert + + + alert + + + alert + + + alert + + + alert + + + + + +
+ + 10.1.0.0/16 + + + 10.2.0.0/16 + + + 10.2.1.100 + +
+ + + + ethernet1/1 + ethernet1/2 + ethernet1/1.1 + + + +
+
+
+
+
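Review bot: The bootstrap configuration commits live credential material: SHA-crypt password hashes (`$5$...`) for the `admin` and `apiadmin` accounts and the private-key blobs for the `aws-jam-pan` and `UNTRUST` certificates (partly redacted in this listing), while samplereadme1.md in the same commit publishes the matching admin password. Both certificates also carry a validity window ending `Sep 19 2023 GMT`, so at the commit date (June 2024) they are already expired; if `aws-jam-pan` is the forward-trust certificate behind the `service-https` decrypt rule, every decrypted session will present an expired CA — I cannot confirm the role from the stripped markup here. I would have the deployment Lambda generate the admin hash and the certificates per deployment (or at minimum regenerate them before shipping) and keep only a sanitized template in s3assets, rather than committing secrets that every clone of the repository inherits.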
diff --git a/aws-vmseries-with-gwlbe-CFT/s3assets/init-cfg.txt b/aws-vmseries-with-gwlbe-CFT/s3assets/init-cfg.txt new file mode 100644 index 0000000..9b1bd46 --- /dev/null +++ b/aws-vmseries-with-gwlbe-CFT/s3assets/init-cfg.txt @@ -0,0 +1,20 @@ +type=dhcp-client +hostname=BrewGuardian-NGFW +ip-address= +default-gateway= +netmask= +ipv6-default-gateway= +vm-auth-key= +panorama-server= +panorama-server-2= +tplname= +dgname= +dns-primary=8.8.8.8 +dns-secondary= +authcodes= +op-command-modes=jumbo-frame,mgmt-interface-swap +op-cmd-dpdk-pkt-io=on +dhcp-send-hostname=yes +dhcp-send-client-id=yes +dhcp-accept-server-hostname=no +dhcp-accept-server-domain=yes diff --git a/aws-vmseries-with-gwlbe-CFT/sample/samplereadme1.md b/aws-vmseries-with-gwlbe-CFT/sample/samplereadme1.md new file mode 100644 index 0000000..5194e01 --- /dev/null +++ b/aws-vmseries-with-gwlbe-CFT/sample/samplereadme1.md @@ -0,0 +1,81 @@ +The "Hop & Code" owners are convinced that our competitor “Sneaky Suds” is exfiltrating our secret recipes. + +Your Application development team found some very strange behaviour on the Beer Database Server and asked you to have a deeper look into it to figure out what's going on. After some investigations, you realized that no outbound traffic gets analyzed by the Palo Alto Networks Firewall. That's something that we have to fix. + +You started the journey by conducting a comprehensive audit of the existing AWS infrastructure. With a discerning eye, you created a detailed diagram of the AWS environment. You mapped out the route tables of every VPC and the Transit Gateway. + +
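Review bot: `s3assets/init-cfg.txt` is never consumed: the Lambda in aws-panw-gwlb-cfn-vmseries.yaml writes its own `config/init-cfg.txt` and copies only `bootstrap.xml` and `authcodes` from the source path. The two copies also disagree — this one has no `plugin-op-commands=aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable,...` line and leaves `dns-secondary=` empty — so anyone bootstrapping by hand from s3assets gets a firewall without GWLB inspection enabled. Either delete the file or make it the single template the Lambda substitutes into (e.g. `aws-gwlb-associate-vpce:__frontend_gwlbe_az1__@ethernet1/1.1`), so the two cannot drift apart again.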
+

Full Starting Diagram with Route Tables

+
+ + +## Task + +**Redirect all outbound traffic from the Beer Store Data Database Server to the Palo Alto Networks Firewall** + +1. First, login to the Firewall. (**Helpful Info Section**) + +2. Check the Firewall Monitor traffic logs to verify if you can see any traffic from the Beer Store Data Database Server. ((**Helpful Info Section**) + +3. Update AWS routing to redirect the Beer Store Data Database Server outbound traffic for inspection by VM-Series through the Transit Gateway.
+
+ +## Task Validation + +- Once you made the appropriate changes in the AWS routing you can log into the **Beer Store Data Database Server** via the SSM service and test with the **curl** command if the EC2 instance has internet access. + - example curl command **sudo curl www.google.de** + + +- If the curl command isn't working in the **Beer Store Data Database Server**, check the Palo Alto Networks Firewall Monitor Logs to see which Application is now blocked from the Firewall. + +- You should see the following example log in the firewall monitoring. By adding the following filter **( zone.src eq internal ) and ( zone.dst eq external )** into the Monitor Logs filter bar.
+ Some fields in the example log were removed. +

VPC Logs

+
+ +- Input the Name of the blocked Application in the answer field to complete the task.
+
+ +## Helpful Info +**To Login into the VM Series Firewall Web UI** +- Identify the Elastic IP (Security VM-Series Management) of the EC2 Instance named "Security VM-Series" +- Open a browser window and navigate to https://("Security VM-Series-EIP") +- Login with the following credentials: + - Username: admin + - Password: Pal0Alt0@123 + +**How to see the Traffic Logs inside the Firewall** +- Login into the firewall +- Inside the firewall navigate to Monitor -> Traffic +- See the following picture as an example

Monitor Logs

+- In the Monitor Traffic window change the refresh timer from **Manual** to **10 seconds** by clicking on the dropdown field on the top right as the picture below shows +

Monitor Logs

+ + +**Login into the Beer Store Data Database Server** +- Use the Session Manager to log into the Server +- The name of the VM is "Beer Store Data Database" + +**How to find the server's private IP?** +- On the AWS Console go to EC2 +- On the EC2 Dashboard click on Instances +- The following EC2 instances are used by the lab: + - Beer Store Data Database + - Beer Store Frontend Webserver + - Security VM-Series (Palo Alto Networks Firewall)
+
+ +## Inventory +- Palo Alto Networks NGFW VM-Series +- Amazon EC2 +- Amazon VPC +- AWS Systems Manager (SSM) +- AWS Lambda +- AWS AWS Tranist Gateway +- AWS Gateway Load Balancer
+
+ +## Services You Should Use +- Palo Alto Networks NGFW VM-Series +- Amazon EC2 +- Amazon VPC (Route tables)
diff --git a/aws-vmseries-with-gwlbe-CFT/samplereadme.md b/aws-vmseries-with-gwlbe-CFT/samplereadme.md new file mode 100644 index 0000000..9ada70f --- /dev/null +++ b/aws-vmseries-with-gwlbe-CFT/samplereadme.md @@ -0,0 +1,324 @@ +# aws-panw-vmseries-cft-deployment + +This GitHub repository contains CloudFormation templates designed to deploy a lab environment featuring Palo Alto's VM-Series firewall integrated with AWS Gateway Load Balancer. The primary goal of this lab is to provide hands-on experience in setting up and configuring network security measures to protect digital assets. The lab aims to simulate various network security scenarios and provides a structured environment for users to practice configuring and managing network security policies. + +The lab consists of multiple use cases, each addressing specific network security tasks and validations. In this lab we are deploying a single instance of VM-Series firewall and not using autoscale service. + +**Duration**: It will take approximately 2 hours to successfully complete this lab. + +**Note**: After completion of lab please make sure to run the **cleanup steps** mentioned towards the end of this guide to remove the resources, even if you are not able to complete it please execute the cleanup to remove all the resources. + +## Outline + +
+

Full Starting Diagram with Route Tables

+
+ +- aws-panw-gwlb-cfn-root.yaml. This is the root stack that will be deployed. The other template files are nested from this one. + + +You can set up this environment in the following way: + +### Rapid S3 Setup + +**Note:** You will need access to AWS CloudShell for this mode of setup. + +1. Login to the AWS Console and change to the region of your choosing. Supported regions are: + - eu-north-1 + - eu-west-1 + - us-east-1 + - us-east-2 + - us-west-1 + - us-west-2 +2. Open AWS CloudShell, wait for the CLI prompt to show up. +3. Clone the github repository. +``` +git clone https://github.com/AfrahAyub/panw-aws-jam-challenge-resources.git && cd panw-aws-jam-challenge-resources +``` +4. Run the setup command. +``` +./setup-cft.sh +``` + +Once the script completes execution, you should be able to see the output as shown below. +``` +Setup completed successfully. Please proceed to CFT deployment. +Please use the below Template URL for CFT deployment. +TEMPLATE_URL = https://panw-aws-resources-506b9ea8-ce65-4416-8f5d-288991b33a30.s3.us-east-1.amazonaws.com/panw-vmseries-gwlb/aws-panw-gwlb-cfn-root.yaml +``` +5. Please create a new EC2 key pair in the region where you are going to deploy the setup script and once you have uploaded the setup script please rename the EC2 key pair and provide the name of the key-pair that you have generated + + +## Please go through the following cases in order to run the Use Cases + + +## Use Case 1: Inspect outbound traffic using VM Series + +In this Use Case we will be redirecting outbound traffic from the **Beer Store Data Database Server** to the **Palo Alto Networks** firewall for inspection. This involves AWS routing adjustments and verifying traffic logs on the firewall. Read the following in order to run the Use Case 1: +## Task + +**Step 1**- In this step we will Update AWS routing to redirect the Beer Store Data Database Server outbound traffic for inspection by VM-Series through the "Transit Gateway". 
Please go through the follwoing steps: + + 1: In this step we will check the VPC Route Table to check if the Route Tables of the Beer Store Data VPC is pointing to + the correct resource + + 2: The Traffic will not be shown in the firewall at first, to see the traffic in the Firewall monitoring. Please do the + following: + + 1. Login into the AWS console + 2. Go to VPC + 3. Select in filter by VPC field the "Beer Store Data VPC" + 4. Next, go to route tables and select the "Beer Store Data Private route table" + 5. In the route table click on routes (see below) +
+

+
+ 6. Click Edit routes and do the following changes: + + 1. Remove the route 10.0.0.0/8 -> Target TGW + 2. Change the route 0.0.0.0/0 -> TGW + 3. Click Save + +7. Once you made the changes your route should look like the example below +
+

+
+ +**Step 2**- Now login to the firewall. Go through the following steps: + + - Identify the Elastic IP (Security VM-Series Management) of the EC2 Instance named "Security VM-Series" to find the server's private IP. + 1. On the AWS Console go to EC2 + 2. On the EC2 Dashboard click on Instances + 3. The following EC2 instances are used by the lab: + - Beer Store Data Database + - Beer Store Frontend Webserver + - Security VM-Series (Palo Alto Networks Firewall) + + + - Open a browser window and navigate to https://("Security VM-Series-EIP") + - Login with the following credentials: + - Username: admin + - Password: Pal0Alt0@123 +
+ +**Step 3**- Now we will do the following steps in order to run the attack: +- Once you made the appropriate changes in the AWS routing you can log into the **Beer Store Data Database Server** via the SSM service and test with the **curl** command if the EC2 instance has internet access. + - example curl command **sudo curl www.google.de** + - To Login into the Beer Store Data Database Server: + - Use the Session Manager to log into the Server + - The name of the VM is "Beer Store Data Database" + +- If the curl command isn't working in the **Beer Store Data Database Server**, check the Palo Alto Networks Firewall Monitor Logs to see which application is now blocked from the Firewall. + +- You should see the following example log in the firewall monitoring. By adding the following filter **( zone.src eq internal ) and ( zone.dst eq external )** into the Monitor Logs filter bar.
+ Some fields in the example log were removed. +

VPC Logs

+
+ +**Step 4**- Check the "Firewall Monitor" traffic logs to verify if you can see any traffic from the Beer Store Data Database Server. To see the Traffic Logs inside the firewall: +- Login into the firewall +- Inside the firewall navigate to Monitor -> Traffic +- See the following picture as an example

Monitor Logs

+- In the :Monitor: Traffic" window change the refresh timer from **Manual** to **10 seconds** by clicking on the dropdown field on the top right as the picture below shows +

Monitor Logs

+ +
+
+ +This is the end of first Use Case. +
+ +## Use Case 2: Inspect east-west traffic using VM-Series + +In this Use Case we will have VM-Series firewall inspect east-west traffic between the **Beer Store Data Database Server** and the **Beer Store Frontend Webserver**. As a part of this task we will update the AWS routing and also check the firewall logs. Read the following in order to run the Use Case 2: +## Task + +1. As the first step let's check the traffic between the Beer Store Data Database Server and the Beer Store Frontend Webserver. You can add the following filter into the Firewall Monitor **( zone.src eq internal ) and ( zone.dst eq internal )** +2. There should not be logs seen on the firewall, so let's update the AWS routing. Please go through the following steps: + +**Step 1**: To make changes in the AWS routing we will do the following: + 1. Login into the AWS console + 2. Go to VPC Services and select under Transit Gateways the Transit gateway route tables +
+

+
+ + 3. Select the Spoke TGW Route Table + 4. In the Route table click on Propagations +
+

+
+ + 5. Select each propagations one by one and click delete propagations. Repeat it until both are deleted. + 6. Your TGW Route table should looks like the following after the deletion +
+

+
+ +**Step 2**: To find the logs inside the "Firewall: Monitor": + 1. Log into the Palo Alto Networks VM-Series Firewall + 2. Go to Monitor -> Traffic +
+

+ +
+ +Note: The attack is being automatically generated. + + 3. In the Filter field paste the the following filter ( zone.src eq internal ) and ( zone.dst eq internal ) and ( app eq ssh ) +
+

+
+ +**Step 3**: + 1. In the Monitor logs have a look at the column "TO PORT". +
+

+
+ + 2. Once you made the appropriate changes in AWS check if can see now traffic between the **Beer Store Data Database Server** and the **Beer Store Frontend Webserver** by typing the following filter in the "Firewall: Monitor" **( zone.src eq internal ) and ( zone.dst eq internal )** + + 3. You should be able to see the following Monitor Logs inside the Firewall +

SSH Logs

+
+ +This is the end of second Use Case. +
+ +## Use Case 3: Inspect inbound traffic using VM-Series + +In this Use Case the VM-Series firewall will inspect inbound traffic towards the **Beer Frontend VPC**. As a part of this task we will be redirecting traffic, checking logs, identifying vulnerabilities, and updating firewall settings to block or reset malicious traffic. Read the following in order to run the Use Case 3: + +## Task + +1. You realized that you have no inbound inspection on the Beer Store by looking into the "Firewall: Monitor" logs and adding the following filter **(( zone.src eq frontend ) and ( zone.dst eq frontend )) or (( zone.src eq external ) and ( zone.dst eq internal ))**. + +2. You should now redirect the traffic from the Beer Frontend VPC to the Firewall. Please go through the following steps: + + 1. Login into the AWS console + 2. Go to VPC + 3. Select in Filter by VPC field the "Beer Store Frontend VPC" + 4. As next go to Route Tables and select the Beer Store Frontend Public route table + 5. In the route table click on Routes (see below) + +

+ + vi. Click Edit routes and do the following changes: + - Change the route 0.0.0.0/0 -> Gateway Load Balancer Endpoint + - Click Save + + + vii. Once you made the changes your routle should looks like the example below +
+

+
+ +3. Now after you redirect inbound traffic through the firewall, you should connect to the **Beer Store Frontend Webserver** (HTTP) over the Public IP. You should be able to see the following Webpage. This is the entrypoint to the Log4j Attack. The attack is being automatically generated, you do not need to authenticate to the beer store frontend before proceeding to the next step +

Beer Store

+ In the "Firewall: Monitor" logs, you should see the following log by entering the filter ( addr.src in YOUR-PIP ). Replace "YOUR-PIP" with your local Public IP (Logs can take up to 1 min to be shown in the Monitor)
+

Logs

+ In case you still don't see any traffic logs, check the Internet Edge route table or do the following: + 1. Login into the AWS console + 2. Go to VPC + 3. Select in Filter by VPC field the "Beer Store Frontend VPC" + 4. As next go to Route Tables and select the Beer Store Frontend IGW Edge route table + 5. In the route table click on Routes (see below) +
+

+
+ 6. Click "Edit routes" and do the following change: + - Add the route 10.1.2.0/24 -> Gateway Load Balancer Endpoint + - Click Save +

+ 7. Once you made the changes your routle should looks like the example below +
+

+
+ +4. Next we will check the Firewall Monitor Threat logs, to see if any unexpected behaviour is happening. In the Threat Logs, you can see some **Log4j** Attacks. But for some reason, the Firewall isn't blocking them, just alerting. See the picture below as an example. +

alert

+ +5. Now you have to change/update the Threat Profile on the Security Policy to block/reset the vulnerable traffic. To perform the change on the Security Policy follow the instructions below: + + 1. On the Firewall tab on the browser, navigate to the Policies tab, and select Secuirty on the left pane +

+ + 2. Now you can see all the Security rules. Click on the Rule "Allow inbound" frontend rule, and a new window will open +

+ + 3. On the new window click on "Actions" tab +

+ + 4. On the "Profile Setting" section you can see that under "Vulnerability Protection",the "alert" profile is selected. That profile will only alert and not block or reset any communication. +

+ + 5. Change the "Vulnerability Protection" from "alert" to "strict". +

+ + 6. Click "OK", and the window will close automatically. + + 7. Next, we have to commit the changes you made to the firewall. Click on the **Commit** button in the top right corner. +

+ + 8. A new window will open. Here you will have to click on "Commit" button +

+ + 9. Wait for "Status Complete" and "Result Successful" and close the Window +

+ +6. After changing the **Vulnerability Protection** Profile from **alert** to **strict** you should see the following logs under the **Threat section** of the logs: +

+
+
+ +- After you make the appropriate changes in AWS routing and on the Palo Alto Networks Firewall it should have successfully blocked the attack to the **Beer Store Frontend Webserver** and you should be able to see a **reset-both** log entry in the Palo Alto Networks Monitor Logs -> Threat. +
+
+ +This is the end of third Use Case. +
+ +## Summary +We have completed this lab and we observed how VM Series firewall can be deployed in AWS environment to inspect inbound and east-west flow and inspect the traffic. + +## Cleanup Steps +Once you have completed the lab successfully, follow the following steps for the cleanup: + +Go to the AWS Floudformation service and delete the root stack which you had deployed initially using the URL, refer the following steps: + + 1. Go to the AWS CloudFormation service and select the stack(stack name) that was deployed +![Screenshot (181)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/d4ca515c-d765-4109-a51f-a41224c40c9a) + 2. Click on **Delete** +![Screenshot (182)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/951c7365-8f29-41bd-84cd-cbb3eb714da1) +**Note**: it will take approximately 10-15 minutes for the stack to get deleted. + 3. Once the stack is deleted go to the AWS Cloudshell, select Actions and select Delete AWS CloudShell home directory option +![Screenshot (183)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/de107f6b-2123-4b66-b443-9bc20bde2113) + + + + + +In case you get a message that says: "DELETE_FAILED" for the test-CombinedStack and test-SecurityStack, follow the following steps + +**Note**: the name of the stack deployed here is "test", please select the stackname that you have deployed to delete the nested stack + +1. Select the test-CombinedStack +![Screenshot (184)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/86faf4c6-7cd6-4268-84a0-157b51a95e10) +2. Click on **Delete** +![Screenshot (185)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/e04e4f4d-2704-44d2-96d1-9c0c6ee39e12) +3. Once the test-CombinedStack is deleted, Select test-SecurityStack +![Screenshot (187)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/52802da9-8563-46be-a303-229bb1a9e0aa) +4. 
Click on **Delete** +![Screenshot (188)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/7e6db6ce-7c37-4e11-a71d-469de3e404b0) +5. Finally select the test-stack +![Screenshot (189)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/b3d171f7-a74f-434a-80df-1e9bca73ccad) +6. Click on **Delete** +![Screenshot (190)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/c8c51126-ba7c-47ee-88f7-67dac26c6980) +7. Now go to the VPC section and check if all the VPCs are deleted, if not then Select the VPC and click **Delete** +![Screenshot (192)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/b624ac57-655a-40df-bad4-50df0c6c980f) +![Screenshot (193)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/966d965d-78a7-41ab-86ef-347cecf798e4) + + + + + diff --git a/aws-vmseries-with-gwlbe-CFT/setup-cft.sh b/aws-vmseries-with-gwlbe-CFT/setup-cft.sh new file mode 100644 index 0000000..18b069c --- /dev/null +++ b/aws-vmseries-with-gwlbe-CFT/setup-cft.sh 
@@ -0,0 +1,27 @@
+
+S3_BUCKET_NAME="panw-aws-resources-$(uuidgen)"
+S3_FOLDER_NAME="panw-vmseries-gwlb/"
+
+echo "Creating new S3 bucket ${S3_BUCKET_NAME} for sourcing the CFTs"
+aws s3 mb s3://${S3_BUCKET_NAME}
+
+echo "Creating new folder ${S3_FOLDER_NAME} in the S3 bucket"
+aws s3api put-object --bucket ${S3_BUCKET_NAME} --key ${S3_FOLDER_NAME} --content-length 0
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $SCRIPT_DIR
+
+echo "Updating the CFTs with the new S3 bucket name."
+sed -i "s/__source_s3_bucket_name__/${S3_BUCKET_NAME}/g" ./vmseries-gwlb-2023/cloud-formation-templates/aws-panw-gwlb-cfn-root.yaml
+sed -i "s/__source_s3_bucket_name__/${S3_BUCKET_NAME}/g" ./vmseries-gwlb-2023/cloud-formation-templates/aws-panw-gwlb-cfn-security.yaml
+sed -i "s/__source_s3_bucket_name__/${S3_BUCKET_NAME}/g" ./vmseries-gwlb-2023/cloud-formation-templates/aws-panw-gwlb-cfn-vmseries.yaml
+
+echo "Starting upload of CFT and bootstrap files to S3 bucket"
+aws s3 cp ./vmseries-gwlb-2023/s3-assets/bootstrap.xml s3://${S3_BUCKET_NAME}/${S3_FOLDER_NAME}
+aws s3 cp ./vmseries-gwlb-2023/s3-assets/init-cfg.txt s3://${S3_BUCKET_NAME}/${S3_FOLDER_NAME}
+aws s3 cp ./vmseries-gwlb-2023/s3-assets/authcodes s3://${S3_BUCKET_NAME}/${S3_FOLDER_NAME}
+aws s3 cp ./vmseries-gwlb-2023/cloud-formation-templates s3://${S3_BUCKET_NAME}/${S3_FOLDER_NAME} --recursive
+
+echo "Setup completed successfully. Please proceed to CFT deployment."
+echo "Please use the below Template URL for CFT deployment."
+echo "TEMPLATE_URL = https://${S3_BUCKET_NAME}.s3.${AWS_REGION}.amazonaws.com/${S3_FOLDER_NAME}aws-panw-gwlb-cfn-root.yaml"
From 625c0b3d22f9753b50262a0b54dae5367e1eea12 Mon Sep 17 00:00:00 2001
From: Nidhi Pandey
Date: Tue, 18 Jun 2024 10:17:51 +0530
Subject: [PATCH 3/5] deleted test file
---
 test.txt | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 test.txt
diff --git a/test.txt b/test.txt
deleted file mode 100644
index e69de29..0000000 
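Review bot: setup-cft.sh has no shebang and no `set -euo pipefail`, so a failing `aws s3 mb`, `sed -i` or `aws s3 cp` is ignored and the closing "Setup completed successfully" lines print regardless; the `./vmseries-gwlb-2023/cloud-formation-templates` and `./vmseries-gwlb-2023/s3-assets` paths in those commands also do not match the `cloudformationtemplates/` and `s3assets/` directories this commit adds, which suggests the substitution and upload steps currently fail without anyone noticing. `cd $SCRIPT_DIR` and the `s3://${S3_BUCKET_NAME}` arguments are unquoted and should be `cd "$SCRIPT_DIR"` and `"s3://${S3_BUCKET_NAME}/${S3_FOLDER_NAME}"`. The bucket receives bootstrap.xml and authcodes, so it should get a public-access block immediately after creation, and since the README's cleanup section never deletes it, the final echo should also tell the user to remove the bucket. The printed TEMPLATE_URL takes its region from `${AWS_REGION}` while `aws s3 mb` uses the CLI default region; passing `--region "${AWS_REGION:?}"` to `aws s3 mb` keeps the two consistent and fails early when the variable is unset.
```shell
#!/usr/bin/env bash
set -euo pipefail

S3_BUCKET_NAME="panw-aws-resources-$(uuidgen)"
S3_FOLDER_NAME="panw-vmseries-gwlb/"

echo "Creating new S3 bucket ${S3_BUCKET_NAME} for sourcing the CFTs"
aws s3 mb "s3://${S3_BUCKET_NAME}" --region "${AWS_REGION:?AWS_REGION must be set}"
# bootstrap.xml and authcodes are uploaded here; keep the bucket private.
aws s3api put-public-access-block --bucket "${S3_BUCKET_NAME}" \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
# … unchanged: folder creation, SCRIPT_DIR, sed substitution, uploads (quote the s3:// arguments) …
cd "$SCRIPT_DIR"
# … unchanged: final echo lines …
echo "Remember to delete bucket ${S3_BUCKET_NAME} after the lab; the stack cleanup does not remove it."
```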
From be5815d1bed2d23f8fe4f1655dfb724cdd9ec6cc Mon Sep 17 00:00:00 2001 From: Nidhi Pandey Date: Tue, 18 Jun 2024 10:24:24 +0530 Subject: [PATCH 4/5] renamed teh folder --- AWS-VMSeries-GWLB-CFT/README.md | 323 ++++ .../aws-panw-gwlb-cfn-combined.yaml | 1152 ++++++++++++++ .../aws-panw-gwlb-cfn-root.yaml | 391 +++++ .../aws-panw-gwlb-cfn-security.yaml | 706 +++++++++ .../aws-panw-gwlb-cfn-vmseries.yaml | 451 ++++++ ...ws-panw-vmseries-gwlb-team-iam-policy.json | 76 + AWS-VMSeries-GWLB-CFT/s3assets/authcodes | 1 + AWS-VMSeries-GWLB-CFT/s3assets/bootstrap.xml | 1371 +++++++++++++++++ AWS-VMSeries-GWLB-CFT/s3assets/init-cfg.txt | 20 + AWS-VMSeries-GWLB-CFT/sample/samplereadme1.md | 81 + AWS-VMSeries-GWLB-CFT/samplereadme.md | 324 ++++ AWS-VMSeries-GWLB-CFT/setup-cft.sh | 27 + 12 files changed, 4923 insertions(+) create mode 100644 AWS-VMSeries-GWLB-CFT/README.md create mode 100644 AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-combined.yaml create mode 100644 AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-root.yaml create mode 100644 AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-security.yaml create mode 100644 AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-vmseries.yaml create mode 100644 AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-vmseries-gwlb-team-iam-policy.json create mode 100644 AWS-VMSeries-GWLB-CFT/s3assets/authcodes create mode 100644 AWS-VMSeries-GWLB-CFT/s3assets/bootstrap.xml create mode 100644 AWS-VMSeries-GWLB-CFT/s3assets/init-cfg.txt create mode 100644 AWS-VMSeries-GWLB-CFT/sample/samplereadme1.md create mode 100644 AWS-VMSeries-GWLB-CFT/samplereadme.md create mode 100644 AWS-VMSeries-GWLB-CFT/setup-cft.sh diff --git a/AWS-VMSeries-GWLB-CFT/README.md b/AWS-VMSeries-GWLB-CFT/README.md new file mode 100644 index 0000000..ca25115 --- /dev/null +++ b/AWS-VMSeries-GWLB-CFT/README.md 
@@ -0,0 +1,323 @@ +# aws-panw-vmseries-cft-deployment + +This GitHub repository contains CloudFormation templates designed to deploy a lab environment featuring Palo Alto's VM-Series firewall integrated with AWS Gateway Load Balancer. The primary goal of this lab is to provide hands-on experience in setting up and configuring network security measures to protect digital assets. The lab aims to simulate various network security scenarios and provides a structured environment for users to practice configuring and managing network security policies. + +The lab consists of multiple use cases, each addressing specific network security tasks and validations. In this lab we are deploying a single instance of VM-Series firewall and not using autoscale service. + +**Duration**: It will take approximately 2 hours to successfully complete this lab. + +**Note**: After completion of lab please make sure to run the **cleanup steps** mentioned towards the end of this guide to remove the resources, even if you are not able to complete it please execute the cleanup to remove all the resources. + +## Outline + +
+

Full Starting Diagram with Route Tables

+
+ +- aws-panw-gwlb-cfn-root.yaml. This is the root stack that will be deployed. The other template files are nested from this one. + + +You can set up this environment in the following way: + +### Rapid S3 Setup + +**Note:** You will need access to AWS CloudShell for this mode of setup. + +1. Login to the AWS Console and change to the region of your choosing. Supported regions are: + - eu-north-1 + - eu-west-1 + - us-east-1 + - us-east-2 + - us-west-1 + - us-west-2 +2. Open AWS CloudShell, wait for the CLI prompt to show up. +3. Clone the github repository. +``` +git clone https://github.com/AfrahAyub/panw-aws-jam-challenge-resources.git && cd panw-aws-jam-challenge-resources +``` +4. Run the setup command. +``` +./setup-cft.sh +``` + +Once the script completes execution, you should be able to see the output as shown below. +``` +Setup completed successfully. Please proceed to CFT deployment. +Please use the below Template URL for CFT deployment. +TEMPLATE_URL = https://panw-aws-resources-506b9ea8-ce65-4416-8f5d-288991b33a30.s3.us-east-1.amazonaws.com/panw-vmseries-gwlb/aws-panw-gwlb-cfn-root.yaml +``` +5. Please create a new EC2 key pair in the region where you are going to deploy the setup script and once you have uploaded the setup script please rename the EC2 key pair and provide the name of the key-pair that you have generated + + +## Please go through the following cases in order to run the Use Cases + + +## Use Case 1: Inspect outbound traffic using VM Series + +In this Use Case we will be redirecting outbound traffic from the **Beer Store Data Database Server** to the **Palo Alto Networks** firewall for inspection. This involves AWS routing adjustments and verifying traffic logs on the firewall. Read the following in order to run the Use Case 1: +## Task + +**Step 1**- In this step we will Update AWS routing to redirect the Beer Store Data Database Server outbound traffic for inspection by VM-Series through the "Transit Gateway". 
Please go through the follwoing steps: + + 1: In this step we will check the VPC Route Table to check if the Route Tables of the Beer Store Data VPC is pointing to + the correct resource + + 2: The Traffic will not be shown in the firewall at first, to see the traffic in the Firewall monitoring. Please do the + following: + + 1. Login into the AWS console + 2. Go to VPC + 3. Select in filter by VPC field the "Beer Store Data VPC" + 4. Next, go to route tables and select the "Beer Store Data Private route table" + 5. In the route table click on routes (see below) +
+

+
+ 6. Click Edit routes and do the following changes: + + 1. Remove the route 10.0.0.0/8 -> Target TGW + 2. Change the route 0.0.0.0/0 -> TGW + 3. Click Save + +7. Once you made the changes your route should look like the example below +
+

+
+ +**Step 2**- Now login to the firewall. Go through the following steps: + + - Identify the Elastic IP (Security VM-Series Management) of the EC2 Instance named "Security VM-Series" to find the server's private IP. + 1. On the AWS Console go to EC2 + 2. On the EC2 Dashboard click on Instances + 3. The following EC2 instances are used by the lab: + - Beer Store Data Database + - Beer Store Frontend Webserver + - Security VM-Series (Palo Alto Networks Firewall) + + + - Open a browser window and navigate to https://("Security VM-Series-EIP") + - Login with the following credentials: + - Username: admin + - Password: Pal0Alt0@123 +
+ +**Step 3**- Now we will do the following steps in order to run the attack: +- Once you made the appropriate changes in the AWS routing you can log into the **Beer Store Data Database Server** via the SSM service and test with the **curl** command if the EC2 instance has internet access. + - example curl command **sudo curl www.google.de** + - To Login into the Beer Store Data Database Server: + - Use the Session Manager to log into the Server + - The name of the VM is "Beer Store Data Database" + +- If the curl command isn't working in the **Beer Store Data Database Server**, check the Palo Alto Networks Firewall Monitor Logs to see which application is now blocked from the Firewall. + +- You should see the following example log in the firewall monitoring. By adding the following filter **( zone.src eq internal ) and ( zone.dst eq external )** into the Monitor Logs filter bar.
+ Some fields in the example log were removed. +

VPC Logs

+
+ +**Step 4**- Check the "Firewall Monitor" traffic logs to verify if you can see any traffic from the Beer Store Data Database Server. To see the Traffic Logs inside the firewall: +- Login into the firewall +- Inside the firewall navigate to Monitor -> Traffic +- See the following picture as an example

Monitor Logs

+- In the :Monitor: Traffic" window change the refresh timer from **Manual** to **10 seconds** by clicking on the dropdown field on the top right as the picture below shows +

Monitor Logs

+ +
+
+ +This is the end of first Use Case. +
+ +## Use Case 2: Inspect east-west traffic using VM-Series + +In this Use Case we will have VM-Series firewall inspect east-west traffic between the **Beer Store Data Database Server** and the **Beer Store Frontend Webserver**. As a part of this task we will update the AWS routing and also check the firewall logs. Read the following in order to run the Use Case 2: +## Task + +1. As the first step let's check the traffic between the Beer Store Data Database Server and the Beer Store Frontend Webserver. You can add the following filter into the Firewall Monitor **( zone.src eq internal ) and ( zone.dst eq internal )** +2. There should not be logs seen on the firewall, so let's update the AWS routing. Please go through the following steps: + +**Step 1**: To make changes in the AWS routing we will do the following: + 1. Login into the AWS console + 2. Go to VPC Services and select under Transit Gateways the Transit gateway route tables +
+

+
+ + 3. Select the Spoke TGW Route Table + 4. In the Route table click on Propagations +
+

+
+ + 5. Select each propagations one by one and click delete propagations. Repeat it until both are deleted. + 6. Your TGW Route table should looks like the following after the deletion +
+

+
+ +**Step 2**: To find the logs inside the "Firewall: Monitor": + 1. Log into the Palo Alto Networks VM-Series Firewall + 2. Go to Monitor -> Traffic +
+

+ +
+ +Note: The attack is being automatically generated. + + 3. In the Filter field paste the the following filter ( zone.src eq internal ) and ( zone.dst eq internal ) and ( app eq ssh ) +
+

+
+ +**Step 3**: + 1. In the Monitor logs have a look at the column "TO PORT". +
+

+
+ + 2. Once you made the appropriate changes in AWS check if can see now traffic between the **Beer Store Data Database Server** and the **Beer Store Frontend Webserver** by typing the following filter in the "Firewall: Monitor" **( zone.src eq internal ) and ( zone.dst eq internal )** + + 3. You should be able to see the following Monitor Logs inside the Firewall +

SSH Logs

+
+ +This is the end of second Use Case. +
+ +## Use Case 3: Inspect inbound traffic using VM-Series + +In this Use Case the VM-Series firewall will inspect inbound traffic towards the **Beer Frontend VPC**. As a part of this task we will be redirecting traffic, checking logs, identifying vulnerabilities, and updating firewall settings to block or reset malicious traffic. Read the following in order to run the Use Case 3: + +## Task + +1. You realized that you have no inbound inspection on the Beer Store by looking into the "Firewall: Monitor" logs and adding the following filter **(( zone.src eq frontend ) and ( zone.dst eq frontend )) or (( zone.src eq external ) and ( zone.dst eq internal ))**. + +2. You should now redirect the traffic from the Beer Frontend VPC to the Firewall. Please go through the following steps: + + 1. Login into the AWS console + 2. Go to VPC + 3. Select in Filter by VPC field the "Beer Store Frontend VPC" + 4. As next go to Route Tables and select the Beer Store Frontend Public route table + 5. In the route table click on Routes (see below) + +

+ + vi. Click Edit routes and do the following changes: + - Change the route 0.0.0.0/0 -> Gateway Load Balancer Endpoint + - Click Save + + + vii. Once you made the changes your routle should looks like the example below +
+

+
+ +3. Now after you redirect inbound traffic through the firewall, you should connect to the **Beer Store Frontend Webserver** (HTTP) over the Public IP. You should be able to see the following Webpage. This is the entrypoint to the Log4j Attack. The attack is being automatically generated, you do not need to authenticate to the beer store frontend before proceeding to the next step +

Beer Store

+ In the "Firewall: Monitor" logs, you should see the following log by entering the filter ( addr.src in YOUR-PIP ). Replace "YOUR-PIP" with your local Public IP (Logs can take up to 1 min to be shown in the Monitor)
+

Logs

+ In case you still don't see any traffic logs, check the Internet Edge route table or do the following: + 1. Login into the AWS console + 2. Go to VPC + 3. Select in Filter by VPC field the "Beer Store Frontend VPC" + 4. As next go to Route Tables and select the Beer Store Frontend IGW Edge route table + 5. In the route table click on Routes (see below) +
+

+
+ 6. Click "Edit routes" and do the following change: + - Add the route 10.1.2.0/24 -> Gateway Load Balancer Endpoint + - Click Save +

+ 7. Once you made the changes your routle should looks like the example below +
+

+
+ +4. Next we will check the Firewall Monitor Threat logs, to see if any unexpected behaviour is happening. In the Threat Logs, you can see some **Log4j** Attacks. But for some reason, the Firewall isn't blocking them, just alerting. See the picture below as an example. +

alert

+ +5. Now you have to change/update the Threat Profile on the Security Policy to block/reset the vulnerable traffic. To perform the change on the Security Policy follow the instructions below: + + 1. On the Firewall tab on the browser, navigate to the Policies tab, and select Secuirty on the left pane +

+ + 2. Now you can see all the Security rules. Click on the Rule "Allow inbound" frontend rule, and a new window will open +

+ + 3. On the new window click on "Actions" tab +

+ + 4. On the "Profile Setting" section you can see that under "Vulnerability Protection",the "alert" profile is selected. That profile will only alert and not block or reset any communication. +

+ + 5. Change the "Vulnerability Protection" from "alert" to "strict". +

+ + 6. Click "OK", and the window will close automatically. + + 7. Next, we have to commit the changes you made to the firewall. Click on the **Commit** button in the top right corner. +

+ + 8. A new window will open. Here you will have to click on "Commit" button +

+ + 9. Wait for "Status Complete" and "Result Successful" and close the Window +

+ +6. After changing the **Vulnerability Protection** Profile from **alert** to **strict** you should see the following logs under the **Threat section** of the logs: +

+
+
+ +- After you make the appropriate changes in AWS routing and on the Palo Alto Networks Firewall it should have successfully blocked the attack to the **Beer Store Frontend Webserver** and you should be able to see a **reset-both** log entry in the Palo Alto Networks Monitor Logs -> Threat. +
+
+ +This is the end of third Use Case. +
+ +## Summary +We have completed this lab and we observed how VM Series firewall can be deployed in AWS environment to inspect inbound and east-west flow and inspect the traffic. + +## Cleanup Steps +Once you have completed the lab successfully, follow the following steps for the cleanup: + +Go to the AWS Floudformation service and delete the root stack which you had deployed initially using the URL, refer the following steps: + + 1. Go to the AWS CloudFormation service and select the stack(stack name) that was deployed +![Screenshot (181)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/d4ca515c-d765-4109-a51f-a41224c40c9a) + 2. Click on **Delete** +![Screenshot (182)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/951c7365-8f29-41bd-84cd-cbb3eb714da1) +**Note**: it will take approximately 10-15 minutes for the stack to get deleted. + 3. Once the stack is deleted go to the AWS Cloudshell, select Actions and select Delete AWS CloudShell home directory option +![Screenshot (183)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/de107f6b-2123-4b66-b443-9bc20bde2113) + + + + + +In case you get a message that says: "DELETE_FAILED" for the test-CombinedStack and test-SecurityStack, follow the following steps + +**Note**: the name of the stack deployed here is "test", please select the stackname that you have deployed to delete the nested stack + +1. Select the test-CombinedStack +![Screenshot (184)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/86faf4c6-7cd6-4268-84a0-157b51a95e10) +2. Click on **Delete** +![Screenshot (185)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/e04e4f4d-2704-44d2-96d1-9c0c6ee39e12) +3. Once the test-CombinedStack is deleted, Select test-SecurityStack +![Screenshot (187)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/52802da9-8563-46be-a303-229bb1a9e0aa) +4. 
Click on **Delete** +![Screenshot (188)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/7e6db6ce-7c37-4e11-a71d-469de3e404b0) +5. Finally select the test-stack +![Screenshot (189)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/b3d171f7-a74f-434a-80df-1e9bca73ccad) +6. Click on **Delete** +![Screenshot (190)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/c8c51126-ba7c-47ee-88f7-67dac26c6980) +7. Now go to the VPC section and check if all the VPCs are deleted, if not then Select the VPC and click **Delete** +![Screenshot (192)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/b624ac57-655a-40df-bad4-50df0c6c980f) +![Screenshot (193)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/966d965d-78a7-41ab-86ef-347cecf798e4) + + + + diff --git a/AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-combined.yaml b/AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-combined.yaml new file mode 100644 index 0000000..7a4226e --- /dev/null +++ b/AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-combined.yaml 
@@ -0,0 +1,1152 @@ +AWSTemplateFormatVersion: "2010-09-09" + +Description: >- + Simulated VPC with public facing web frontend on EC2. Intended for use with demo scenario with VM-Series Deployment with AWS Gateway Load Balancer (GWLB). + +# ====================================================================================================================== +# Parameters +# ====================================================================================================================== + +Parameters: +# KeyPair Parameter + KeyName: + Type: String + Description: Name of the KeyPair used for EC2 instances + ConstraintDescription: 'Must be the name of an existing EC2 KeyPair.' + Default: lab-key-pair + +# Naming Prefix + FrontendNamePrefix: + Type: String + Description: Prefix to be used for naming / tagging resources + ConstraintDescription: 'String for naming.' + Default: Beer Store Frontend + + DataNamePrefix: + Type: String + Description: Prefix to be used for naming / tagging resources + ConstraintDescription: 'String for naming.' + Default: Beer Store Data + + AttackerNamePrefix: + Type: String + Description: Prefix to be used for naming / tagging resources + ConstraintDescription: 'String for naming.' + Default: Sneaky Suds + +# Amazon Linux AMI for simulated workload EC2 + LatestAmiId : + Type : 'AWS::SSM::Parameter::Value' + Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2' + +# Management Network CIDR + RemoteManagementCIDR: + Description: >- + Remote Management CIDR to be allowed management access to VM-Series Firewall (e.g. 192.168.0.0/25) + Type: String + Default: 0.0.0.0/0 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2}) + ConstraintDescription: Must be a valid CIDR (e.g. 0.0.0.0/0) + +# Frontend VPC CIDR IP Range + FrontendVPCCIDR: + Description: >- + CIDR Address Range for FrontendVPC (e.g. 
10.1.0.0/16) + Type: String + Default: 10.1.0.0/16 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) + +# Frontend VPC Subnets + FrontendVPCSubnetPrivateCIDRAZ1: + Description: >- + CIDR for Private Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.1.1.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + FrontendVPCSubnetPublicCIDRAZ1: + Description: >- + CIDR for Public Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.1.2.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + FrontendVPCSubnetGwlbeCIDRAZ1: + Description: >- + CIDR for GWLB Endpoint Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.1.3.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) +# DATA +# Data VPC CIDR IP Range + DataVPCCIDR: + Description: >- + CIDR Address Range for DataVPC (e.g. 10.2.0.0/16) + Type: String + Default: 10.2.0.0/16 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) + +# Data VPC Subnets + DataVPCSubnetPrivateCIDRAZ1: + Description: >- + CIDR for Data VM Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.2.1.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + DataVPCSubnetPublicCIDRAZ1: + Description: >- + CIDR for TGW Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.2.2.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 
192.168.0.0/28) +# ATTACKER +# Attacker VPC CIDR IP Range + AttackerVPCCIDR: + Description: >- + CIDR Address Range for AttackerVPC (e.g. 10.2.0.0/16) + Type: String + Default: 192.168.10.0/23 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) + +# Attacker VPC Subnets + AttackerVPCSubnetPrivateCIDRAZ1: + Description: >- + CIDR for Attacker VM Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 192.168.10.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + AttackerVPCSubnetPublicCIDRAZ1: + Description: >- + CIDR for TGW Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 192.168.11.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + +# ====================================================================================================================== +# Metadata +# ====================================================================================================================== + +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - + Label: + default: "Frontend Webserver VPC Parameters" + Parameters: + - FrontendVPCCIDR + - FrontendVPCSubnetPrivateCIDRAZ1 + - FrontendVPCSubnetPublicCIDRAZ1 + - FrontendVPCSubnetGwlbeCIDRAZ1 + - FrontendNamePrefix + - DataVPCCIDR + - DataVPCSubnetPrivateCIDRAZ1 + - DataVPCSubnetPublicCIDRAZ1 + - DataNamePrefix + - AttackerVPCCIDR + - AttackerVPCSubnetPrivateCIDRAZ1 + - AttackerVPCSubnetPublicCIDRAZ1 + - AttackerNamePrefix + - + Label: + default: "Other Parameters" + Parameters: + - RemoteManagementCIDR + +# ====================================================================================================================== +# Resources +# 
====================================================================================================================== + +Resources: + +# ---------------------------------------------------------------------------------------------------------------------- +# Networking - VPC, IGW, TGW, Subnets, Route Tables +# ---------------------------------------------------------------------------------------------------------------------- + + FrontendVPC: + Type: AWS::EC2::VPC + Properties: + EnableDnsSupport: true + EnableDnsHostnames: true + CidrBlock: !Ref FrontendVPCCIDR + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} VPC" + + FrontendIGW: + Type: AWS::EC2::InternetGateway + Properties: + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} IGW" + + FrontendIGWAttachment: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref FrontendIGW + VpcId: !Ref FrontendVPC + + FrontendSubnetPrivateAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref FrontendVPC + CidrBlock: !Ref FrontendVPCSubnetPrivateCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} Private" + + FrontendSubnetPublicAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref FrontendVPC + CidrBlock: !Ref FrontendVPCSubnetPublicCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} Public" + + FrontendSubnetGwlbeAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref FrontendVPC + CidrBlock: !Ref FrontendVPCSubnetGwlbeCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} GWLB Endpoint" + +# ---------------------------------------------------------------------------------------------------------------------- +# TGW Attachment +# ---------------------------------------------------------------------------------------------------------------------- + + + FrontendTgwAttachment: + Type: 
AWS::EC2::TransitGatewayAttachment + Properties: + TransitGatewayId: !ImportValue TgwId + VpcId: !Ref FrontendVPC + SubnetIds: [!Ref FrontendSubnetPrivateAZ1] + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} VPC Attachment" + + FrontendTGWAttachmentAssociation: + Type: AWS::EC2::TransitGatewayRouteTableAssociation + Properties: + TransitGatewayAttachmentId: !Ref FrontendTgwAttachment + TransitGatewayRouteTableId: !ImportValue TgwSpokeRouteTableId + + FrontendTGWAttachmentPropagationToSecurity: + Type: AWS::EC2::TransitGatewayRouteTablePropagation + Properties: + TransitGatewayAttachmentId: !Ref FrontendTgwAttachment + TransitGatewayRouteTableId: !ImportValue TgwSecurityRouteTableId + + FrontendTGWAttachmentPropagationToSpoke: # Intentional to start with direct E/W Traffic + Type: AWS::EC2::TransitGatewayRouteTablePropagation + Properties: + TransitGatewayAttachmentId: !Ref FrontendTgwAttachment + TransitGatewayRouteTableId: !ImportValue TgwSpokeRouteTableId + +# ---------------------------------------------------------------------------------------------------------------------- +# VPC Route Tables +# ---------------------------------------------------------------------------------------------------------------------- + + FrontendPrivateRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref FrontendVPC + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} Private" + + FrontendPrivateRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref FrontendPrivateRouteTable + SubnetId: !Ref FrontendSubnetPrivateAZ1 + + FrontendPrivateClassARoute: + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref FrontendPrivateRouteTable + DestinationCidrBlock: 10.0.0.0/8 + TransitGatewayId: !ImportValue TgwId + DependsOn: FrontendTgwAttachment + + FrontendPublicRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref FrontendVPC + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} 
Public" + + FrontendPublicRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref FrontendPublicRouteTable + SubnetId: !Ref FrontendSubnetPublicAZ1 + + FrontendPublicDefaultRoute: + Type: AWS::EC2::Route + DependsOn: FrontendIGWAttachment + Properties: + RouteTableId: !Ref FrontendPublicRouteTable + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref FrontendIGW + + FrontendPublicClassARoute: + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref FrontendPublicRouteTable + DestinationCidrBlock: 10.0.0.0/8 + TransitGatewayId: !ImportValue TgwId + DependsOn: FrontendTgwAttachment + + FrontendGwlbEndpointRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref FrontendVPC + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} GWLB Endpoint" + + FrontendGwlbEndpointRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref FrontendGwlbEndpointRouteTable + SubnetId: !Ref FrontendSubnetGwlbeAZ1 + + FrontendGwlbEndpointDefaultRoute: + Type: AWS::EC2::Route + DependsOn: FrontendIGWAttachment + Properties: + RouteTableId: !Ref FrontendGwlbEndpointRouteTable + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref FrontendIGW + + FrontendIgwEdgeRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref FrontendVPC + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} IGW Edge" + + FrontendIgwEdgeRouteTableAssociationAZ1: + Type: AWS::EC2::GatewayRouteTableAssociation + Properties: + RouteTableId: !Ref FrontendIgwEdgeRouteTable + GatewayId: !Ref FrontendIGW + +# ---------------------------------------------------------------------------------------------------------------------- +# Gateway Load Balancer Endpoint +# ---------------------------------------------------------------------------------------------------------------------- + + FrontendGwlbeAz1: + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref FrontendVPC + ServiceName: !ImportValue 
GWLBServiceId + VpcEndpointType: GatewayLoadBalancer + SubnetIds: [ !Ref FrontendSubnetGwlbeAZ1 ] + +# ---------------------------------------------------------------------------------------------------------------------- +# Frontend EC2 Instance Resources +# ---------------------------------------------------------------------------------------------------------------------- + + FrontendEC2EIP: + Type: AWS::EC2::EIP + DependsOn: FrontendIGWAttachment + Properties: + Domain: vpc + InstanceId: !Ref FrontendEC2Instance + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} Webserver EIP" + + FrontendEC2SecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupName: !Sub "${FrontendNamePrefix} Public" + GroupDescription: Security group for FrontendEC2Instance + VpcId: !Ref FrontendVPC + SecurityGroupIngress: + - IpProtocol: icmp + FromPort: -1 + ToPort: -1 + CidrIp: 10.0.0.0/8 + - IpProtocol: tcp + FromPort: 443 + ToPort: 443 + CidrIp: 0.0.0.0/0 + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: -1 + FromPort: 0 + ToPort: 0 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} Public" + + + FrontendEC2Instance: + Type: AWS::EC2::Instance + DependsOn: FrontendIGWAttachment + Properties: + ImageId: !Ref LatestAmiId # Enter the appropriate AMI ID + InstanceType: t2.micro # Enter the desired instance type + KeyName: !Ref KeyName #!Join ['', [!FindInMap [KeyPairMap, qwikLABS, KeyNamePrefix], !Ref 'AWS::AccountId']] + IamInstanceProfile: !Ref FrontendSsmInstanceProfile + NetworkInterfaces: + - PrivateIpAddress: 10.1.2.223 + SubnetId: !Ref FrontendSubnetPublicAZ1 + DeviceIndex: 0 + GroupSet: + - !Ref FrontendEC2SecurityGroup + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + Encrypted: true + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} Webserver" + UserData: + Fn::Base64: | + #!/bin/bash + # Install Docker (if not already installed) + sudo yum update -y + sudo 
amazon-linux-extras install docker -y + sudo service docker start + sudo usermod -aG docker ec2-user # Add the user to the docker group for non-root access (optional) + + # Pull and run your Docker container + sudo docker pull migara/vuln-app + sudo docker run -d -p 80:8080 migara/vuln-app + +# ---------------------------------------------------------------------------------------------------------------------- +# Frontend VPC - SSM Resources +# ---------------------------------------------------------------------------------------------------------------------- + + # SSM VPC Endpoint + FrontendSsmVpcEndpoint: + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref FrontendVPC + ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssm" + VpcEndpointType: Interface + PrivateDnsEnabled: True + SubnetIds: + - !Ref FrontendSubnetPrivateAZ1 + SecurityGroupIds: + - !Ref FrontendSsmSecurityGroup + + FrontendSsmMessagesVpcEndpoint: + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref FrontendVPC + ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssmmessages" + VpcEndpointType: Interface + PrivateDnsEnabled: True + SubnetIds: + - !Ref FrontendSubnetPrivateAZ1 + SecurityGroupIds: + - !Ref FrontendSsmSecurityGroup + + FrontendEc2MessagesVpcEndpoint: + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref FrontendVPC + ServiceName: !Sub "com.amazonaws.${AWS::Region}.ec2messages" + VpcEndpointType: Interface + PrivateDnsEnabled: True + SubnetIds: + - !Ref FrontendSubnetPrivateAZ1 + SecurityGroupIds: + - !Ref FrontendSsmSecurityGroup + + # SSM Security Group + + FrontendSsmSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupName: !Sub "${FrontendNamePrefix} SSM Endpoint" + GroupDescription: Enable SSM traffic to endpoint + VpcId: !Ref FrontendVPC + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 443 + ToPort: 443 + CidrIp: !Ref FrontendVPCCIDR + SecurityGroupEgress: + - IpProtocol: -1 + FromPort: 0 + ToPort: 0 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + 
Value: !Sub "${FrontendNamePrefix} SSM Endpoint" + + # SSM Role for EC2 instances + FrontendSsmInstanceRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: ec2.amazonaws.com + Action: sts:AssumeRole + ManagedPolicyArns: + - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM + Tags: + - Key: Name + Value: !Sub "${FrontendNamePrefix} SSM" + + # EC2 Instance Profile + FrontendSsmInstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Roles: + - !Ref FrontendSsmInstanceRole + +######################################################################################################################### +# ---------------------------------------------------------------------------------------------------------------------- +# Networking - VPC, IGW, TGW, Subnets, Route Tables +# ---------------------------------------------------------------------------------------------------------------------- + + DataVPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: !Ref DataVPCCIDR + EnableDnsSupport: true + EnableDnsHostnames: true + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} VPC" + + DataIGW: + Type: AWS::EC2::InternetGateway + Properties: + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} IGW" + + DataIGWAttachment: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref DataIGW + VpcId: !Ref DataVPC + + DataSubnetPrivateAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref DataVPC + CidrBlock: !Ref DataVPCSubnetPrivateCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} Private AZ1" + + DataSubnetPublicAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref DataVPC + CidrBlock: !Ref DataVPCSubnetPublicCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} Public AZ1" + + +# 
---------------------------------------------------------------------------------------------------------------------- +# TGW Attachment +# ---------------------------------------------------------------------------------------------------------------------- + + DataTgwAttachment: + Type: AWS::EC2::TransitGatewayAttachment + Properties: + TransitGatewayId: !ImportValue TgwId + VpcId: !Ref DataVPC + SubnetIds: [!Ref DataSubnetPrivateAZ1] + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} VPC Attachment" + + DataTGWAttachmentAssociation: + Type: AWS::EC2::TransitGatewayRouteTableAssociation + Properties: + TransitGatewayAttachmentId: !Ref DataTgwAttachment + TransitGatewayRouteTableId: !ImportValue TgwSpokeRouteTableId + + DataTGWAttachmentPropagationToSecurity: + Type: AWS::EC2::TransitGatewayRouteTablePropagation + Properties: + TransitGatewayAttachmentId: !Ref DataTgwAttachment + TransitGatewayRouteTableId: !ImportValue TgwSecurityRouteTableId + + DataTGWAttachmentPropagationToSpoke: # Intentional to start with direct E/W Traffic + Type: AWS::EC2::TransitGatewayRouteTablePropagation + Properties: + TransitGatewayAttachmentId: !Ref DataTgwAttachment + TransitGatewayRouteTableId: !ImportValue TgwSpokeRouteTableId + +# ---------------------------------------------------------------------------------------------------------------------- +# EIPs +# ---------------------------------------------------------------------------------------------------------------------- + + DataEIPAZ1: + Type: AWS::EC2::EIP + DependsOn: DataIGWAttachment + Properties: + Domain: vpc + InstanceId: !Ref DataEC2Instance + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} Beer Store Data EIP" + + # DataNATGWAZ1: + # Type: AWS::EC2::NatGateway + # Properties: + # SubnetId: !Ref DataSubnetPublicAZ1 + # AllocationId: !GetAtt DataNATGWEIPAZ1.AllocationId + # Tags: + # - Key: Name + # Value: !Sub "${DataNamePrefix} NAT GW" + +# 
---------------------------------------------------------------------------------------------------------------------- +# VPC Route Tables +# ---------------------------------------------------------------------------------------------------------------------- + + DataPrivateRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref DataVPC + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} Private" + + DataPrivateRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref DataPrivateRouteTable + SubnetId: !Ref DataSubnetPrivateAZ1 + + DataPrivateDefaultRoute: + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref DataPrivateRouteTable + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref DataIGW + + DataPrivateClassARoute: + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref DataPrivateRouteTable + DestinationCidrBlock: 10.0.0.0/8 + TransitGatewayId: !ImportValue TgwId + DependsOn: DataTgwAttachment + + DataPublicRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref DataVPC + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} Public" + + DataPublicRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref DataPublicRouteTable + SubnetId: !Ref DataSubnetPublicAZ1 + + DataPublicDefaultRoute: + Type: AWS::EC2::Route + DependsOn: DataIGWAttachment + Properties: + RouteTableId: !Ref DataPublicRouteTable + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref DataIGW + +# ---------------------------------------------------------------------------------------------------------------------- +# Data EC2 Instance Resources +# ---------------------------------------------------------------------------------------------------------------------- + + DataEC2SecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupName: !Sub "${DataNamePrefix} Database" + GroupDescription: Security group for Private DB + VpcId: !Ref DataVPC + 
SecurityGroupIngress: + - IpProtocol: icmp + FromPort: -1 + ToPort: -1 + CidrIp: 10.0.0.0/8 + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 10.1.0.0/16 + - IpProtocol: -1 + FromPort: 0 + ToPort: 0 + CidrIp: 10.0.0.0/8 + SecurityGroupEgress: + - IpProtocol: -1 + FromPort: 0 + ToPort: 0 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} Database" + + DataEC2Instance: + Type: AWS::EC2::Instance + DependsOn: DataIGWAttachment + Properties: + ImageId: !Ref LatestAmiId # Enter the appropriate AMI ID + InstanceType: t2.micro # Enter the desired instance type + KeyName: !Ref KeyName #!Join ['', [!FindInMap [KeyPairMap, qwikLABS, KeyNamePrefix], !Ref 'AWS::AccountId']] + IamInstanceProfile: !Ref DataSsmInstanceProfile + NetworkInterfaces: + - PrivateIpAddress: 10.2.1.100 # Enter the desired private IP address + SubnetId: !Ref DataSubnetPrivateAZ1 + DeviceIndex: 0 + GroupSet: + - !Ref DataEC2SecurityGroup + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + Encrypted: true + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} Database" + UserData: + Fn::Base64: | + #!/bin/bash + # Install Docker (if not already installed) + sudo yum update -y + sudo amazon-linux-extras install docker -y + sudo service docker start + sudo usermod -aG docker ec2-user # Add the user to the docker group for non-root access (optional) + + # Pull and run your Docker container + sudo docker pull migara/beer-vault + sudo docker run -d -p 2222:22 migara/beer-vault +# ---------------------------------------------------------------------------------------------------------------------- +# Data VPC - SSM Resources +# ---------------------------------------------------------------------------------------------------------------------- + + + # SSM VPC Endpoint + DataSsmVpcEndpoint: + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref DataVPC + ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssm" + VpcEndpointType: Interface + PrivateDnsEnabled: True + 
SubnetIds: + - !Ref DataSubnetPrivateAZ1 + SecurityGroupIds: + - !Ref DataSsmSecurityGroup + + DataSsmMessagesVpcEndpoint: + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref DataVPC + ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssmmessages" + VpcEndpointType: Interface + PrivateDnsEnabled: True + SubnetIds: + - !Ref DataSubnetPrivateAZ1 + SecurityGroupIds: + - !Ref DataSsmSecurityGroup + + DataEc2MessagesVpcEndpoint: + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref DataVPC + ServiceName: !Sub "com.amazonaws.${AWS::Region}.ec2messages" + VpcEndpointType: Interface + PrivateDnsEnabled: True + SubnetIds: + - !Ref DataSubnetPrivateAZ1 + SecurityGroupIds: + - !Ref DataSsmSecurityGroup + + # Security Group + DataSsmSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupName: !Sub "${DataNamePrefix}-ssmendpoint-sg" + VpcId: !Ref DataVPC + GroupDescription: Enable SSM traffic to endpoint + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 443 + ToPort: 443 + CidrIp: !Ref DataVPCCIDR + SecurityGroupEgress: + - IpProtocol: -1 + FromPort: 0 + ToPort: 0 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} SSM" + + # SSM Role for EC2 instances + DataSsmInstanceRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: ec2.amazonaws.com + Action: sts:AssumeRole + Path: / + ManagedPolicyArns: + - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM + Tags: + - Key: Name + Value: !Sub "${DataNamePrefix} SSM" + + # EC2 Instance Profile + DataSsmInstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Roles: + - !Ref DataSsmInstanceRole + +######################################################################################################################### + +# ---------------------------------------------------------------------------------------------------------------------- +# Networking - VPC, IGW, TGW, Subnets, 
Route Tables +# ---------------------------------------------------------------------------------------------------------------------- + + AttackerVPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: !Ref AttackerVPCCIDR + EnableDnsSupport: true + EnableDnsHostnames: true + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} VPC" + + AttackerIGW: + Type: AWS::EC2::InternetGateway + Properties: + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} IGW" + + AttackerIGWAttachment: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref AttackerIGW + VpcId: !Ref AttackerVPC + + AttackerSubnetPrivateAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref AttackerVPC + CidrBlock: !Ref AttackerVPCSubnetPrivateCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} Private AZ1" + + AttackerSubnetPublicAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref AttackerVPC + CidrBlock: !Ref AttackerVPCSubnetPublicCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} Public AZ1" + + +# ---------------------------------------------------------------------------------------------------------------------- +# NAT Gateways with EIPs +# ---------------------------------------------------------------------------------------------------------------------- + + # AttackerNATGWEIPAZ1: + # Type: AWS::EC2::EIP + # DependsOn: AttackerIGWAttachment + # Properties: + # Domain: vpc + # Tags: + # - Key: Name + # Value: !Sub "${AttackerNamePrefix} EIP" + + AttackerEC2EIP: + Type: AWS::EC2::EIP + DependsOn: AttackerIGWAttachment + Properties: + Domain: vpc + InstanceId: !Ref AttackerEC2Instance + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} EIP" + + # AttackerNATGWAZ1: + # Type: AWS::EC2::NatGateway + # Properties: + # SubnetId: !Ref AttackerSubnetPublicAZ1 + # AllocationId: !GetAtt AttackerNATGWEIPAZ1.AllocationId + # Tags: + # - Key: 
Name + # Value: !Sub "${AttackerNamePrefix} NAT GW" + +# ---------------------------------------------------------------------------------------------------------------------- +# VPC Route Tables +# ---------------------------------------------------------------------------------------------------------------------- + + AttackerPrivateRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref AttackerVPC + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} Private" + + AttackerPrivateRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref AttackerPrivateRouteTable + SubnetId: !Ref AttackerSubnetPrivateAZ1 + + AttackerPrivateDefaultRoute: + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref AttackerPrivateRouteTable + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref AttackerIGW + + AttackerPublicRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref AttackerVPC + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} Public" + + AttackerPublicRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref AttackerPublicRouteTable + SubnetId: !Ref AttackerSubnetPublicAZ1 + + AttackerPublicDefaultRoute: + Type: AWS::EC2::Route + DependsOn: AttackerIGWAttachment + Properties: + RouteTableId: !Ref AttackerPublicRouteTable + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref AttackerIGW + +# ---------------------------------------------------------------------------------------------------------------------- +# Attacker EC2 Instance Resources +# ---------------------------------------------------------------------------------------------------------------------- + + AttackerEC2SecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupName: !Sub "${AttackerNamePrefix}-SG" + GroupDescription: Security group for Attacker + VpcId: !Ref AttackerVPC + SecurityGroupIngress: + - IpProtocol: icmp + FromPort: -1 + ToPort: -1 + CidrIp: 
0.0.0.0/0 + - IpProtocol: -1 + FromPort: -1 + ToPort: -1 + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: -1 + FromPort: 0 + ToPort: 0 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} SG" + + AttackerEC2Instance: + Type: AWS::EC2::Instance + DependsOn: AttackerIGWAttachment + Properties: + ImageId: !Ref LatestAmiId # Enter the appropriate AMI ID + InstanceType: t2.micro # Enter the desired instance type + KeyName: !Ref KeyName #!Join ['', [!FindInMap [KeyPairMap, qwikLABS, KeyNamePrefix], !Ref 'AWS::AccountId']] + IamInstanceProfile: !Ref AttackerSsmInstanceProfile + NetworkInterfaces: + - PrivateIpAddress: 192.168.10.10 # Enter the desired private IP address + SubnetId: !Ref AttackerSubnetPrivateAZ1 + DeviceIndex: 0 + GroupSet: + - !Ref AttackerEC2SecurityGroup + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + Encrypted: true + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} Instance" + UserData: + Fn::Base64: !Sub + - | + #!/bin/bash + # Install Docker (if not already installed) + sudo yum update -y + sudo amazon-linux-extras install docker -y + sudo service docker start + sudo usermod -aG docker ec2-user # Add the user to the docker group for non-root access (optional) + + EIP_PUBLIC_IP=${EIP_PUBLIC_IP} + + # Pull and run your Docker container + sudo docker pull migara/att-svr + docker container run -itd --rm --name att-svr -p 8888:8888 -p 1389:1389 -e HOST=${EIP_PUBLIC_IP} -e BEER_STORE_EIP=${FrontendEC2EIP} migara/att-svr + - + # FrontendEIP: + # 'Fn::ImportValue': 'FrontendEIP' + EIP_PUBLIC_IP: "$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)" + + + +# ---------------------------------------------------------------------------------------------------------------------- +# Attacker VPC - SSM Resources +# ---------------------------------------------------------------------------------------------------------------------- + + + # SSM VPC Endpoint + AttackerSsmVpcEndpoint: + Type: 
AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref AttackerVPC + ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssm" + VpcEndpointType: Interface + PrivateDnsEnabled: True + SubnetIds: + - !Ref AttackerSubnetPrivateAZ1 + SecurityGroupIds: + - !Ref AttackerSsmSecurityGroup + + AttackerSsmMessagesVpcEndpoint: + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref AttackerVPC + ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssmmessages" + VpcEndpointType: Interface + PrivateDnsEnabled: True + SubnetIds: + - !Ref AttackerSubnetPrivateAZ1 + SecurityGroupIds: + - !Ref AttackerSsmSecurityGroup + + AttackerEc2MessagesVpcEndpoint: + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref AttackerVPC + ServiceName: !Sub "com.amazonaws.${AWS::Region}.ec2messages" + VpcEndpointType: Interface + PrivateDnsEnabled: True + SubnetIds: + - !Ref AttackerSubnetPrivateAZ1 + SecurityGroupIds: + - !Ref AttackerSsmSecurityGroup + + # Security Group + AttackerSsmSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupName: !Sub "${AttackerNamePrefix}-ssmendpoint-sg" + VpcId: !Ref AttackerVPC + GroupDescription: Enable SSM traffic to endpoint + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 443 + ToPort: 443 + CidrIp: !Ref AttackerVPCCIDR + SecurityGroupEgress: + - IpProtocol: -1 + FromPort: 0 + ToPort: 0 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} SSM" + + # SSM Role for EC2 instances + AttackerSsmInstanceRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: ec2.amazonaws.com + Action: sts:AssumeRole + Path: / + ManagedPolicyArns: + - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM + Tags: + - Key: Name + Value: !Sub "${AttackerNamePrefix} SSM" + + # EC2 Instance Profile + AttackerSsmInstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Roles: + - !Ref AttackerSsmInstanceRole + + + +# 
====================================================================================================================== +# Outputs +# ====================================================================================================================== + +Outputs: + FrontendGwlbeAz1: + Description: "The ID of the FrontendGwlbeAz1 VPCEndpoint" + Value: !Ref FrontendGwlbeAz1 + Export: + Name: "FrontendGwlbeAz1" + + FrontendEIP: + Description: EIP of the Beerstore + Value: !GetAtt FrontendEC2EIP.PublicIp + Export: + Name: FrontendEIP + + AttackerEC2InstancePublicIP: + Value: !GetAtt AttackerEC2Instance.PublicIp + Description: Public IP address of AttackerEC2Instance diff --git a/AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-root.yaml b/AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-root.yaml new file mode 100644 index 0000000..b04484c --- /dev/null +++ b/AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-root.yaml 
@@ -0,0 +1,391 @@ +AWSTemplateFormatVersion: "2010-09-09" + +Description: >- + Root Stack for Jam Challenge with VM-Series and AWS Gateway Load Balancer (GWLB)) + +# ====================================================================================================================== +# Parameters / Mappings +# ====================================================================================================================== + + +Parameters: +# KeyPair Parameter + KeyName: + Type: String + Description: Name of the KeyPair used for EC2 instances + ConstraintDescription: 'Must be the name of an existing EC2 KeyPair.' + Default: shiva-test-key-pair + +# Management Network CIDR + RemoteManagementCIDR: + Description: >- + Remote Management CIDR to be allowed management access to VM-Series Firewall (e.g. 192.168.0.0/25) + Type: String + Default: 0.0.0.0/0 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2}) + ConstraintDescription: Must be a valid CIDR (e.g. 0.0.0.0/0) + +# Security VPC CIDR IP Range + SecurityVPCCIDR: + Description: >- + CIDR Address Range for SecurityVPC (e.g. 10.0.0.0/24) + Type: String + Default: 10.0.0.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) + +# Frontend VPC CIDR IP Range + FrontendVPCCIDR: + Description: >- + CIDR Address Range for FrontendVPC (e.g. 10.1.0.0/16) + Type: String + Default: 10.1.0.0/16 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) + +# Frontend VPC Subnets + FrontendVPCSubnetPrivateCIDRAZ1: + Description: >- + CIDR for VM Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.1.1.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + FrontendVPCSubnetPublicCIDRAZ1: + Description: >- + CIDR for TGW Subnet (e.g. 
10.0.0.0/28) + Type: String + Default: 10.1.2.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + FrontendVPCSubnetGwlbeCIDRAZ1: + Description: >- + CIDR for TGW Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.1.3.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + +# Data VPC CIDR IP Range + DataVPCCIDR: + Description: >- + CIDR Address Range for DataVPC (e.g. 10.2.0.0/16) + Type: String + Default: 10.2.0.0/16 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) + +# Data VPC Subnets + DataVPCSubnetPrivateCIDRAZ1: + Description: >- + CIDR for Data VM Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.2.1.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + DataVPCSubnetPublicCIDRAZ1: + Description: >- + CIDR for TGW Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.2.0.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + # AZ1 Subnets CIDRs + + SecurityVPCNATGWSubnetCIDRAZ1: + Description: >- + CIDR for NAT Gateway Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.0.0.0/28 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + SecurityVPCGWLBESubnetCIDRAZ1: + Description: >- + CIDR for GWLBE Subnet (e.g. 10.0.0.16/28) + Type: String + Default: 10.0.0.16/28 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + SecurityVPCTGWSubnetCIDRAZ1: + Description: >- + CIDR for TGW Subnet (e.g. 
10.0.0.32/28) + Type: String + Default: 10.0.0.32/28 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + SecurityVPCVMSeriesDataSubnetCIDRAZ1: + Description: >- + CIDR for VMSeries Data Subnet (e.g. 10.0.0.48/28) + Type: String + Default: 10.0.0.48/28 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + SourceS3BucketName: + Description: >- + Source bucket with bootstrap content intended to be used for Jam Session / AWS Events platform. Objects here will be be copied to new bucket in appropriate bootstrap structure + Type: String + AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$|^$ + ConstraintDescription: Must be a valid S3 Bucket name or left blank for no Bootstrap. + Default: aws-jam-challenge-resources + + SourceS3BucketPath: + Type: String + Description: Name of the path in the S3 bucket where the bootstrap content is located. Should match the Jam Session ID + ConstraintDescription: 'Must match the Jam Session ID.' + Default: panw-vmseries-gwlb + + SecurityCftTemplateName: + Type: String + Description: Object name including file extension of CFN template in S3 bucket. Will be concatenated with SourceS3BucketName and SourceS3BucketPath + ConstraintDescription: 'CFN template file name only. Dont include bucket name or path' + Default: aws-panw-gwlb-cfn-security.yaml + + VmSeriesCftTemplateName: + Type: String + Description: Object name including file extension of CFN template in S3 bucket. Will be concatenated with SourceS3BucketName and SourceS3BucketPath + ConstraintDescription: 'CFN template file name only. Dont include bucket name or path' + Default: aws-panw-gwlb-cfn-vmseries.yaml + + FrontendCftTemplateName: + Type: String + Description: Object name including file extension of CFN template in S3 bucket. 
Will be concatenated with SourceS3BucketName and SourceS3BucketPath + ConstraintDescription: 'CFN template file name only. Dont include bucket name or path' + Default: aws-panw-gwlb-cfn-combined.yaml + + DataNamePrefix: + Type: String + Description: Prefix to be used for naming / tagging resources in Data VPC + ConstraintDescription: 'String for naming.' + Default: Beer Store Data + + FrontendNamePrefix: + Type: String + Description: Prefix to be used for naming / tagging resources in Frontend VPC + ConstraintDescription: 'String for naming.' + Default: Beer Store Frontend + +# Naming Prefix + SecurityNamePrefix: + Type: String + Description: Prefix to be used for naming / tagging resources + ConstraintDescription: 'String for naming.' + Default: Security + +# Naming Prefix + AttackerNamePrefix: + Type: String + Description: Prefix to be used for naming / tagging resources + ConstraintDescription: 'String for naming.' + Default: Sneaky Suds + +# Data VPC CIDR IP Range + AttackerVPCCIDR: + Description: >- + CIDR Address Range for AttackerVPC (e.g. 10.2.0.0/16) + Type: String + Default: 192.168.10.0/23 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) + +# Attacker VPC Subnets + AttackerVPCSubnetPrivateCIDRAZ1: + Description: >- + CIDR for Attacker VM Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 192.168.10.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + AttackerVPCSubnetPublicCIDRAZ1: + Description: >- + CIDR for TGW Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 192.168.11.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 
192.168.0.0/28) + + +# ====================================================================================================================== +# Metadata +# ====================================================================================================================== + +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - + Label: + default: "Shared Parameters" + Parameters: + - KeyName + - SourceS3BucketName + - SourceS3BucketPath + - + Label: + default: "Security VPC Parameters" + Parameters: + - SecurityVPCCIDR + - SecurityVPCNATGWSubnetCIDRAZ1 + - SecurityVPCGWLBESubnetCIDRAZ1 + - SecurityVPCTGWSubnetCIDRAZ1 + - SecurityVPCVMSeriesDataSubnetCIDRAZ1 + - RemoteManagementCIDR + - VMSeriesInstanceType + - SecurityCftTemplateName + - SecurityNamePrefix + - + Label: + default: "Combined VPC Parameters" + Parameters: + - FrontendVPCCIDR + - FrontendVPCSubnetPrivateCIDRAZ1 + - FrontendVPCSubnetPublicCIDRAZ1 + - FrontendVPCSubnetGwlbeCIDRAZ1 + - FrontendCftTemplateName + - FrontendNamePrefix + - DataVPCCIDR + - DataVPCSubnetPrivateCIDRAZ1 + - DataVPCSubnetPublicCIDRAZ1 + - DataCftTemplateName + - DataNamePrefix + - AttackerVPCCIDR + - AttackerVPCSubnetPrivateCIDRAZ1 + - AttackerVPCSubnetPublicCIDRAZ1 + - AttackerCftTemplateName + - AttackerNamePrefix + + ParameterLabels: + SecurityVPCCIDR: + default: "IP CIDR for the Security VPC" + SecurityVPCNATGWSubnetCIDRAZ1: + default: "IP CIDR for NAT GW Subnet in AZ1" + SecurityVPCGWLBESubnetCIDRAZ1: + default: "IP CIDR for GWLB Endpoint in AZ1" + SecurityVPCTGWSubnetCIDRAZ1: + default: "IP CIDR for TGW Attachment in AZ1" + SecurityVPCVMSeriesDataSubnetCIDRAZ1: + default: "IP CIDR for VM-Series Data Plane Interface in AZ1" + VMSeriesInstanceType: + default: "EC2 Instance Type for VM-Series" + RemoteManagementCIDR: + default: "IP CIDR for Allowed Remote Management of the VM-Series" + FrontendVPCCIDR: + default: "IP CIDR for the Frontend VPC" + FrontendVPCSubnetPrivateCIDRAZ1: + default: "IP CIDR for Private 
Subnet in AZ1" + FrontendVPCSubnetPublicCIDRAZ1: + default: "IP CIDR for Public Subnet in AZ1" + FrontendVPCSubnetGwlbeCIDRAZ1: + default: "IP CIDR for GWLB Endpoint Subnet in AZ1" + DataVPCCIDR: + default: "IP CIDR for the Data VPC" + DataVPCSubnetPrivateCIDRAZ1: + default: "IP CIDR for Data Private Subnet in AZ1" + DataVPCSubnetPublicCIDRAZ1: + default: "IP CIDR for Data Public Subnet in AZ1" + SecurityCftTemplateName: + default: "Name of CFN template for Security VPC in S3" + FrontendCftTemplateName: + default: "Name of CFN template for Frontend VPC in S3" + FrontendNamePrefix: + default: "Prefix to be used in naming resrouces in Data / DB VPC" + DataCftTemplateName: + default: "Name of CFN template for Data VPC in S3" + DataNamePrefix: + default: "Prefix to be used in naming resrouces in Data / DB VPC" + SecurityNamePrefix: + default: "Prefix to be used in naming resrouces in Security VPC" + AttackerNamePrefix: + default: "Prefix to be used in naming resrouces in Attacker VPC" + AttackerVPCCIDR: + default: "IP CIDR for the Attacker VPC" + AttackerVPCSubnetPrivateCIDRAZ1: + default: "IP CIDR for Attacker Private Subnet in AZ1" + AttackerVPCSubnetPublicCIDRAZ1: + default: "IP CIDR for Attacker Public Subnet in AZ1" + +# ====================================================================================================================== +# Resources +# ====================================================================================================================== + +Resources: + + SecurityStack: + Type: AWS::CloudFormation::Stack + DeletionPolicy: Delete + UpdateReplacePolicy: Delete + Properties: + TemplateURL: !Sub 'https://${SourceS3BucketName}.s3.amazonaws.com/${SourceS3BucketPath}/${SecurityCftTemplateName}' + Parameters: + KeyName: !Ref KeyName + RemoteManagementCIDR: !Ref RemoteManagementCIDR + SecurityVPCCIDR: !Ref SecurityVPCCIDR + SecurityVPCNATGWSubnetCIDRAZ1: !Ref SecurityVPCNATGWSubnetCIDRAZ1 + SecurityVPCGWLBESubnetCIDRAZ1: !Ref 
SecurityVPCGWLBESubnetCIDRAZ1 + SecurityVPCTGWSubnetCIDRAZ1: !Ref SecurityVPCTGWSubnetCIDRAZ1 + SecurityVPCVMSeriesDataSubnetCIDRAZ1: !Ref SecurityVPCVMSeriesDataSubnetCIDRAZ1 + SourceS3BucketName: !Ref SourceS3BucketName + SourceS3BucketPath: !Ref SourceS3BucketPath + SecurityNamePrefix: !Ref SecurityNamePrefix + + VmSeriesStack: + Type: AWS::CloudFormation::Stack + DeletionPolicy: Delete + UpdateReplacePolicy: Delete + DependsOn: + - SecurityStack + - CombinedStack + Properties: + TemplateURL: !Sub 'https://${SourceS3BucketName}.s3.amazonaws.com/${SourceS3BucketPath}/${VmSeriesCftTemplateName}' + Parameters: + KeyName: !Ref KeyName + RemoteManagementCIDR: !Ref RemoteManagementCIDR + SourceS3BucketName: !Ref SourceS3BucketName + SourceS3BucketPath: !Ref SourceS3BucketPath + SecurityNamePrefix: !Ref SecurityNamePrefix + + CombinedStack: + Type: AWS::CloudFormation::Stack + DeletionPolicy: Delete + UpdateReplacePolicy: Delete + DependsOn: + - SecurityStack + Properties: + TemplateURL: !Sub 'https://${SourceS3BucketName}.s3.amazonaws.com/${SourceS3BucketPath}/${FrontendCftTemplateName}' + Parameters: + KeyName: !Ref KeyName + RemoteManagementCIDR: !Ref RemoteManagementCIDR + FrontendVPCCIDR: !Ref FrontendVPCCIDR + FrontendVPCSubnetPrivateCIDRAZ1: !Ref FrontendVPCSubnetPrivateCIDRAZ1 + FrontendVPCSubnetPublicCIDRAZ1: !Ref FrontendVPCSubnetPublicCIDRAZ1 + FrontendVPCSubnetGwlbeCIDRAZ1: !Ref FrontendVPCSubnetGwlbeCIDRAZ1 + FrontendNamePrefix: !Ref FrontendNamePrefix + DataVPCCIDR: !Ref DataVPCCIDR # Before data stack + DataVPCSubnetPrivateCIDRAZ1: !Ref DataVPCSubnetPrivateCIDRAZ1 # Before data stack + DataVPCSubnetPublicCIDRAZ1: !Ref DataVPCSubnetPublicCIDRAZ1 # Before data stack + DataNamePrefix: !Ref DataNamePrefix # Before data stack + AttackerVPCCIDR: !Ref AttackerVPCCIDR # Before attacker stack + AttackerVPCSubnetPrivateCIDRAZ1: !Ref AttackerVPCSubnetPrivateCIDRAZ1 # Before attacker stack + AttackerVPCSubnetPublicCIDRAZ1: !Ref AttackerVPCSubnetPublicCIDRAZ1 # 
Before attacker stack
+ AttackerNamePrefix: !Ref AttackerNamePrefix # Before attacker stack
+
+
+
+
+
+# ======================================================================================================================
+# Outputs
+# ======================================================================================================================
+
+Outputs:
+
+ KeyName:
+ Description: The SSH KeyPair Name
+ Value: !Ref KeyName
diff --git a/AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-security.yaml b/AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-security.yaml
new file mode 100644
index 0000000..8a8454b
--- /dev/null
+++ b/AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-security.yaml
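Review bot: `RemoteManagementCIDR` defaults to `0.0.0.0/0` under Parameters at the start of this hunk, and the root forwards it unchanged to all three nested stacks (`RemoteManagementCIDR: !Ref RemoteManagementCIDR` in SecurityStack, VmSeriesStack and CombinedStack), so a deploy that accepts defaults hands the security template a world-open CIDR for the VM-Series management security group's TCP 22 and 443 ingress. Drop the `Default: 0.0.0.0/0` line so the caller has to supply a CIDR, and anchor the pattern, `AllowedPattern: ^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$`, since the unanchored form accepts extra characters around the CIDR; the next hunk's security template repeats the same default and deserves the same change, and the personal `Default: shiva-test-key-pair` on `KeyName` should go too. Separately, the `AWS::CloudFormation::Interface` ParameterGroups and ParameterLabels name `VMSeriesInstanceType`, `DataCftTemplateName` and `AttackerCftTemplateName`, none of which is declared under Parameters; I believe CloudFormation rejects Interface entries for undeclared parameters, and even if it only ignores them they are dead entries, so declare them or remove them from the groups and labels.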
@@ -0,0 +1,706 @@ +AWSTemplateFormatVersion: "2010-09-09" + +Description: >- + Shared Infrastructure and Security VPC with Gateway Load Balancer. VM-Series resources moved to separate stack due to circular dependency with bootstrap using GWLB endpoints from spokes + +# ====================================================================================================================== +# Parameters / Maapings +# ====================================================================================================================== + +# Updated to 11.0.2-h1 Custom AMIs +Mappings: + PANFWRegionMap: + eu-north-1: + AMI: ami-04527e8b09f7eb406 + eu-west-1: + AMI: ami-0a44de9db9dd95a6c + us-east-1: + AMI: ami-06899917ae226f293 + us-east-2: + AMI: ami-0fd909759c03f961d + us-west-1: + AMI: ami-09dd60214faaafc71 + us-west-2: + AMI: ami-04d4a07840a04301c + +Parameters: +# KeyPair Parameter + KeyName: + Type: String + Description: Name of the KeyPair used for EC2 instances + ConstraintDescription: 'Must be the name of an existing EC2 KeyPair.' + Default: lab-key-pair + +# Naming Prefix + SecurityNamePrefix: + Type: String + Description: Prefix to be used for naming / tagging resources + ConstraintDescription: 'String for naming.' + Default: Security + +# Management Network CIDR + RemoteManagementCIDR: + Description: >- + Remote Management CIDR to be allowed management access to VM-Series Firewall (e.g. 192.168.0.0/25) + Type: String + Default: 0.0.0.0/0 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2}) + ConstraintDescription: Must be a valid CIDR (e.g. 0.0.0.0/0) + +# Security VPC CIDR IP Range + SecurityVPCCIDR: + Description: >- + CIDR Address Range for SecurityVPC (e.g. 10.0.0.0/24) + Type: String + Default: 10.0.0.0/24 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 
192.168.0.0/25) + + # AZ1 Subnets CIDRs + + SecurityVPCNATGWSubnetCIDRAZ1: + Description: >- + CIDR for NAT Gateway Subnet (e.g. 10.0.0.0/28) + Type: String + Default: 10.0.0.0/28 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + SecurityVPCGWLBESubnetCIDRAZ1: + Description: >- + CIDR for GWLBE Subnet (e.g. 10.0.0.16/28) + Type: String + Default: 10.0.0.16/28 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + SecurityVPCTGWSubnetCIDRAZ1: + Description: >- + CIDR for TGW Subnet (e.g. 10.0.0.32/28) + Type: String + Default: 10.0.0.32/28 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + SecurityVPCVMSeriesDataSubnetCIDRAZ1: + Description: >- + CIDR for VMSeries Data Subnet (e.g. 10.0.0.48/28) + Type: String + Default: 10.0.0.48/28 + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) + + SourceS3BucketName: + Description: >- + Source bucket with bootstrap content intended to be used for Jam Session / AWS Events platform. Objects here will be be copied to new bucket in appropriate bootstrap structure + Type: String + AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$|^$ + ConstraintDescription: Must be a valid S3 Bucket name or left blank for no Bootstrap. + Default: __source_s3_bucket_name__ + + SourceS3BucketPath: + Type: String + Description: Name of the path in the S3 bucket where the bootstrap content is located. Should match the Jam Session ID + ConstraintDescription: 'Must match the Jam Session ID.' 
+ Default: panw-vmseries-gwlb + +# ====================================================================================================================== +# Metadata +# ====================================================================================================================== + +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - + Label: + default: "Security VPC" + Parameters: + - SecurityVPCCIDR + - SecurityVPCNATGWSubnetCIDRAZ1 + - SecurityVPCGWLBESubnetCIDRAZ1 + - SecurityVPCTGWSubnetCIDRAZ1 + - SecurityVPCVMSeriesDataSubnetCIDRAZ1 + - SecurityNamePrefix + + - + Label: + default: "VM-Series Deployment" + Parameters: + - VMSeriesAMI + - VMSeriesInstanceType + - KeyName + - SourceS3BucketName + - SourceS3BucketPath + + - + Label: + default: "Other Parameters" + Parameters: + - RemoteManagementCIDR + + ParameterLabels: + SecurityVPCCIDR: + default: "IP CIDR for the Security VPC" + SecurityVPCNATGWSubnetCIDRAZ1: + default: "IP CIDR for NAT GW Subnet in AZ1" + SecurityVPCGWLBESubnetCIDRAZ1: + default: "IP CIDR for GWLB Endpoint in AZ1" + SecurityVPCTGWSubnetCIDRAZ1: + default: "IP CIDR for TGW Attachment in AZ1" + SecurityVPCVMSeriesDataSubnetCIDRAZ1: + default: "IP CIDR for VM-Series Data Plane Interface in AZ1" + VMSeriesAMI: + default: "AMI ID of VM-Series" + VMSeriesInstanceType: + default: "EC2 Instance Type for VM-Series" + RemoteManagementCIDR: + default: "IP CIDR for Allowed Remote Management of the VM-Series" + SecurityNamePrefix: + default: "Prefix to be used in naming resrouces in Security VPC" + +# ====================================================================================================================== +# Resources +# ====================================================================================================================== + +Resources: + +# ---------------------------------------------------------------------------------------------------------------------- +# Transit Gateway and Attachment to Security 
VPC +# ---------------------------------------------------------------------------------------------------------------------- + +## TODO add defaults associations for spokes (circular dependency, needs lambda) + TransitGateway: + Type: AWS::EC2::TransitGateway + Properties: + Description: Transit Gateway for VPC connectivity + DefaultRouteTableAssociation: disable + DefaultRouteTablePropagation: disable + Tags: + - Key: Name + Value: Transit Gateway + + TGWSpokeRouteTable: + Type: AWS::EC2::TransitGatewayRouteTable + Properties: + Tags: + - Key: Name + Value: Spoke TGW Route Table + TransitGatewayId: !Ref TransitGateway + + TGWSecurityRouteTable: + Type: AWS::EC2::TransitGatewayRouteTable + Properties: + Tags: + - Key: Name + Value: Security TGW Route Table + TransitGatewayId: !Ref TransitGateway + + TGWSecurityAttachment: + Type: AWS::EC2::TransitGatewayAttachment + Properties: + VpcId: !Ref SecurityVPC + SubnetIds: [!Ref TGWSubnetAZ1] + TransitGatewayId: !Ref TransitGateway + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VPC Attachment" + + TGWSecurityAttachmentAssociation: + Type: AWS::EC2::TransitGatewayRouteTableAssociation + Properties: + TransitGatewayAttachmentId: !Ref TGWSecurityAttachment + TransitGatewayRouteTableId: !Ref TGWSecurityRouteTable + + TGWSpokeRouteTableDefaultRoute: + Type: AWS::EC2::TransitGatewayRoute + Properties: + DestinationCidrBlock: 0.0.0.0/0 + TransitGatewayAttachmentId: !Ref TGWSecurityAttachment + TransitGatewayRouteTableId: !Ref TGWSpokeRouteTable + + +# ---------------------------------------------------------------------------------------------------------------------- +# VPC, IGW, and IGW Attachment +# ---------------------------------------------------------------------------------------------------------------------- + + SecurityVPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: !Ref SecurityVPCCIDR + EnableDnsSupport: true + EnableDnsHostnames: true + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} 
VPC" + + SecurityIGW: + Type: AWS::EC2::InternetGateway + Properties: + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} IGW" + + SecurityIGWAttachment: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref SecurityIGW + VpcId: !Ref SecurityVPC + + +#----------------------------------------------------------------------------------------------------------------------- +# Subnets +#----------------------------------------------------------------------------------------------------------------------- + + +#Security + NATGWSubnetAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref SecurityVPC + CidrBlock: !Ref SecurityVPCNATGWSubnetCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} Public" + + TGWSubnetAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref SecurityVPC + CidrBlock: !Ref SecurityVPCTGWSubnetCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} TGW Attach" + + GWLBESubnetAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref SecurityVPC + CidrBlock: !Ref SecurityVPCGWLBESubnetCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} GWLB Endpoint" + + VMSeriesDataSubnetAZ1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref SecurityVPC + CidrBlock: !Ref SecurityVPCVMSeriesDataSubnetCIDRAZ1 + AvailabilityZone: !Select [ 0, !GetAZs '' ] + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} Firewall Data" + +# ---------------------------------------------------------------------------------------------------------------------- +# Route Tables - SecurityVPC - GWLBE +# ---------------------------------------------------------------------------------------------------------------------- + + GWLBERouteTableAZ1: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref SecurityVPC + Tags: + - Key : Name + Value: !Sub "${SecurityNamePrefix} 
GWLB Endpoint" + + # GWLBEDefaultRouteAZ1: + # Type: AWS::EC2::Route + # Properties: + # RouteTableId: !Ref GWLBERouteTableAZ1 + # DestinationCidrBlock: 0.0.0.0/0 + # NatGatewayId: !Ref SecurityIGW + + GWLBERouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref GWLBERouteTableAZ1 + SubnetId: !Ref GWLBESubnetAZ1 + + GWLBEClassARouteAZ1: + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref GWLBERouteTableAZ1 + DestinationCidrBlock: 10.0.0.0/8 + TransitGatewayId: !Ref TransitGateway + DependsOn: TGWSecurityAttachment + +# ---------------------------------------------------------------------------------------------------------------------- +# Route Tables - SecurityVPC - Nat Gateway +# ---------------------------------------------------------------------------------------------------------------------- + + NATGWRouteTableAZ1: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref SecurityVPC + Tags: + - Key : Name + Value: !Sub "${SecurityNamePrefix} Public" + + NATGWDefaultRouteAZ1: + Type: AWS::EC2::Route + DependsOn: SecurityIGWAttachment + Properties: + RouteTableId: !Ref NATGWRouteTableAZ1 + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref SecurityIGW + + NATGWClassARouteAZ1: + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref NATGWRouteTableAZ1 + DestinationCidrBlock: 10.0.0.0/8 + VpcEndpointId: !Ref GWLBEAZ1 + + NATGWRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref NATGWRouteTableAZ1 + SubnetId: !Ref NATGWSubnetAZ1 + +# ---------------------------------------------------------------------------------------------------------------------- +# Route Table - SecurityVPC - TGW +# ---------------------------------------------------------------------------------------------------------------------- + + TGWRouteTableAZ1: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref SecurityVPC + Tags: + - Key : Name + Value: !Sub "${SecurityNamePrefix} 
TGW Attach" + + TGWDefaultRouteAZ1: + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref TGWRouteTableAZ1 + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBEAZ1 + + TGWRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref TGWRouteTableAZ1 + SubnetId: !Ref TGWSubnetAZ1 + +# ---------------------------------------------------------------------------------------------------------------------- +# SecurityVPC - NAT Gateways with EIPs +# ---------------------------------------------------------------------------------------------------------------------- + + # NATGWEIPAZ1: + # Type: AWS::EC2::EIP + # DependsOn: SecurityIGWAttachment + # Properties: + # Domain: vpc + # Tags: + # - Key: Name + # Value: !Sub "${SecurityNamePrefix} NAT GW" + + # NATGWAZ1: + # Type: AWS::EC2::NatGateway + # Properties: + # SubnetId: !Ref NATGWSubnetAZ1 + # AllocationId: !GetAtt NATGWEIPAZ1.AllocationId + # Tags: + # - Key: Name + # Value: !Sub "${SecurityNamePrefix} NAT GW" + +# ---------------------------------------------------------------------------------------------------------------------- +# Route Table - SecurityVPC - Data +# ---------------------------------------------------------------------------------------------------------------------- + + VMSeriesDataRouteTableAZ1: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref SecurityVPC + Tags: + - Key : Name + Value: !Sub "${SecurityNamePrefix} Firewall Data" + + VMSeriesDataRouteTableAssociationAZ1: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref VMSeriesDataRouteTableAZ1 + SubnetId: !Ref VMSeriesDataSubnetAZ1 + +# ---------------------------------------------------------------------------------------------------------------------- +# Gateway Load Balancer +# ---------------------------------------------------------------------------------------------------------------------- + + GWLB: + Type: 
AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Name: VMSeries-Gateway-Load-Balancer + Type: gateway + Subnets: [!Ref VMSeriesDataSubnetAZ1] + LoadBalancerAttributes: + - Key: load_balancing.cross_zone.enabled + Value: true + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} Gateway Load Balancer" + + # ---------------------------------------------------------------------------------------------------------------------- + # Gateway Load Balancer - VPC Endpoint Service + # ---------------------------------------------------------------------------------------------------------------------- + + GWLBEService: + Type: AWS::EC2::VPCEndpointService + Properties: + GatewayLoadBalancerArns: + - !Ref GWLB + AcceptanceRequired: false + + DescribeGWLBEServiceLambdaExecutionRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: + - lambda.amazonaws.com + Action: + - sts:AssumeRole + Path: / + Policies: + - PolicyName: root + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - logs:CreateLogGroup + - logs:CreateLogStream + - logs:PutLogEvents + Resource: arn:aws:logs:*:*:* + - Effect: Allow + Action: + - ec2:DescribeVpcEndpointServiceConfigurations + - ec2:DescribeVpcEndpointServicePermissions + - ec2:DescribeVpcEndpointServices + Resource: "*" + + DescribeGWLBEService: + Type: AWS::Lambda::Function + Properties: + Handler: "index.handler" + Role: !GetAtt + - DescribeGWLBEServiceLambdaExecutionRole + - Arn + Code: + ZipFile: | + import boto3 + import cfnresponse + import json + import logging + import time + def handler(event, context): + logger = logging.getLogger() + logger.setLevel(logging.INFO) + responseData = {} + responseStatus = cfnresponse.FAILED + logger.info('Received event: {}'.format(json.dumps(event))) + + if event["RequestType"] == "Delete": + responseStatus = cfnresponse.SUCCESS + cfnresponse.send(event, context, 
responseStatus, responseData) + + if event["RequestType"] == "Create": + try: + VpceServiceId = event["ResourceProperties"]["Input"] + except Exception as e: + logger.info('VPC Endpoint Service Id retrieval failure: {}'.format(e)) + return + + try: + ec2 = boto3.client('ec2') + except Exception as e: + logger.info('boto3.client failure: {}'.format(e)) + return + + start_time = time.time() + elapsed_time = 0 + + while elapsed_time < 890: # Check every minute for up to 10 minutes, default 570 + try: + response = ec2.describe_vpc_endpoint_service_configurations( + Filters=[ + { + 'Name': 'service-id', + 'Values': [VpceServiceId] + } + ] + ) + except Exception as e: + logger.info('ec2.describe_vpc_endpoint_service_configurations failure: {}'.format(e)) + time.sleep(10) # Sleep for one minute before retrying + elapsed_time = time.time() - start_time + continue + + ServiceName = response['ServiceConfigurations'][0]['ServiceName'] + logger.info('service name: {}'.format(ServiceName)) + responseData['Data'] = ServiceName + responseStatus = cfnresponse.SUCCESS + cfnresponse.send(event, context, responseStatus, responseData) + return + + # If we reach this point, it means 10 minutes have passed without success + logger.info('Timed out after 10 minutes') + responseStatus = cfnresponse.FAILED + responseData['Error'] = 'Timed out after 10 minutes' + cfnresponse.send(event, context, responseStatus, responseData) + Runtime: python3.12 + Timeout: 900 #default 900 line 526 =570 before + + GWLBESerivceName: + Type: Custom::DescribeVpcEndpointServiceConfigurations + Properties: + ServiceToken: !GetAtt DescribeGWLBEService.Arn + Input: !Ref GWLBEService + +# ---------------------------------------------------------------------------------------------------------------------- +# Security VPC - Gateway Load Balancer Endpoint +# ---------------------------------------------------------------------------------------------------------------------- + + GWLBEAZ1: + Type: 
AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref SecurityVPC + ServiceName: !GetAtt GWLBESerivceName.Data + VpcEndpointType: GatewayLoadBalancer + SubnetIds: [ !Ref GWLBESubnetAZ1 ] + +# ---------------------------------------------------------------------------------------------------------------------- +# Security VPC - Management & Data Security Group +# ---------------------------------------------------------------------------------------------------------------------- + + VMSeriesManagementSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + VpcId: !Ref SecurityVPC + GroupName: !Sub "${SecurityNamePrefix}-VM-Series-Management" + GroupDescription: VM-Series Management Security Group + SecurityGroupIngress: + - CidrIp: !Ref RemoteManagementCIDR + FromPort: 22 + ToPort: 22 + IpProtocol: tcp + - CidrIp: !Ref RemoteManagementCIDR + FromPort: 443 + ToPort: 443 + IpProtocol: tcp + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VM-Series Management" + + VMSeriesDataSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + VpcId: !Ref SecurityVPC + GroupName: !Sub "${SecurityNamePrefix}-VM-Series-Data" + GroupDescription: VM-Series GWLB Management Security Group + SecurityGroupIngress: + - IpProtocol: udp + FromPort: 6081 + ToPort: 6081 + CidrIp: !Ref SecurityVPCVMSeriesDataSubnetCIDRAZ1 + SecurityGroupEgress: + - IpProtocol: '-1' # All protocols + CidrIp: 0.0.0.0/0 # All IPs + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VM-Series Data" + + VMSeriesPublicSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + VpcId: !Ref SecurityVPC + GroupName: !Sub "${SecurityNamePrefix} VM-Series Public" + GroupDescription: VM-Series GWLB Data Security Group + SecurityGroupIngress: [] + SecurityGroupEgress: + - IpProtocol: '-1' # All protocols + CidrIp: '0.0.0.0/0' # All IPs + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VM-Series Public" + + +# 
====================================================================================================================== +# Outputs +# ====================================================================================================================== + +Outputs: + + GWLBServiceId: + Description: GWLB Service ID for use for additional GWLB Endpoints + Value: !GetAtt GWLBESerivceName.Data + Export: + Name: GWLBServiceId + + KeyName: + Description: The SSH KeyPair Name + Value: !Ref KeyName + + TgwId: + Description: The ID of the Transit Gateway + Value: !Ref TransitGateway + Export: + Name: TgwId + + TgwSpokeRouteTableId: + Description: The ID of the Spoke Transit Gateway Route Table + Value: !Ref TGWSpokeRouteTable + Export: + Name: TgwSpokeRouteTableId + + TgwSecurityRouteTableId: + Description: The ID of the Security Transit Gateway Route Table + Value: !Ref TGWSecurityRouteTable + Export: + Name: TgwSecurityRouteTableId + + SecurityVPC: + Description: The ID of the Security VPC + Value: !Ref SecurityVPC + Export: + Name: SecurityVPC + + GWLB: + Description: The ID of the GWLB + Value: !Ref GWLB + Export: + Name: GWLB + + VMSeriesManagementSecurityGroup: + Description: The ID of the VMSeriesManagementSecurityGroup + Value: !Ref VMSeriesManagementSecurityGroup + Export: + Name: VMSeriesManagementSecurityGroup + + NATGWSubnetAZ1: + Description: The ID of the NATGWSubnetAZ1 + Value: !Ref NATGWSubnetAZ1 + Export: + Name: NATGWSubnetAZ1 + + VMSeriesPublicSecurityGroup: + Description: The ID of the VMSeriesPublicSecurityGroup + Value: !Ref VMSeriesPublicSecurityGroup + Export: + Name: VMSeriesPublicSecurityGroup + + VMSeriesDataSecurityGroup: + Description: The ID of the VMSeriesDataSecurityGroup + Value: !Ref VMSeriesDataSecurityGroup + Export: + Name: VMSeriesDataSecurityGroup + + VMSeriesDataSubnetAZ1: + Description: The ID of the VMSeriesDataSubnetAZ1 + Value: !Ref VMSeriesDataSubnetAZ1 + Export: + Name: VMSeriesDataSubnetAZ1 
diff --git a/AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-vmseries.yaml b/AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-vmseries.yaml new file mode 100644 index 0000000..5ec28bf --- /dev/null +++ b/AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-vmseries.yaml 
@@ -0,0 +1,451 @@
+AWSTemplateFormatVersion: "2010-09-09"
+
+Description: >-
+ VM-Series Deployment Stack into existing VPC / GWLB.
+
+# ======================================================================================================================
+# Parameters / Maapings
+# ======================================================================================================================
+
+# Updated to 11.0.2-h1 Custom AMIs
+Mappings:
+ PANFWRegionMap:
+ eu-north-1:
+ AMI: ami-04527e8b09f7eb406
+ eu-west-1:
+ AMI: ami-0a44de9db9dd95a6c
+ us-east-1:
+ AMI: ami-06899917ae226f293
+ us-east-2:
+ AMI: ami-0fd909759c03f961d
+ us-west-1:
+ AMI: ami-09dd60214faaafc71
+ us-west-2:
+ AMI: ami-04d4a07840a04301c
+
+Parameters:
+# KeyPair Parameter
+ KeyName:
+ Type: String
+ Description: Name of the KeyPair used for EC2 instances
+ ConstraintDescription: 'Must be the name of an existing EC2 KeyPair.'
+ Default: lab-key-pair
+
+# Naming Prefix
+ SecurityNamePrefix:
+ Type: String
+ Description: Prefix to be used for naming / tagging resources
+ ConstraintDescription: 'String for naming.'
+ Default: Security
+
+# Management Network CIDR
+ RemoteManagementCIDR:
+ Description: >-
+ Remote Management CIDR to be allowed management access to VM-Series Firewall (e.g. 192.168.0.0/25)
+ Type: String
+ Default: 0.0.0.0/0
+ AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})
+ ConstraintDescription: Must be a valid CIDR (e.g. 0.0.0.0/0)
+
+ SourceS3BucketName:
+ Description: >-
+ Source bucket with bootstrap content intended to be used for Jam Session / AWS Events platform. Objects here will be be copied to new bucket in appropriate bootstrap structure
+ Type: String
+ AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$|^$
+ ConstraintDescription: Must be a valid S3 Bucket name or left blank for no Bootstrap.
+ Default: __source_s3_bucket_name__ + + SourceS3BucketPath: + Type: String + Description: Name of the path in the S3 bucket where the bootstrap content is located. Should match the Jam Session ID + ConstraintDescription: 'Must match the Jam Session ID.' + Default: panw-vmseries-gwlb + +# ====================================================================================================================== +# Metadata +# ====================================================================================================================== + +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - + Label: + default: "VM-Series Deployment" + Parameters: + - VMSeriesAMI + - VMSeriesInstanceType + - SecurityNamePrefix + - KeyName + - SourceS3BucketName + - SourceS3BucketPath + - RemoteManagementCIDR + + ParameterLabels: + VMSeriesAMI: + default: "AMI ID of VM-Series" + VMSeriesInstanceType: + default: "EC2 Instance Type for VM-Series" + RemoteManagementCIDR: + default: "IP CIDR for Allowed Remote Management of the VM-Series" + SecurityNamePrefix: + default: "Prefix to be used in naming resrouces in Security VPC" + +# ====================================================================================================================== +# Resources +# ====================================================================================================================== + +Resources: + +# ---------------------------------------------------------------------------------------------------------------------- +# Gateway Load Balancer Target Group +# ---------------------------------------------------------------------------------------------------------------------- + + GWLBTargetGroup: + Type: AWS::ElasticLoadBalancingV2::TargetGroup + Properties: + Name: !Sub "${SecurityNamePrefix}-VM-Series" + Port: 6081 + Protocol: GENEVE + HealthCheckPort: 80 + HealthCheckProtocol: TCP + TargetGroupAttributes: + - Key: deregistration_delay.timeout_seconds + Value: 20 + VpcId: 
!ImportValue SecurityVPC + + TargetType: instance + Targets: + - Id: !Ref VMSeriesInstanceAZ1 + Tags: + - Key: Name + Value: "GWLB VM-Series" + + GWLBListener: + Type: AWS::ElasticLoadBalancingV2::Listener + Properties: + DefaultActions: + - Type: forward + TargetGroupArn: !Ref GWLBTargetGroup + LoadBalancerArn: !ImportValue GWLB + +# ---------------------------------------------------------------------------------------------------------------------- +# VM-Series Bootstrap Resrouces +# ---------------------------------------------------------------------------------------------------------------------- + + BootstrapRole: + Type: 'AWS::IAM::Role' + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: ec2.amazonaws.com + Action: 'sts:AssumeRole' + Path: / + Policies: + - PolicyName: BootstrapRolePolicy + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: 's3:ListBucket' + Resource: !Join + - '' + - - 'arn:aws:s3:::' + - !Ref SampleS3Bucket + - Effect: Allow + Action: 's3:GetObject' + Resource: !Join + - '' + - - 'arn:aws:s3:::' + - !Ref SampleS3Bucket + - /* + BootstrapInstanceProfile: + Type: 'AWS::IAM::InstanceProfile' + Properties: + Path: / + Roles: + - !Ref BootstrapRole + AWSLambdaExecutionRole: + Type: 'AWS::IAM::Role' + Properties: + AssumeRolePolicyDocument: + Statement: + - Action: + - 'sts:AssumeRole' + Effect: Allow + Principal: + Service: + - lambda.amazonaws.com + Version: 2012-10-17 + Path: / + Policies: + - PolicyDocument: + Statement: + - Action: + - 'logs:CreateLogGroup' + - 'logs:CreateLogStream' + - 'logs:PutLogEvents' + Effect: Allow + Resource: 'arn:aws:logs:*:*:*' + Version: 2012-10-17 + PolicyName: !Sub '${AWS::Region}-AWSLambda-CW' + - PolicyDocument: + Statement: + - Action: + - 's3:PutObject' + - 's3:DeleteObject' + - 's3:List*' + Effect: Allow + Resource: + - !Sub 'arn:aws:s3:::${SampleS3Bucket}/*' + - !Sub 'arn:aws:s3:::${SampleS3Bucket}' + 
Version: 2012-10-17 + PolicyName: !Sub '${AWS::Region}-AWSLambda-S3' + - PolicyDocument: + Statement: + - Action: + - 's3:GetObject' + Effect: Allow + Resource: + - !Sub 'arn:aws:s3:::${SourceS3BucketName}/*' + Version: 2012-10-17 + PolicyName: !Sub '${AWS::Region}-AWSLambda-S3-Get' + RoleName: !Sub '${AWS::Region}-AWSLambdaExecutionRole' + SampleS3Bucket: + Type: 'AWS::S3::Bucket' + Properties: + BucketName: !Select + - '2' + - !Split + - / + - !Ref 'AWS::StackId' + + LambdaS3CustomResource: + Type: 'Custom::S3CustomResource' + DependsOn: AWSLambdaExecutionRole + Properties: + ServiceToken: !Ref AWSLambdaFunctionVersion + the_bucket: !Ref SampleS3Bucket + source_bucket: !Ref SourceS3BucketName + source_path: !Ref SourceS3BucketPath + FrontendGwlbeAz1: !ImportValue FrontendGwlbeAz1 + dirs_to_create: + - config + - content + - license + - software + + + AWSLambdaFunctionVersion: + Type: 'AWS::Lambda::Version' + Properties: + FunctionName: !Ref AWSLambdaFunction + + AWSLambdaFunction: + Type: 'AWS::Lambda::Function' + Properties: + Description: Create VM-Series bootstrap bucket from Jam source + FunctionName: !Sub '${AWS::Region}-lambda' + Handler: index.handler + Role: !GetAtt + - AWSLambdaExecutionRole + - Arn + Timeout: 360 + Runtime: python3.12 + Code: + ZipFile: | + import boto3 + import cfnresponse + import textwrap + + def handler(event, context): + # Init ... 
+ the_event = event['RequestType'] + print("The event is: ", str(the_event)) + response_data = {} + s_3 = boto3.client('s3') + + # Retrieve parameters + the_bucket = event['ResourceProperties']['the_bucket'] + dirs_to_create = event['ResourceProperties']['dirs_to_create'] + source_bucket = event['ResourceProperties']['source_bucket'] + source_path = event['ResourceProperties']['source_path'] + frontend_gwlbe_az1 = event['ResourceProperties']['FrontendGwlbeAz1'] + + try: + if the_event in ('Create', 'Update'): + print("Requested folders: ", str(dirs_to_create)) + for dir_name in dirs_to_create: + print("Creating: ", str(dir_name)) + s_3.put_object(Bucket=the_bucket, + Key=(dir_name + + '/')) + s3_copy = boto3.resource('s3') + + # Create init-cfg.txt dynamically + init_cfg_content = textwrap.dedent(f"""\ + type=dhcp-client + hostname=BrewGuardian-NGFW + ip-address= + default-gateway= + netmask= + ipv6-default-gateway= + vm-auth-key= + panorama-server= + panorama-server-2= + tplname= + dgname= + dns-primary=8.8.8.8 + dns-secondary=8.8.4.4 + authcodes= + plugin-op-commands=aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable,aws-gwlb-associate-vpce:{frontend_gwlbe_az1}@ethernet1/1.1 + op-command-modes=jumbo-frame,mgmt-interface-swap + op-cmd-dpdk-pkt-io=on + dhcp-send-hostname=yes + dhcp-send-client-id=yes + dhcp-accept-server-hostname=no + dhcp-accept-server-domain=yes + """) + s_3.put_object(Body=init_cfg_content, Bucket=the_bucket, Key='config/init-cfg.txt') + + copy_source = { + 'Bucket': source_bucket, + 'Key': source_path + '/bootstrap.xml' + } + s3_copy.meta.client.copy(copy_source, str(the_bucket), 'config/bootstrap.xml') + copy_source = { + 'Bucket': source_bucket, + 'Key': source_path + '/authcodes' + } + s3_copy.meta.client.copy(copy_source, str(the_bucket), 'license/authcodes') + elif the_event == 'Delete': + print("Deleting S3 content...") + b_operator = boto3.resource('s3') + b_operator.Bucket(str(the_bucket)).objects.all().delete() + # Everything 
OK... send the signal back + print("Operation successful!") + cfnresponse.send(event, + context, + cfnresponse.SUCCESS, + response_data) + except Exception as e: + print("Operation failed...") + print(str(e)) + response_data['Data'] = str(e) + cfnresponse.send(event, + context, + cfnresponse.FAILED, + response_data) + +# ---------------------------------------------------------------------------------------------------------------------- +# VM-Series Deployment +# ---------------------------------------------------------------------------------------------------------------------- + + VMSeriesManagementENIAZ1: + Type: AWS::EC2::NetworkInterface + Properties: + Description: VM-Series Management + GroupSet: [ !ImportValue VMSeriesManagementSecurityGroup ] + SubnetId: !ImportValue NATGWSubnetAZ1 + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VM-Series Management" + + VMSeriesManagementEIPAZ1: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VM-Series Management" + + VMSeriesManagementEIPAssociationAZ1: + Type: AWS::EC2::EIPAssociation + Properties: + AllocationId: !GetAtt VMSeriesManagementEIPAZ1.AllocationId + NetworkInterfaceId: !Ref VMSeriesManagementENIAZ1 + + VMSeriesPublicENIAZ1: + Type: AWS::EC2::NetworkInterface + Properties: + Description: VM-Series Public + GroupSet: [ !ImportValue VMSeriesPublicSecurityGroup ] + SubnetId: !ImportValue NATGWSubnetAZ1 + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VM-Series Public" + + VMSeriesPublicEIPAZ1: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VM-Series Public" + + VMSeriesPublicEIPAssociationAZ1: + Type: AWS::EC2::EIPAssociation + Properties: + AllocationId: !GetAtt VMSeriesPublicEIPAZ1.AllocationId + NetworkInterfaceId: !Ref VMSeriesPublicENIAZ1 + + VMSeriesDataENIAZ1: + Type: AWS::EC2::NetworkInterface + Properties: + Description: VM-Series GWLB Data - AZ1 + 
SourceDestCheck: false + GroupSet: [ !ImportValue VMSeriesDataSecurityGroup ] + SubnetId: !ImportValue VMSeriesDataSubnetAZ1 + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VM-Series Data" + VMSeriesInstanceAZ1: + Type: AWS::EC2::Instance + UpdateReplacePolicy: Delete + Properties: + DisableApiTermination: false + InstanceInitiatedShutdownBehavior: stop + EbsOptimized: true + ImageId: !FindInMap + - PANFWRegionMap + - !Ref 'AWS::Region' + - AMI + InstanceType: m5.large + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + VolumeType: gp2 + DeleteOnTermination: true + VolumeSize: 60 + Encrypted: true + KeyName: !Ref KeyName + Monitoring: false + Tags: + - Key: Name + Value: !Sub "${SecurityNamePrefix} VM-Series" + NetworkInterfaces: + - NetworkInterfaceId: !Ref VMSeriesManagementENIAZ1 + DeviceIndex: '1' + - NetworkInterfaceId: !Ref VMSeriesDataENIAZ1 + DeviceIndex: '0' + - NetworkInterfaceId: !Ref VMSeriesPublicENIAZ1 + DeviceIndex: '2' + IamInstanceProfile: !Ref BootstrapInstanceProfile + UserData: + Fn::Base64: + Fn::Join: + - ';' + - - "mgmt-interface-swap=enable" + - !Sub "vmseries-bootstrap-aws-s3bucket=${SampleS3Bucket}" + +# ====================================================================================================================== +# Outputs +# ====================================================================================================================== + +Outputs: + + KeyName: + Description: The SSH KeyPair Name + Value: !Ref KeyName diff --git a/AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-vmseries-gwlb-team-iam-policy.json b/AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-vmseries-gwlb-team-iam-policy.json new file mode 100644 index 0000000..dc94325 --- /dev/null +++ b/AWS-VMSeries-GWLB-CFT/cloudformationtemplates/aws-panw-vmseries-gwlb-team-iam-policy.json 
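Review bot: `RemoteManagementCIDR` defaults to `0.0.0.0/0` while `VMSeriesManagementENIAZ1` is given a public EIP and the imported management security group that, in the security stack, admits TCP 22 and 443 from that CIDR, so anyone who deploys with defaults puts the firewall's SSH and web UI on the open internet; the sample readme added in this same patch prints a fixed admin password, which turns that exposure into a ready-made takeover. Remove the `Default: 0.0.0.0/0` line so the operator must supply a narrow range and say so in the description: `Description: Remote Management CIDR allowed to reach the VM-Series management EIP (your own /32 or office range; never 0.0.0.0/0)`. `SampleS3Bucket` then receives bootstrap.xml, which carries password hashes and certificate key blobs, plus the license authcodes, yet it is created with no public-access block and no default encryption; the lines below add both, and the Lambda's existing Delete-time wipe still works unchanged.
```yaml
  SampleS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      # … unchanged: BucketName derived from AWS::StackId …
      # This bucket holds bootstrap.xml (account password hashes, certificate
      # private-key blobs) and license/authcodes: keep it private and encrypted.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
```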
@@ -0,0 +1,76 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "ec2:Describe*",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "elasticloadbalancing:Describe*",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "cloudwatch:ListMetrics",
+ "cloudwatch:GetMetricStatistics",
+ "cloudwatch:Describe*"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "autoscaling:Describe*",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DeleteTransitGatewayRoute",
+ "ec2:DisableTransitGatewayRouteTablePropagation",
+ "ec2:CreateRoute",
+ "ec2:DeleteRoute",
+ "ec2:EnableTransitGatewayRouteTablePropagation",
+ "ec2:ReplaceTransitGatewayRoute",
+ "ec2:ReplaceRoute"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:ExportTransitGatewayRoutes",
+ "ec2:GetTransitGatewayRouteTablePropagations",
+ "ec2:GetTransitGatewayAttachmentPropagations",
+ "ec2:GetTransitGatewayPrefixListReferences",
+ "ec2:GetTransitGatewayPolicyTableAssociations",
+ "ec2:GetSubnetCidrReservations",
+ "ec2:GetTransitGatewayMulticastDomainAssociations",
+ "ec2:GetTransitGatewayRouteTableAssociations",
+ "ec2:GetTransitGatewayPolicyTableEntries",
+ "ec2:SearchTransitGatewayRoutes"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ssm:GetConnectionStatus",
+ "ssm:ResumeSession",
+ "ssm:TerminateSession",
+ "ssm:StartSession"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ssm:DescribeInstanceInformation",
+ "ssm:DescribeSessions"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/AWS-VMSeries-GWLB-CFT/s3assets/authcodes b/AWS-VMSeries-GWLB-CFT/s3assets/authcodes
new file mode 100644
index 0000000..692cff4
--- /dev/null
+++ b/AWS-VMSeries-GWLB-CFT/s3assets/authcodes
@@ -0,0 +1 @@
+D6476548
diff --git a/AWS-VMSeries-GWLB-CFT/s3assets/bootstrap.xml b/AWS-VMSeries-GWLB-CFT/s3assets/bootstrap.xml
new file mode 100644
index 0000000..ad6fa33
--- /dev/null
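Review bot: The seventh statement grants `ssm:StartSession` on `"Resource": "*"`, which lets a lab participant open a Session Manager shell on every SSM-managed instance in the account rather than only the lab hosts, and the fifth statement allows `ec2:CreateRoute`/`ec2:ReplaceRoute`/`ec2:DeleteRoute` and the Transit Gateway route mutations on every route table, so a team can reroute traffic for VPCs that are not part of the lab. Scope the session statement to the lab instances, e.g. `"Resource": "arn:aws:ec2:*:*:instance/*"` with `"Condition": {"StringLike": {"ssm:resourceTag/Name": "Beer Store*"}}` (the tag value is inferred from the instance names in the readme; confirm what the templates actually tag), plus a second resource entry for the session document the lab uses. The route-mutation statement can be limited the same way with an `aws:ResourceTag` condition, or to the explicit ARNs of the tables the security stack exports (`TgwSpokeRouteTableId`, `TgwSecurityRouteTableId`). The `Describe*`/`Get*` read-only statements are fine as written.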
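Review bot: `D6476548` is committed as the VM-Series license auth code, and the bootstrap Lambda in aws-panw-gwlb-cfn-vmseries.yaml copies this file verbatim into `license/authcodes` of every bootstrap bucket, so anyone with read access to the repository or to a deployed bucket can redeem the entitlement it represents (assuming it is a live code rather than a sample). Keep a placeholder in the repo, e.g. `__vmseries_authcode__`, and have the setup step substitute the real value the way the `__source_s3_bucket_name__` default presumably is, or accept it as a `NoEcho` stack parameter that the Lambda writes into the file. If this code has already reached a public remote, treat it as burned and request a replacement.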
+++ b/AWS-VMSeries-GWLB-CFT/s3assets/bootstrap.xml 
@@ -0,0 +1,1371 @@ + + + + + + $5$orocpecl$7QCjNeKl9wHPVQditT9R5K9Dm1mWFDHgxG96EJiIbe3 + + + yes + + + 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 + + + + + + apiadmin + + + + $5$ufpyldiy$UseRElSc4.exQmd/Pf/vM7jckgnAdj6AgH9lrFAfff7 + + + + + + + + + + + + + yes + 5 + + + yes + 5 + + + yes + 5 + + + yes + 10 + + + yes + 5 + + + + yes + + + + 10 + 10 + + 100 + 50 + + + + 10 + 10 + + 100 + 50 + + + + + + 100 + yes + + + + + + + + + enable + + + + + + + + + c0542737 + c0542737 + Sep 19 22:02:47 2022 GMT + aws-jam-pan + Sep 19 22:02:47 2023 GMT + aws-jam-pan + 1695160967 + yes + aws-jam-pan + -----BEGIN CERTIFICATE----- +MIIC7zCCAdegAwIBAgIUJ80bMPtUHYNIJkYll2z6caWkgUUwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLYXdzLWphbS1wYW4wHhcNMjIwOTE5MjIwMjQ3WhcNMjMw +OTE5MjIwMjQ3WjAWMRQwEgYDVQQDDAthd3MtamFtLXBhbjCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAO3xOHCBI/Osyc5fCzugD32Y+cv/hAeFdPIp5XCY +DPO51oKhfrhBmATnVk6TauN9D9KL2NugMPZZTl9gg+A2XHCsbY/1SZWOl2rd9R8c +1HzFjMWOowA475AH0voDKCM6WoF+BaSs3Yo/V1S4yEYCNk//6DQMq2J27tl58e7X +bKSwF7U1XzDSlZeTdo37suWS3r+19+WbSZ51awZOWWz4Sc3ESrGrEuVPMAc59jon +/bwLwDAbvra9ALrEHKaA2noL5T0OdETtEOxOkECpacvciQZAsQlG4EhN67+ts6fz +Z/OhE1inZsrC9+h1PCTAI6fmEebp3uC2pIO0c9Ug+G1XnDsCAwEAAaM1MDMwDAYD +VR0TBAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILcGFuLWphbS1wYW4w +DQYJKoZIhvcNAQELBQADggEBADfxmLLV22oK1bjIFEVrGt9nAdSE3a6EHOfrI4t2 +QxHoPZXzIxEHbO200ioLqKotoZ21/exPv2v+z/6lX8ynqMwSEItQutVjQ6HH4t3/ +Hf7yva+tYfhkrjQSDEAK7N/Ne54F5Oq8rIwXyx8DQ/l7fQWXb9XUVk88o5bpblv9 +NRcGJU6r70Q0MD//9CcOQPihS6shQcsf9NHr3fb6AvLLdFufODhqdo7gYPYefBrV +lkMohz1P26eNZp9mDxrWRJ0sZJeCvw5YMo12cN+hb2ncjdzsYuDlccWk1ItITTRK +RzZTg6F3RhZMOMfm0Co59Zl4otcQYEJXOL9BlJrx8mot+xQ= +-----END CERTIFICATE----- + + RSA + -AQ==8FHErBAt+yHUIudjfdHT0/93eNA=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 + + + 45e914f0 + 45e914f0 + Sep 19 22:14:43 2022 GMT + UNTRUST + Sep 19 22:14:43 2023 GMT + UNTRUST + 1695161683 + yes + UNTRUST + -----BEGIN CERTIFICATE----- 
+MIICzzCCAbegAwIBAgIUD2I/CdHONbnQiR8Lk9RC6ecwfeswDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVU5UUlVTVDAeFw0yMjA5MTkyMjE0NDNaFw0yMzA5MTky +MjE0NDNaMBIxEDAOBgNVBAMMB1VOVFJVU1QwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDTrm1l2N2baQy0A2kH4N2pBhMQ5CE7+ZVdXioXSbUWiX4uAUyG +qCS3N3HW1PknTTR6fmJfGA9kyB5Owni44z+fP2aPhk/7HtvzgFH/WXFLJr82weqo +TLXp7PlmIJ+Q7z5vl/l1RUrfElfVbbjcVFyBFAYmnrmdvIvs+T+G0CSq1xuUz/9V +TSFvw6VPVQgdvaOnSKd9Ix2iTXtjEqIO8tSj9HhxBsfVlnjFQ0635MTx36MCMyb2 +Tar/XbkcIQ5Ap6J/9ZxUgYo4dkf7mQK/gla1vtujYMeKSUFTbj4XUPzykrx8u+iT +GySuZkzZ0MRVetz8ynfLN+10u4AfhFa0H6SHAgMBAAGjHTAbMAwGA1UdEwQFMAMB +Af8wCwYDVR0PBAQDAgIEMA0GCSqGSIb3DQEBCwUAA4IBAQDOTEbWER+bTcr+3CFN +5kUP446dXkNZWMPt2+TEtSF43zN4DlSqtAK7nj3HrD5n5DQjxNePjtt9TNK3y+4B +PPGrkg5DN1aFtbdE79gWh/RHeX1UO2CMG4rsYZFyIk0u+sY9JetLJtI6OY11cy7J +56Ry6PEVopEPPQ+YTEayPKxnFHJ07gBAaBcnhCpizLGyC1NvAZAX+iye3O+S0lSv +4j5m0zfzHYguRC92Ljzt1KuwPE9JnddflMq+2q6zUU9BLvTAuu6awm4eJE3fbWek +j/2KjM33Yzd/ff0qsfEMHmNrQaUZlf21MUDs291Xmrr0NUbjHqEzDQGyKxBU4aCv +Iwyg +-----END CERTIFICATE----- + + RSA + -AQ==TnkwOp9ykV8BjzuoTTgjlA4wiJY=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 + + + + + aws-jam-pan + + + UNTRUST + + + + + + + + + + + + + no + + + no + + + + no + + + no + + + no + + + + + + + no + + + + + no + + + no + + + no + + 1 + + + + + + + + + yes + + + no + + + + no + + + no + + + no + + + + + + + + + 3 + 5 + wait-recover + + + + + + + + + aes-128-cbc + 3des + + + sha1 + + + group2 + + + 8 + + + + + aes-128-cbc + + + sha256 + + + group19 + + + 8 + + + + + aes-256-cbc + + + sha384 + + + group20 + + + 8 + + + + + + + + aes-128-cbc + 3des + + + sha1 + + + group2 + + 1 + + + + + + aes-128-gcm + + + none + + + group19 + + 1 + + + + + + aes-256-gcm + + + none + + + group20 + + 1 + + + + + + + aes-128-cbc + + + sha1 + + + + + + + + + + + + + real-time + + + high + + + high + + + medium + + + medium + + + low + + + low + + + low + + + + + + + + + + + + no + + + 1.25 + 0.5 + 900 + 300 + 900 + yes + + + + + yes + + + + + no + + + no + + + no + 
+ + + ethernet1/1 + ethernet1/1.1 + ethernet1/2 + + + + + + + + + + + + 10.0.0.49 + + + None + + + no + any + 2 + + ethernet1/1 + 10 + 10.0.0.0/8 + + + + + + + no + any + 2 + + + 10.0.0.1 + + + None + + ethernet1/2 + 10 + 0.0.0.0/0 + + + + + + + + + + + + + 10.0.0.99 + 255.255.255.0 + updates.paloaltonetworks.com + + + + + 0 + download-and-install + + + + + US/Pacific + + yes + yes + + 10.0.0.1 + BrewGuardian-NGFW + + + 8.8.8.8 + 8.8.4.4 + + + + + yes + yes + no + yes + + + yes + + + + yes + + + FQDN + + 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 + + + yes + yes + no + yes + + + BrewGuardian-NGFW + 8.8.8.8 + 8.8.4.4 + jumbo-frame,mgmt-interface-swap + + + + + + + + + + + + + ethernet1/2 + + + + + + + ethernet1/1 + + + + + + + ethernet1/1.1 + + + + + + + + + 22 + + + + + + + 221 + + + + + + + 222 + + + + + + + + + + + + any + + + internal + + + Beer Store Data VPC + + + any + + + any + + + any + + + ping + + + application-default + + no + yes + allow + + any + + + any + + + + + external + + + internal + + + Beer Store Data VPC + + + any + + + any + + + any + + + web-browsing + + + application-default + + no + yes + deny + + any + + + any + + + + + Alert + + + alert + + + alert + + + + + + + internal + + + internal + + + Beer Store Frontend VPC + + + Beer Store Data VPC + + + any + + + any + + + ssh + + + any + + no + yes + deny + + any + + + any + + This rule is blocking SSH traffic because they don't need to talk over SSH + + + + Alert + + + alert + + + + + + + external + + + frontend + internal + + + any + + + any + + + any + + + any + + + any + + + any + + yes + yes + allow + + any + + + any + + + + + alert + + + Alert + + + + + + + frontend + + + frontend + + + any + + + any + + + any + + + any + + + any + + + any + + + any + + + any + + allow + + + + alert + + + + + + + internal + + + internal + + + any + + + any + + + any + + + any + + + any + + + any + + no + yes + allow + + + + alert + + + + + any + + + any + + + + + any + + + any + + + any + + + 
any + + + any + + + any + + + ping + + + application-default + + no + yes + allow + + any + + + any + + + + + any + + + any + + + any + + + any + + + any + + + any + + + any + + + any + + yes + yes + deny + + any + + + any + + + + + + + + + + + ethernet1/2 + + + + + external + + + internal + + + any + + + any + + any + ipv4 + + + + + + + allow + no + yes + + + deny + no + yes + + + + + + + + + + + any + + + service-https + + + internal + + + external + + + Beer Store Frontend VPC + + + any + + + any + + + any + + + any + + decrypt + yes + default + yes + + + + + + + + + + + + + + + any + + + critical + + + any + + any + client + any + disable + + + + + + + any + + + high + + + any + + any + client + any + disable + + + + + + + any + + + medium + + + any + + any + client + any + disable + + + + + + + any + + + critical + + + any + + any + server + any + disable + + + + + + + any + + + high + + + any + + any + server + any + disable + + + + + + + any + + + medium + + + any + + any + server + any + disable + + + + + + + + + + WW's profile + + + + + + + + + any + + + any + + + any + + any + any + any + disable + + + + + + + + yes + + + + + medium + + abortion + abused-drugs + adult + gambling + phishing + + + command-and-control + grayware + hacking + malware + questionable + ransomware + weapons + + + + abused-drugs + adult + command-and-control + cryptocurrency + gambling + grayware + hacking + high-risk + malware + medium-risk + newly-registered-domain + phishing + questionable + ransomware + real-time-detection + weapons + + + + + high-risk + medium-risk + newly-registered-domain + cryptocurrency + real-time-detection + artificial-intelligence + + yes + + adult + questionable + abused-drugs + hacking + gambling + weapons + malware + phishing + command-and-control + grayware + ransomware + scanning-activity + + + + + + + + + + + + critical + + any + any + disable + + + + + + + high + + any + any + disable + + + + + + + medium + + any + any + disable + + + + + + + 
low + + any + any + disable + + + + + + + + + disable + + + + + default + default + disable + + + default + default + disable + + + default + default + disable + + + default + default + disable + + + default + default + disable + + + default + default + disable + + + default + default + disable + + + default + default + disable + + + default + default + disable + + + + + + alert + + + alert + + + alert + + + alert + + + alert + + + + + +
+ + 10.1.0.0/16 + + + 10.2.0.0/16 + + + 10.2.1.100 + +
+ + + + ethernet1/1 + ethernet1/2 + ethernet1/1.1 + + + +
+
+
+
+
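Review bot: This configuration commits live secret material: `$5$orocpecl$...` and `$5$ufpyldiy$...` are password hashes for two local accounts (the first presumably the `admin` login the readme uses, the second `apiadmin`), and the `-AQ==...` values following each `RSA` entry look like PAN-OS-encrypted private keys for the `aws-jam-pan` and `UNTRUST` certificates that the `decrypt` rule on `service-https` appears to use as forward-trust/untrust CAs. Because the readme in the same patch publishes the matching admin password, the hash offers no protection, and both certificates show a `Sep 19 ... 2023 GMT` expiry that is already past at this commit, so the forward-proxy rule would present expired CA certificates (verify on a deployed instance). Either generate the admin credential, API user and CAs per deployment (the Lambda that already writes init-cfg.txt is a natural place) or at minimum mark the file: `<!-- LAB ONLY: throwaway credentials and expired self-signed CAs; regenerate before any non-lab use -->`. The IKE/IPsec profiles listing `3des`, `sha1` and `group2` look like PAN-OS defaults with no tunnel referencing them, so they are not blocking.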
diff --git a/AWS-VMSeries-GWLB-CFT/s3assets/init-cfg.txt b/AWS-VMSeries-GWLB-CFT/s3assets/init-cfg.txt
new file mode 100644
index 0000000..9b1bd46
--- /dev/null
+++ b/AWS-VMSeries-GWLB-CFT/s3assets/init-cfg.txt
@@ -0,0 +1,20 @@
+type=dhcp-client
+hostname=BrewGuardian-NGFW
+ip-address=
+default-gateway=
+netmask=
+ipv6-default-gateway=
+vm-auth-key=
+panorama-server=
+panorama-server-2=
+tplname=
+dgname=
+dns-primary=8.8.8.8
+dns-secondary=
+authcodes=
+op-command-modes=jumbo-frame,mgmt-interface-swap
+op-cmd-dpdk-pkt-io=on
+dhcp-send-hostname=yes
+dhcp-send-client-id=yes
+dhcp-accept-server-hostname=no
+dhcp-accept-server-domain=yes
diff --git a/AWS-VMSeries-GWLB-CFT/sample/samplereadme1.md b/AWS-VMSeries-GWLB-CFT/sample/samplereadme1.md
new file mode 100644
index 0000000..5194e01
--- /dev/null
+++ b/AWS-VMSeries-GWLB-CFT/sample/samplereadme1.md
@@ -0,0 +1,81 @@
+The "Hop & Code" owners are convinced that our competitor “Sneaky Suds” is exfiltrating our secret recipes.
+
+Your Application development team found some very strange behaviour on the Beer Database Server and asked you to have a deeper look into it to figure out what's going on. After some investigations, you realized that no outbound traffic gets analyzed by the Palo Alto Networks Firewall. That's something that we have to fix.
+
+You started the journey by conducting a comprehensive audit of the existing AWS infrastructure. With a discerning eye, you created a detailed diagram of the AWS environment. You mapped out the route tables of every VPC and the Transit Gateway.
+
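Review bot: Nothing in this patch consumes this file: the bootstrap Lambda in aws-panw-gwlb-cfn-vmseries.yaml builds `config/init-cfg.txt` from an inline template and copies only `bootstrap.xml` and `authcodes` from the source bucket, and the two versions already disagree (`dns-secondary=` is empty here but `8.8.4.4` in the Lambda, and the Lambda adds a `plugin-op-commands=aws-gwlb-inspect:...` line this file lacks). Two sources of truth for the firewall's first-boot configuration will keep drifting, so either have the Lambda copy this file and inject only the `aws-gwlb-associate-vpce` value, or delete it. If it stays, state in the README that it is a reference copy and that the deployed init-cfg.txt is generated by the Lambda, and note that `vm-auth-key=` and `authcodes=` are intentionally blank because licensing comes from `license/authcodes` (presumably; confirm).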
+

Full Starting Diagram with Route Tables

+
+ + +## Task + +**Redirect all outbound traffic from the Beer Store Data Database Server to the Palo Alto Networks Firewall** + +1. First, login to the Firewall. (**Helpful Info Section**) + +2. Check the Firewall Monitor traffic logs to verify if you can see any traffic from the Beer Store Data Database Server. ((**Helpful Info Section**) + +3. Update AWS routing to redirect the Beer Store Data Database Server outbound traffic for inspection by VM-Series through the Transit Gateway.
+
+ +## Task Validation + +- Once you made the appropriate changes in the AWS routing you can log into the **Beer Store Data Database Server** via the SSM service and test with the **curl** command if the EC2 instance has internet access. + - example curl command **sudo curl www.google.de** + + +- If the curl command isn't working in the **Beer Store Data Database Server**, check the Palo Alto Networks Firewall Monitor Logs to see which Application is now blocked from the Firewall. + +- You should see the following example log in the firewall monitoring. By adding the following filter **( zone.src eq internal ) and ( zone.dst eq external )** into the Monitor Logs filter bar.
+ Some fields in the example log were removed. +

VPC Logs

+
+ +- Input the Name of the blocked Application in the answer field to complete the task.
+
+ +## Helpful Info +**To Login into the VM Series Firewall Web UI** +- Identify the Elastic IP (Security VM-Series Management) of the EC2 Instance named "Security VM-Series" +- Open a browser window and navigate to https://("Security VM-Series-EIP") +- Login with the following credentials: + - Username: admin + - Password: Pal0Alt0@123 + +**How to see the Traffic Logs inside the Firewall** +- Login into the firewall +- Inside the firewall navigate to Monitor -> Traffic +- See the following picture as an example

Monitor Logs

+- In the Monitor Traffic window change the refresh timer from **Manual** to **10 seconds** by clicking on the dropdown field on the top right as the picture below shows +

Monitor Logs

+ + +**Login into the Beer Store Data Database Server** +- Use the Session Manager to log into the Server +- The name of the VM is "Beer Store Data Database" + +**How to find the server's private IP?** +- On the AWS Console go to EC2 +- On the EC2 Dashboard click on Instances +- The following EC2 instances are used by the lab: + - Beer Store Data Database + - Beer Store Frontend Webserver + - Security VM-Series (Palo Alto Networks Firewall)
+
+ +## Inventory +- Palo Alto Networks NGFW VM-Series +- Amazon EC2 +- Amazon VPC +- AWS Systems Manager (SSM) +- AWS Lambda +- AWS AWS Tranist Gateway +- AWS Gateway Load Balancer
+
+ +## Services You Should Use +- Palo Alto Networks NGFW VM-Series +- Amazon EC2 +- Amazon VPC (Route tables)
diff --git a/AWS-VMSeries-GWLB-CFT/samplereadme.md b/AWS-VMSeries-GWLB-CFT/samplereadme.md new file mode 100644 index 0000000..9ada70f --- /dev/null +++ b/AWS-VMSeries-GWLB-CFT/samplereadme.md @@ -0,0 +1,324 @@ +# aws-panw-vmseries-cft-deployment + +This GitHub repository contains CloudFormation templates designed to deploy a lab environment featuring Palo Alto's VM-Series firewall integrated with AWS Gateway Load Balancer. The primary goal of this lab is to provide hands-on experience in setting up and configuring network security measures to protect digital assets. The lab aims to simulate various network security scenarios and provides a structured environment for users to practice configuring and managing network security policies. + +The lab consists of multiple use cases, each addressing specific network security tasks and validations. In this lab we are deploying a single instance of VM-Series firewall and not using autoscale service. + +**Duration**: It will take approximately 2 hours to successfully complete this lab. + +**Note**: After completion of lab please make sure to run the **cleanup steps** mentioned towards the end of this guide to remove the resources, even if you are not able to complete it please execute the cleanup to remove all the resources. + +## Outline + +
+

Full Starting Diagram with Route Tables

+
+ +- aws-panw-gwlb-cfn-root.yaml. This is the root stack that will be deployed. The other template files are nested from this one. + + +You can set up this environment in the following way: + +### Rapid S3 Setup + +**Note:** You will need access to AWS CloudShell for this mode of setup. + +1. Login to the AWS Console and change to the region of your choosing. Supported regions are: + - eu-north-1 + - eu-west-1 + - us-east-1 + - us-east-2 + - us-west-1 + - us-west-2 +2. Open AWS CloudShell, wait for the CLI prompt to show up. +3. Clone the github repository. +``` +git clone https://github.com/AfrahAyub/panw-aws-jam-challenge-resources.git && cd panw-aws-jam-challenge-resources +``` +4. Run the setup command. +``` +./setup-cft.sh +``` + +Once the script completes execution, you should be able to see the output as shown below. +``` +Setup completed successfully. Please proceed to CFT deployment. +Please use the below Template URL for CFT deployment. +TEMPLATE_URL = https://panw-aws-resources-506b9ea8-ce65-4416-8f5d-288991b33a30.s3.us-east-1.amazonaws.com/panw-vmseries-gwlb/aws-panw-gwlb-cfn-root.yaml +``` +5. Please create a new EC2 key pair in the region where you are going to deploy the setup script and once you have uploaded the setup script please rename the EC2 key pair and provide the name of the key-pair that you have generated + + +## Please go through the following cases in order to run the Use Cases + + +## Use Case 1: Inspect outbound traffic using VM Series + +In this Use Case we will be redirecting outbound traffic from the **Beer Store Data Database Server** to the **Palo Alto Networks** firewall for inspection. This involves AWS routing adjustments and verifying traffic logs on the firewall. Read the following in order to run the Use Case 1: +## Task + +**Step 1**- In this step we will Update AWS routing to redirect the Beer Store Data Database Server outbound traffic for inspection by VM-Series through the "Transit Gateway". 
Please go through the follwoing steps: + + 1: In this step we will check the VPC Route Table to check if the Route Tables of the Beer Store Data VPC is pointing to + the correct resource + + 2: The Traffic will not be shown in the firewall at first, to see the traffic in the Firewall monitoring. Please do the + following: + + 1. Login into the AWS console + 2. Go to VPC + 3. Select in filter by VPC field the "Beer Store Data VPC" + 4. Next, go to route tables and select the "Beer Store Data Private route table" + 5. In the route table click on routes (see below) +
+

+
+ 6. Click Edit routes and do the following changes: + + 1. Remove the route 10.0.0.0/8 -> Target TGW + 2. Change the route 0.0.0.0/0 -> TGW + 3. Click Save + +7. Once you made the changes your route should look like the example below +
+

+
+ +**Step 2**- Now login to the firewall. Go through the following steps: + + - Identify the Elastic IP (Security VM-Series Management) of the EC2 Instance named "Security VM-Series" to find the server's private IP. + 1. On the AWS Console go to EC2 + 2. On the EC2 Dashboard click on Instances + 3. The following EC2 instances are used by the lab: + - Beer Store Data Database + - Beer Store Frontend Webserver + - Security VM-Series (Palo Alto Networks Firewall) + + + - Open a browser window and navigate to https://("Security VM-Series-EIP") + - Login with the following credentials: + - Username: admin + - Password: Pal0Alt0@123 +
+ +**Step 3**- Now we will do the following steps in order to run the attack: +- Once you made the appropriate changes in the AWS routing you can log into the **Beer Store Data Database Server** via the SSM service and test with the **curl** command if the EC2 instance has internet access. + - example curl command **sudo curl www.google.de** + - To Login into the Beer Store Data Database Server: + - Use the Session Manager to log into the Server + - The name of the VM is "Beer Store Data Database" + +- If the curl command isn't working in the **Beer Store Data Database Server**, check the Palo Alto Networks Firewall Monitor Logs to see which application is now blocked from the Firewall. + +- You should see the following example log in the firewall monitoring. By adding the following filter **( zone.src eq internal ) and ( zone.dst eq external )** into the Monitor Logs filter bar.
+ Some fields in the example log were removed. +

VPC Logs

+
+ +**Step 4**- Check the "Firewall Monitor" traffic logs to verify if you can see any traffic from the Beer Store Data Database Server. To see the Traffic Logs inside the firewall: +- Login into the firewall +- Inside the firewall navigate to Monitor -> Traffic +- See the following picture as an example

Monitor Logs

+- In the :Monitor: Traffic" window change the refresh timer from **Manual** to **10 seconds** by clicking on the dropdown field on the top right as the picture below shows +

Monitor Logs

+ +
+
+ +This is the end of first Use Case. +
+ +## Use Case 2: Inspect east-west traffic using VM-Series + +In this Use Case we will have VM-Series firewall inspect east-west traffic between the **Beer Store Data Database Server** and the **Beer Store Frontend Webserver**. As a part of this task we will update the AWS routing and also check the firewall logs. Read the following in order to run the Use Case 2: +## Task + +1. As the first step let's check the traffic between the Beer Store Data Database Server and the Beer Store Frontend Webserver. You can add the following filter into the Firewall Monitor **( zone.src eq internal ) and ( zone.dst eq internal )** +2. There should not be logs seen on the firewall, so let's update the AWS routing. Please go through the following steps: + +**Step 1**: To make changes in the AWS routing we will do the following: + 1. Login into the AWS console + 2. Go to VPC Services and select under Transit Gateways the Transit gateway route tables +
+

+
+ + 3. Select the Spoke TGW Route Table + 4. In the Route table click on Propagations +
+

+
+ + 5. Select each propagations one by one and click delete propagations. Repeat it until both are deleted. + 6. Your TGW Route table should looks like the following after the deletion +
+

+
+ +**Step 2**: To find the logs inside the "Firewall: Monitor": + 1. Log into the Palo Alto Networks VM-Series Firewall + 2. Go to Monitor -> Traffic +
+

+ +
+ +Note: The attack is being automatically generated. + + 3. In the Filter field paste the the following filter ( zone.src eq internal ) and ( zone.dst eq internal ) and ( app eq ssh ) +
+

+
+ +**Step 3**: + 1. In the Monitor logs have a look at the column "TO PORT". +
+

+
+ + 2. Once you made the appropriate changes in AWS check if can see now traffic between the **Beer Store Data Database Server** and the **Beer Store Frontend Webserver** by typing the following filter in the "Firewall: Monitor" **( zone.src eq internal ) and ( zone.dst eq internal )** + + 3. You should be able to see the following Monitor Logs inside the Firewall +

SSH Logs

+
+ +This is the end of second Use Case. +
+ +## Use Case 3: Inspect inbound traffic using VM-Series + +In this Use Case the VM-Series firewall will inspect inbound traffic towards the **Beer Frontend VPC**. As a part of this task we will be redirecting traffic, checking logs, identifying vulnerabilities, and updating firewall settings to block or reset malicious traffic. Read the following in order to run the Use Case 3: + +## Task + +1. You realized that you have no inbound inspection on the Beer Store by looking into the "Firewall: Monitor" logs and adding the following filter **(( zone.src eq frontend ) and ( zone.dst eq frontend )) or (( zone.src eq external ) and ( zone.dst eq internal ))**. + +2. You should now redirect the traffic from the Beer Frontend VPC to the Firewall. Please go through the following steps: + + 1. Login into the AWS console + 2. Go to VPC + 3. Select in Filter by VPC field the "Beer Store Frontend VPC" + 4. As next go to Route Tables and select the Beer Store Frontend Public route table + 5. In the route table click on Routes (see below) + +

+ + vi. Click Edit routes and do the following changes: + - Change the route 0.0.0.0/0 -> Gateway Load Balancer Endpoint + - Click Save + + + vii. Once you made the changes your routle should looks like the example below +
+

+
+ +3. Now after you redirect inbound traffic through the firewall, you should connect to the **Beer Store Frontend Webserver** (HTTP) over the Public IP. You should be able to see the following Webpage. This is the entrypoint to the Log4j Attack. The attack is being automatically generated, you do not need to authenticate to the beer store frontend before proceeding to the next step +

Beer Store

+ In the "Firewall: Monitor" logs, you should see the following log by entering the filter ( addr.src in YOUR-PIP ). Replace "YOUR-PIP" with your local Public IP (Logs can take up to 1 min to be shown in the Monitor)
+

Logs

+ In case you still don't see any traffic logs, check the Internet Edge route table or do the following: + 1. Login into the AWS console + 2. Go to VPC + 3. Select in Filter by VPC field the "Beer Store Frontend VPC" + 4. As next go to Route Tables and select the Beer Store Frontend IGW Edge route table + 5. In the route table click on Routes (see below) +
+

+
+ 6. Click "Edit routes" and do the following change: + - Add the route 10.1.2.0/24 -> Gateway Load Balancer Endpoint + - Click Save +

+ 7. Once you made the changes your routle should looks like the example below +
+

+
+ +4. Next we will check the Firewall Monitor Threat logs, to see if any unexpected behaviour is happening. In the Threat Logs, you can see some **Log4j** Attacks. But for some reason, the Firewall isn't blocking them, just alerting. See the picture below as an example. +

alert

+ +5. Now you have to change/update the Threat Profile on the Security Policy to block/reset the vulnerable traffic. To perform the change on the Security Policy follow the instructions below: + + 1. On the Firewall tab on the browser, navigate to the Policies tab, and select Secuirty on the left pane +

+ + 2. Now you can see all the Security rules. Click on the Rule "Allow inbound" frontend rule, and a new window will open +

+ + 3. On the new window click on "Actions" tab +

+ + 4. On the "Profile Setting" section you can see that under "Vulnerability Protection",the "alert" profile is selected. That profile will only alert and not block or reset any communication. +

+ + 5. Change the "Vulnerability Protection" from "alert" to "strict". +

+ + 6. Click "OK", and the window will close automatically. + + 7. Next, we have to commit the changes you made to the firewall. Click on the **Commit** button in the top right corner. +

+ + 8. A new window will open. Here you will have to click on "Commit" button +

+ + 9. Wait for "Status Complete" and "Result Successful" and close the Window +

+ +6. After changing the **Vulnerability Protection** Profile from **alert** to **strict** you should see the following logs under the **Threat section** of the logs: +

+
+
+ +- After you make the appropriate changes in AWS routing and on the Palo Alto Networks Firewall it should have successfully blocked the attack to the **Beer Store Frontend Webserver** and you should be able to see a **reset-both** log entry in the Palo Alto Networks Monitor Logs -> Threat. +
+
+ +This is the end of third Use Case. +
+ +## Summary +We have completed this lab and we observed how VM Series firewall can be deployed in AWS environment to inspect inbound and east-west flow and inspect the traffic. + +## Cleanup Steps +Once you have completed the lab successfully, follow the following steps for the cleanup: + +Go to the AWS Floudformation service and delete the root stack which you had deployed initially using the URL, refer the following steps: + + 1. Go to the AWS CloudFormation service and select the stack(stack name) that was deployed +![Screenshot (181)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/d4ca515c-d765-4109-a51f-a41224c40c9a) + 2. Click on **Delete** +![Screenshot (182)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/951c7365-8f29-41bd-84cd-cbb3eb714da1) +**Note**: it will take approximately 10-15 minutes for the stack to get deleted. + 3. Once the stack is deleted go to the AWS Cloudshell, select Actions and select Delete AWS CloudShell home directory option +![Screenshot (183)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/de107f6b-2123-4b66-b443-9bc20bde2113) + + + + + +In case you get a message that says: "DELETE_FAILED" for the test-CombinedStack and test-SecurityStack, follow the following steps + +**Note**: the name of the stack deployed here is "test", please select the stackname that you have deployed to delete the nested stack + +1. Select the test-CombinedStack +![Screenshot (184)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/86faf4c6-7cd6-4268-84a0-157b51a95e10) +2. Click on **Delete** +![Screenshot (185)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/e04e4f4d-2704-44d2-96d1-9c0c6ee39e12) +3. Once the test-CombinedStack is deleted, Select test-SecurityStack +![Screenshot (187)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/52802da9-8563-46be-a303-229bb1a9e0aa) +4. 
Click on **Delete** +![Screenshot (188)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/7e6db6ce-7c37-4e11-a71d-469de3e404b0) +5. Finally select the test-stack +![Screenshot (189)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/b3d171f7-a74f-434a-80df-1e9bca73ccad) +6. Click on **Delete** +![Screenshot (190)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/c8c51126-ba7c-47ee-88f7-67dac26c6980) +7. Now go to the VPC section and check if all the VPCs are deleted, if not then Select the VPC and click **Delete** +![Screenshot (192)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/b624ac57-655a-40df-bad4-50df0c6c980f) +![Screenshot (193)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/966d965d-78a7-41ab-86ef-347cecf798e4) + + + + + diff --git a/AWS-VMSeries-GWLB-CFT/setup-cft.sh b/AWS-VMSeries-GWLB-CFT/setup-cft.sh new file mode 100644 index 0000000..18b069c --- /dev/null +++ b/AWS-VMSeries-GWLB-CFT/setup-cft.sh 
@@ -0,0 +1,27 @@
+
+S3_BUCKET_NAME="panw-aws-resources-$(uuidgen)"
+S3_FOLDER_NAME="panw-vmseries-gwlb/"
+
+echo "Creating new S3 bucket ${S3_BUCKET_NAME} for sourcing the CFTs"
+aws s3 mb s3://${S3_BUCKET_NAME}
+
+echo "Creating new folder ${S3_FOLDER_NAME} in the S3 bucket"
+aws s3api put-object --bucket ${S3_BUCKET_NAME} --key ${S3_FOLDER_NAME} --content-length 0
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $SCRIPT_DIR
+
+echo "Updating the CFTs with the new S3 bucket name."
+sed -i "s/__source_s3_bucket_name__/${S3_BUCKET_NAME}/g" ./vmseries-gwlb-2023/cloud-formation-templates/aws-panw-gwlb-cfn-root.yaml
+sed -i "s/__source_s3_bucket_name__/${S3_BUCKET_NAME}/g" ./vmseries-gwlb-2023/cloud-formation-templates/aws-panw-gwlb-cfn-security.yaml
+sed -i "s/__source_s3_bucket_name__/${S3_BUCKET_NAME}/g" ./vmseries-gwlb-2023/cloud-formation-templates/aws-panw-gwlb-cfn-vmseries.yaml
+
+echo "Starting upload of CFT and bootstrap files to S3 bucket"
+aws s3 cp ./vmseries-gwlb-2023/s3-assets/bootstrap.xml s3://${S3_BUCKET_NAME}/${S3_FOLDER_NAME}
+aws s3 cp ./vmseries-gwlb-2023/s3-assets/init-cfg.txt s3://${S3_BUCKET_NAME}/${S3_FOLDER_NAME}
+aws s3 cp ./vmseries-gwlb-2023/s3-assets/authcodes s3://${S3_BUCKET_NAME}/${S3_FOLDER_NAME}
+aws s3 cp ./vmseries-gwlb-2023/cloud-formation-templates s3://${S3_BUCKET_NAME}/${S3_FOLDER_NAME} --recursive
+
+echo "Setup completed successfully. Please proceed to CFT deployment."
+echo "Please use the below Template URL for CFT deployment."
+echo "TEMPLATE_URL = https://${S3_BUCKET_NAME}.s3.${AWS_REGION}.amazonaws.com/${S3_FOLDER_NAME}aws-panw-gwlb-cfn-root.yaml"
From 921126009e7f7fab9e63909049a51536afae031e Mon Sep 17 00:00:00 2001
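Review bot: Nothing in setup-cft.sh stops on error — the file has no shebang and no `set -euo pipefail` (line 1 of the hunk is blank), so if `aws s3 mb`, any of the three `sed -i` calls or any `aws s3 cp` fails, execution still reaches the final `echo "Setup completed successfully..."` and prints a TEMPLATE_URL for an object that was never uploaded. The paths `./vmseries-gwlb-2023/cloud-formation-templates` and `./vmseries-gwlb-2023/s3-assets` also match no directory in the visible diffstats (those add `cloudformationtemplates/` and `s3assets/`); unless an intermediate patch creates them, every sed and cp step fails in exactly this silent way. The `sed -i` calls rewrite the tracked templates in place, which consumes the `__source_s3_bucket_name__` placeholder, so a second run creates a fresh bucket but uploads templates still pointing at the first one; rendering into a `mktemp -d` staging copy keeps the script re-runnable and the working tree clean. `cd $SCRIPT_DIR` and the `s3://${S3_BUCKET_NAME}/...` arguments are unquoted, and the printed URL interpolates `${AWS_REGION}`, which CloudShell exports but a plain shell may not, so assert it up front with `: "${AWS_REGION:?AWS_REGION must be set}"`. A sketch of the header and the staging change follows.
```shell
#!/usr/bin/env bash
set -euo pipefail

# The printed TEMPLATE_URL embeds the region; fail early when it is missing
# (CloudShell exports AWS_REGION, an arbitrary shell may not).
: "${AWS_REGION:?AWS_REGION must be set}"

S3_BUCKET_NAME="panw-aws-resources-$(uuidgen)"
S3_FOLDER_NAME="panw-vmseries-gwlb/"
# … unchanged: bucket and folder creation …

SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd -- "$SCRIPT_DIR"

# Render the bucket name into a temporary copy so the tracked templates keep
# their __source_s3_bucket_name__ placeholder and the script can be re-run.
STAGE_DIR=$(mktemp -d)
trap 'rm -rf -- "$STAGE_DIR"' EXIT
cp -R ./vmseries-gwlb-2023/cloud-formation-templates "$STAGE_DIR/"
sed -i "s/__source_s3_bucket_name__/${S3_BUCKET_NAME}/g" \
  "$STAGE_DIR"/cloud-formation-templates/aws-panw-gwlb-cfn-{root,security,vmseries}.yaml

# … unchanged: bootstrap.xml / init-cfg.txt / authcodes uploads (quote the s3:// arguments) …
aws s3 cp "$STAGE_DIR/cloud-formation-templates" "s3://${S3_BUCKET_NAME}/${S3_FOLDER_NAME}" --recursive
# … unchanged: completion messages …
```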
From: Nidhi Pandey Date: Tue, 18 Jun 2024 10:25:30 +0530 Subject: [PATCH 5/5] removed old folder --- aws-vmseries-with-gwlbe-CFT/README.md | 323 ---- .../aws-panw-gwlb-cfn-combined.yaml | 1152 -------------- .../aws-panw-gwlb-cfn-root.yaml | 391 ----- .../aws-panw-gwlb-cfn-security.yaml | 706 --------- .../aws-panw-gwlb-cfn-vmseries.yaml | 451 ------ ...ws-panw-vmseries-gwlb-team-iam-policy.json | 76 - .../s3assets/authcodes | 1 - .../s3assets/bootstrap.xml | 1371 ----------------- .../s3assets/init-cfg.txt | 20 - .../sample/samplereadme1.md | 81 - aws-vmseries-with-gwlbe-CFT/samplereadme.md | 324 ---- aws-vmseries-with-gwlbe-CFT/setup-cft.sh | 27 - 12 files changed, 4923 deletions(-) delete mode 100644 aws-vmseries-with-gwlbe-CFT/README.md delete mode 100644 aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-combined.yaml delete mode 100644 aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-root.yaml delete mode 100644 aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-security.yaml delete mode 100644 aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-vmseries.yaml delete mode 100644 aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-vmseries-gwlb-team-iam-policy.json delete mode 100644 aws-vmseries-with-gwlbe-CFT/s3assets/authcodes delete mode 100644 aws-vmseries-with-gwlbe-CFT/s3assets/bootstrap.xml delete mode 100644 aws-vmseries-with-gwlbe-CFT/s3assets/init-cfg.txt delete mode 100644 aws-vmseries-with-gwlbe-CFT/sample/samplereadme1.md delete mode 100644 aws-vmseries-with-gwlbe-CFT/samplereadme.md delete mode 100644 aws-vmseries-with-gwlbe-CFT/setup-cft.sh diff --git a/aws-vmseries-with-gwlbe-CFT/README.md b/aws-vmseries-with-gwlbe-CFT/README.md deleted file mode 100644 index ca25115..0000000 --- a/aws-vmseries-with-gwlbe-CFT/README.md +++ /dev/null 
@@ -1,323 +0,0 @@ -# aws-panw-vmseries-cft-deployment - -This GitHub repository contains CloudFormation templates designed to deploy a lab environment featuring Palo Alto's VM-Series firewall integrated with AWS Gateway Load Balancer. The primary goal of this lab is to provide hands-on experience in setting up and configuring network security measures to protect digital assets. The lab aims to simulate various network security scenarios and provides a structured environment for users to practice configuring and managing network security policies. - -The lab consists of multiple use cases, each addressing specific network security tasks and validations. In this lab we are deploying a single instance of VM-Series firewall and not using autoscale service. - -**Duration**: It will take approximately 2 hours to successfully complete this lab. - -**Note**: After completion of lab please make sure to run the **cleanup steps** mentioned towards the end of this guide to remove the resources, even if you are not able to complete it please execute the cleanup to remove all the resources. - -## Outline - -
-

Full Starting Diagram with Route Tables

-
- -- aws-panw-gwlb-cfn-root.yaml. This is the root stack that will be deployed. The other template files are nested from this one. - - -You can set up this environment in the following way: - -### Rapid S3 Setup - -**Note:** You will need access to AWS CloudShell for this mode of setup. - -1. Login to the AWS Console and change to the region of your choosing. Supported regions are: - - eu-north-1 - - eu-west-1 - - us-east-1 - - us-east-2 - - us-west-1 - - us-west-2 -2. Open AWS CloudShell, wait for the CLI prompt to show up. -3. Clone the github repository. -``` -git clone https://github.com/AfrahAyub/panw-aws-jam-challenge-resources.git && cd panw-aws-jam-challenge-resources -``` -4. Run the setup command. -``` -./setup-cft.sh -``` - -Once the script completes execution, you should be able to see the output as shown below. -``` -Setup completed successfully. Please proceed to CFT deployment. -Please use the below Template URL for CFT deployment. -TEMPLATE_URL = https://panw-aws-resources-506b9ea8-ce65-4416-8f5d-288991b33a30.s3.us-east-1.amazonaws.com/panw-vmseries-gwlb/aws-panw-gwlb-cfn-root.yaml -``` -5. Please create a new EC2 key pair in the region where you are going to deploy the setup script and once you have uploaded the setup script please rename the EC2 key pair and provide the name of the key-pair that you have generated - - -## Please go through the following cases in order to run the Use Cases - - -## Use Case 1: Inspect outbound traffic using VM Series - -In this Use Case we will be redirecting outbound traffic from the **Beer Store Data Database Server** to the **Palo Alto Networks** firewall for inspection. This involves AWS routing adjustments and verifying traffic logs on the firewall. Read the following in order to run the Use Case 1: -## Task - -**Step 1**- In this step we will Update AWS routing to redirect the Beer Store Data Database Server outbound traffic for inspection by VM-Series through the "Transit Gateway". 
Please go through the follwoing steps: - - 1: In this step we will check the VPC Route Table to check if the Route Tables of the Beer Store Data VPC is pointing to - the correct resource - - 2: The Traffic will not be shown in the firewall at first, to see the traffic in the Firewall monitoring. Please do the - following: - - 1. Login into the AWS console - 2. Go to VPC - 3. Select in filter by VPC field the "Beer Store Data VPC" - 4. Next, go to route tables and select the "Beer Store Data Private route table" - 5. In the route table click on routes (see below) -
-

-
- 6. Click Edit routes and do the following changes: - - 1. Remove the route 10.0.0.0/8 -> Target TGW - 2. Change the route 0.0.0.0/0 -> TGW - 3. Click Save - -7. Once you made the changes your route should look like the example below -
-

-
- -**Step 2**- Now login to the firewall. Go through the following steps: - - - Identify the Elastic IP (Security VM-Series Management) of the EC2 Instance named "Security VM-Series" to find the server's private IP. - 1. On the AWS Console go to EC2 - 2. On the EC2 Dashboard click on Instances - 3. The following EC2 instances are used by the lab: - - Beer Store Data Database - - Beer Store Frontend Webserver - - Security VM-Series (Palo Alto Networks Firewall) - - - - Open a browser window and navigate to https://("Security VM-Series-EIP") - - Login with the following credentials: - - Username: admin - - Password: Pal0Alt0@123 -
- -**Step 3**- Now we will do the following steps in order to run the attack: -- Once you made the appropriate changes in the AWS routing you can log into the **Beer Store Data Database Server** via the SSM service and test with the **curl** command if the EC2 instance has internet access. - - example curl command **sudo curl www.google.de** - - To Login into the Beer Store Data Database Server: - - Use the Session Manager to log into the Server - - The name of the VM is "Beer Store Data Database" - -- If the curl command isn't working in the **Beer Store Data Database Server**, check the Palo Alto Networks Firewall Monitor Logs to see which application is now blocked from the Firewall. - -- You should see the following example log in the firewall monitoring. By adding the following filter **( zone.src eq internal ) and ( zone.dst eq external )** into the Monitor Logs filter bar.
- Some fields in the example log were removed. -

VPC Logs

-
- -**Step 4**- Check the "Firewall Monitor" traffic logs to verify if you can see any traffic from the Beer Store Data Database Server. To see the Traffic Logs inside the firewall: -- Login into the firewall -- Inside the firewall navigate to Monitor -> Traffic -- See the following picture as an example

Monitor Logs

-- In the :Monitor: Traffic" window change the refresh timer from **Manual** to **10 seconds** by clicking on the dropdown field on the top right as the picture below shows -

Monitor Logs

- -
-
- -This is the end of first Use Case. -
- -## Use Case 2: Inspect east-west traffic using VM-Series - -In this Use Case we will have VM-Series firewall inspect east-west traffic between the **Beer Store Data Database Server** and the **Beer Store Frontend Webserver**. As a part of this task we will update the AWS routing and also check the firewall logs. Read the following in order to run the Use Case 2: -## Task - -1. As the first step let's check the traffic between the Beer Store Data Database Server and the Beer Store Frontend Webserver. You can add the following filter into the Firewall Monitor **( zone.src eq internal ) and ( zone.dst eq internal )** -2. There should not be logs seen on the firewall, so let's update the AWS routing. Please go through the following steps: - -**Step 1**: To make changes in the AWS routing we will do the following: - 1. Login into the AWS console - 2. Go to VPC Services and select under Transit Gateways the Transit gateway route tables -
-

-
- - 3. Select the Spoke TGW Route Table - 4. In the Route table click on Propagations -
-

-
- - 5. Select each propagations one by one and click delete propagations. Repeat it until both are deleted. - 6. Your TGW Route table should looks like the following after the deletion -
-

-
- -**Step 2**: To find the logs inside the "Firewall: Monitor": - 1. Log into the Palo Alto Networks VM-Series Firewall - 2. Go to Monitor -> Traffic -
-

- -
- -Note: The attack is being automatically generated. - - 3. In the Filter field paste the the following filter ( zone.src eq internal ) and ( zone.dst eq internal ) and ( app eq ssh ) -
-

-
- -**Step 3**: - 1. In the Monitor logs have a look at the column "TO PORT". -
-

-
- - 2. Once you made the appropriate changes in AWS check if can see now traffic between the **Beer Store Data Database Server** and the **Beer Store Frontend Webserver** by typing the following filter in the "Firewall: Monitor" **( zone.src eq internal ) and ( zone.dst eq internal )** - - 3. You should be able to see the following Monitor Logs inside the Firewall -

SSH Logs

-
- -This is the end of second Use Case. -
- -## Use Case 3: Inspect inbound traffic using VM-Series - -In this Use Case the VM-Series firewall will inspect inbound traffic towards the **Beer Frontend VPC**. As a part of this task we will be redirecting traffic, checking logs, identifying vulnerabilities, and updating firewall settings to block or reset malicious traffic. Read the following in order to run the Use Case 3: - -## Task - -1. You realized that you have no inbound inspection on the Beer Store by looking into the "Firewall: Monitor" logs and adding the following filter **(( zone.src eq frontend ) and ( zone.dst eq frontend )) or (( zone.src eq external ) and ( zone.dst eq internal ))**. - -2. You should now redirect the traffic from the Beer Frontend VPC to the Firewall. Please go through the following steps: - - 1. Login into the AWS console - 2. Go to VPC - 3. Select in Filter by VPC field the "Beer Store Frontend VPC" - 4. As next go to Route Tables and select the Beer Store Frontend Public route table - 5. In the route table click on Routes (see below) - -

- - vi. Click Edit routes and do the following changes: - - Change the route 0.0.0.0/0 -> Gateway Load Balancer Endpoint - - Click Save - - - vii. Once you made the changes your routle should looks like the example below -
-

-
- -3. Now after you redirect inbound traffic through the firewall, you should connect to the **Beer Store Frontend Webserver** (HTTP) over the Public IP. You should be able to see the following Webpage. This is the entrypoint to the Log4j Attack. The attack is being automatically generated, you do not need to authenticate to the beer store frontend before proceeding to the next step -

Beer Store

- In the "Firewall: Monitor" logs, you should see the following log by entering the filter ( addr.src in YOUR-PIP ). Replace "YOUR-PIP" with your local Public IP (Logs can take up to 1 min to be shown in the Monitor)
-

Logs

- In case you still don't see any traffic logs, check the Internet Edge route table or do the following: - 1. Login into the AWS console - 2. Go to VPC - 3. Select in Filter by VPC field the "Beer Store Frontend VPC" - 4. As next go to Route Tables and select the Beer Store Frontend IGW Edge route table - 5. In the route table click on Routes (see below) -
-

-
- 6. Click "Edit routes" and do the following change: - - Add the route 10.1.2.0/24 -> Gateway Load Balancer Endpoint - - Click Save -

- 7. Once you made the changes your routle should looks like the example below -
-

-
- -4. Next we will check the Firewall Monitor Threat logs, to see if any unexpected behaviour is happening. In the Threat Logs, you can see some **Log4j** Attacks. But for some reason, the Firewall isn't blocking them, just alerting. See the picture below as an example. -

alert

- -5. Now you have to change/update the Threat Profile on the Security Policy to block/reset the vulnerable traffic. To perform the change on the Security Policy follow the instructions below: - - 1. On the Firewall tab on the browser, navigate to the Policies tab, and select Secuirty on the left pane -

- - 2. Now you can see all the Security rules. Click on the Rule "Allow inbound" frontend rule, and a new window will open -

- - 3. On the new window click on "Actions" tab -

- - 4. On the "Profile Setting" section you can see that under "Vulnerability Protection",the "alert" profile is selected. That profile will only alert and not block or reset any communication. -

- - 5. Change the "Vulnerability Protection" from "alert" to "strict". -

- - 6. Click "OK", and the window will close automatically. - - 7. Next, we have to commit the changes you made to the firewall. Click on the **Commit** button in the top right corner. -

- - 8. A new window will open. Here you will have to click on "Commit" button -

- - 9. Wait for "Status Complete" and "Result Successful" and close the Window -

- -6. After changing the **Vulnerability Protection** Profile from **alert** to **strict** you should see the following logs under the **Threat section** of the logs: -

-
-
- -- After you make the appropriate changes in AWS routing and on the Palo Alto Networks Firewall it should have successfully blocked the attack to the **Beer Store Frontend Webserver** and you should be able to see a **reset-both** log entry in the Palo Alto Networks Monitor Logs -> Threat. -
-
- -This is the end of third Use Case. -
- -## Summary -We have completed this lab and we observed how VM Series firewall can be deployed in AWS environment to inspect inbound and east-west flow and inspect the traffic. - -## Cleanup Steps -Once you have completed the lab successfully, follow the following steps for the cleanup: - -Go to the AWS Floudformation service and delete the root stack which you had deployed initially using the URL, refer the following steps: - - 1. Go to the AWS CloudFormation service and select the stack(stack name) that was deployed -![Screenshot (181)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/d4ca515c-d765-4109-a51f-a41224c40c9a) - 2. Click on **Delete** -![Screenshot (182)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/951c7365-8f29-41bd-84cd-cbb3eb714da1) -**Note**: it will take approximately 10-15 minutes for the stack to get deleted. - 3. Once the stack is deleted go to the AWS Cloudshell, select Actions and select Delete AWS CloudShell home directory option -![Screenshot (183)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/de107f6b-2123-4b66-b443-9bc20bde2113) - - - - - -In case you get a message that says: "DELETE_FAILED" for the test-CombinedStack and test-SecurityStack, follow the following steps - -**Note**: the name of the stack deployed here is "test", please select the stackname that you have deployed to delete the nested stack - -1. Select the test-CombinedStack -![Screenshot (184)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/86faf4c6-7cd6-4268-84a0-157b51a95e10) -2. Click on **Delete** -![Screenshot (185)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/e04e4f4d-2704-44d2-96d1-9c0c6ee39e12) -3. Once the test-CombinedStack is deleted, Select test-SecurityStack -![Screenshot (187)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/52802da9-8563-46be-a303-229bb1a9e0aa) -4. 
Click on **Delete** -![Screenshot (188)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/7e6db6ce-7c37-4e11-a71d-469de3e404b0) -5. Finally select the test-stack -![Screenshot (189)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/b3d171f7-a74f-434a-80df-1e9bca73ccad) -6. Click on **Delete** -![Screenshot (190)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/c8c51126-ba7c-47ee-88f7-67dac26c6980) -7. Now go to the VPC section and check if all the VPCs are deleted, if not then Select the VPC and click **Delete** -![Screenshot (192)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/b624ac57-655a-40df-bad4-50df0c6c980f) -![Screenshot (193)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/966d965d-78a7-41ab-86ef-347cecf798e4) - - - - diff --git a/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-combined.yaml b/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-combined.yaml deleted file mode 100644 index 7a4226e..0000000 --- a/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-combined.yaml +++ /dev/null 
@@ -1,1152 +0,0 @@ -AWSTemplateFormatVersion: "2010-09-09" - -Description: >- - Simulated VPC with public facing web frontend on EC2. Intended for use with demo scenario with VM-Series Deployment with AWS Gateway Load Balancer (GWLB). - -# ====================================================================================================================== -# Parameters -# ====================================================================================================================== - -Parameters: -# KeyPair Parameter - KeyName: - Type: String - Description: Name of the KeyPair used for EC2 instances - ConstraintDescription: 'Must be the name of an existing EC2 KeyPair.' - Default: lab-key-pair - -# Naming Prefix - FrontendNamePrefix: - Type: String - Description: Prefix to be used for naming / tagging resources - ConstraintDescription: 'String for naming.' - Default: Beer Store Frontend - - DataNamePrefix: - Type: String - Description: Prefix to be used for naming / tagging resources - ConstraintDescription: 'String for naming.' - Default: Beer Store Data - - AttackerNamePrefix: - Type: String - Description: Prefix to be used for naming / tagging resources - ConstraintDescription: 'String for naming.' - Default: Sneaky Suds - -# Amazon Linux AMI for simulated workload EC2 - LatestAmiId : - Type : 'AWS::SSM::Parameter::Value' - Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2' - -# Management Network CIDR - RemoteManagementCIDR: - Description: >- - Remote Management CIDR to be allowed management access to VM-Series Firewall (e.g. 192.168.0.0/25) - Type: String - Default: 0.0.0.0/0 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2}) - ConstraintDescription: Must be a valid CIDR (e.g. 0.0.0.0/0) - -# Frontend VPC CIDR IP Range - FrontendVPCCIDR: - Description: >- - CIDR Address Range for FrontendVPC (e.g. 
10.1.0.0/16) - Type: String - Default: 10.1.0.0/16 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) - -# Frontend VPC Subnets - FrontendVPCSubnetPrivateCIDRAZ1: - Description: >- - CIDR for Private Subnet (e.g. 10.0.0.0/28) - Type: String - Default: 10.1.1.0/24 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) - - FrontendVPCSubnetPublicCIDRAZ1: - Description: >- - CIDR for Public Subnet (e.g. 10.0.0.0/28) - Type: String - Default: 10.1.2.0/24 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) - - FrontendVPCSubnetGwlbeCIDRAZ1: - Description: >- - CIDR for GWLB Endpoint Subnet (e.g. 10.0.0.0/28) - Type: String - Default: 10.1.3.0/24 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) -# DATA -# Data VPC CIDR IP Range - DataVPCCIDR: - Description: >- - CIDR Address Range for DataVPC (e.g. 10.2.0.0/16) - Type: String - Default: 10.2.0.0/16 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) - -# Data VPC Subnets - DataVPCSubnetPrivateCIDRAZ1: - Description: >- - CIDR for Data VM Subnet (e.g. 10.0.0.0/28) - Type: String - Default: 10.2.1.0/24 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) - - DataVPCSubnetPublicCIDRAZ1: - Description: >- - CIDR for TGW Subnet (e.g. 10.0.0.0/28) - Type: String - Default: 10.2.2.0/24 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 
192.168.0.0/28) -# ATTACKER -# Attacker VPC CIDR IP Range - AttackerVPCCIDR: - Description: >- - CIDR Address Range for AttackerVPC (e.g. 10.2.0.0/16) - Type: String - Default: 192.168.10.0/23 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) - -# Attacker VPC Subnets - AttackerVPCSubnetPrivateCIDRAZ1: - Description: >- - CIDR for Attacker VM Subnet (e.g. 10.0.0.0/28) - Type: String - Default: 192.168.10.0/24 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) - - AttackerVPCSubnetPublicCIDRAZ1: - Description: >- - CIDR for TGW Subnet (e.g. 10.0.0.0/28) - Type: String - Default: 192.168.11.0/24 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) - -# ====================================================================================================================== -# Metadata -# ====================================================================================================================== - -Metadata: - AWS::CloudFormation::Interface: - ParameterGroups: - - - Label: - default: "Frontend Webserver VPC Parameters" - Parameters: - - FrontendVPCCIDR - - FrontendVPCSubnetPrivateCIDRAZ1 - - FrontendVPCSubnetPublicCIDRAZ1 - - FrontendVPCSubnetGwlbeCIDRAZ1 - - FrontendNamePrefix - - DataVPCCIDR - - DataVPCSubnetPrivateCIDRAZ1 - - DataVPCSubnetPublicCIDRAZ1 - - DataNamePrefix - - AttackerVPCCIDR - - AttackerVPCSubnetPrivateCIDRAZ1 - - AttackerVPCSubnetPublicCIDRAZ1 - - AttackerNamePrefix - - - Label: - default: "Other Parameters" - Parameters: - - RemoteManagementCIDR - -# ====================================================================================================================== -# Resources -# 
====================================================================================================================== - -Resources: - -# ---------------------------------------------------------------------------------------------------------------------- -# Networking - VPC, IGW, TGW, Subnets, Route Tables -# ---------------------------------------------------------------------------------------------------------------------- - - FrontendVPC: - Type: AWS::EC2::VPC - Properties: - EnableDnsSupport: true - EnableDnsHostnames: true - CidrBlock: !Ref FrontendVPCCIDR - Tags: - - Key: Name - Value: !Sub "${FrontendNamePrefix} VPC" - - FrontendIGW: - Type: AWS::EC2::InternetGateway - Properties: - Tags: - - Key: Name - Value: !Sub "${FrontendNamePrefix} IGW" - - FrontendIGWAttachment: - Type: AWS::EC2::VPCGatewayAttachment - Properties: - InternetGatewayId: !Ref FrontendIGW - VpcId: !Ref FrontendVPC - - FrontendSubnetPrivateAZ1: - Type: AWS::EC2::Subnet - Properties: - VpcId: !Ref FrontendVPC - CidrBlock: !Ref FrontendVPCSubnetPrivateCIDRAZ1 - AvailabilityZone: !Select [ 0, !GetAZs '' ] - Tags: - - Key: Name - Value: !Sub "${FrontendNamePrefix} Private" - - FrontendSubnetPublicAZ1: - Type: AWS::EC2::Subnet - Properties: - VpcId: !Ref FrontendVPC - CidrBlock: !Ref FrontendVPCSubnetPublicCIDRAZ1 - AvailabilityZone: !Select [ 0, !GetAZs '' ] - Tags: - - Key: Name - Value: !Sub "${FrontendNamePrefix} Public" - - FrontendSubnetGwlbeAZ1: - Type: AWS::EC2::Subnet - Properties: - VpcId: !Ref FrontendVPC - CidrBlock: !Ref FrontendVPCSubnetGwlbeCIDRAZ1 - AvailabilityZone: !Select [ 0, !GetAZs '' ] - Tags: - - Key: Name - Value: !Sub "${FrontendNamePrefix} GWLB Endpoint" - -# ---------------------------------------------------------------------------------------------------------------------- -# TGW Attachment -# ---------------------------------------------------------------------------------------------------------------------- - - - FrontendTgwAttachment: - Type: 
AWS::EC2::TransitGatewayAttachment - Properties: - TransitGatewayId: !ImportValue TgwId - VpcId: !Ref FrontendVPC - SubnetIds: [!Ref FrontendSubnetPrivateAZ1] - Tags: - - Key: Name - Value: !Sub "${FrontendNamePrefix} VPC Attachment" - - FrontendTGWAttachmentAssociation: - Type: AWS::EC2::TransitGatewayRouteTableAssociation - Properties: - TransitGatewayAttachmentId: !Ref FrontendTgwAttachment - TransitGatewayRouteTableId: !ImportValue TgwSpokeRouteTableId - - FrontendTGWAttachmentPropagationToSecurity: - Type: AWS::EC2::TransitGatewayRouteTablePropagation - Properties: - TransitGatewayAttachmentId: !Ref FrontendTgwAttachment - TransitGatewayRouteTableId: !ImportValue TgwSecurityRouteTableId - - FrontendTGWAttachmentPropagationToSpoke: # Intentional to start with direct E/W Traffic - Type: AWS::EC2::TransitGatewayRouteTablePropagation - Properties: - TransitGatewayAttachmentId: !Ref FrontendTgwAttachment - TransitGatewayRouteTableId: !ImportValue TgwSpokeRouteTableId - -# ---------------------------------------------------------------------------------------------------------------------- -# VPC Route Tables -# ---------------------------------------------------------------------------------------------------------------------- - - FrontendPrivateRouteTable: - Type: AWS::EC2::RouteTable - Properties: - VpcId: !Ref FrontendVPC - Tags: - - Key: Name - Value: !Sub "${FrontendNamePrefix} Private" - - FrontendPrivateRouteTableAssociationAZ1: - Type: AWS::EC2::SubnetRouteTableAssociation - Properties: - RouteTableId: !Ref FrontendPrivateRouteTable - SubnetId: !Ref FrontendSubnetPrivateAZ1 - - FrontendPrivateClassARoute: - Type: AWS::EC2::Route - Properties: - RouteTableId: !Ref FrontendPrivateRouteTable - DestinationCidrBlock: 10.0.0.0/8 - TransitGatewayId: !ImportValue TgwId - DependsOn: FrontendTgwAttachment - - FrontendPublicRouteTable: - Type: AWS::EC2::RouteTable - Properties: - VpcId: !Ref FrontendVPC - Tags: - - Key: Name - Value: !Sub "${FrontendNamePrefix} 
Public" - - FrontendPublicRouteTableAssociationAZ1: - Type: AWS::EC2::SubnetRouteTableAssociation - Properties: - RouteTableId: !Ref FrontendPublicRouteTable - SubnetId: !Ref FrontendSubnetPublicAZ1 - - FrontendPublicDefaultRoute: - Type: AWS::EC2::Route - DependsOn: FrontendIGWAttachment - Properties: - RouteTableId: !Ref FrontendPublicRouteTable - DestinationCidrBlock: 0.0.0.0/0 - GatewayId: !Ref FrontendIGW - - FrontendPublicClassARoute: - Type: AWS::EC2::Route - Properties: - RouteTableId: !Ref FrontendPublicRouteTable - DestinationCidrBlock: 10.0.0.0/8 - TransitGatewayId: !ImportValue TgwId - DependsOn: FrontendTgwAttachment - - FrontendGwlbEndpointRouteTable: - Type: AWS::EC2::RouteTable - Properties: - VpcId: !Ref FrontendVPC - Tags: - - Key: Name - Value: !Sub "${FrontendNamePrefix} GWLB Endpoint" - - FrontendGwlbEndpointRouteTableAssociationAZ1: - Type: AWS::EC2::SubnetRouteTableAssociation - Properties: - RouteTableId: !Ref FrontendGwlbEndpointRouteTable - SubnetId: !Ref FrontendSubnetGwlbeAZ1 - - FrontendGwlbEndpointDefaultRoute: - Type: AWS::EC2::Route - DependsOn: FrontendIGWAttachment - Properties: - RouteTableId: !Ref FrontendGwlbEndpointRouteTable - DestinationCidrBlock: 0.0.0.0/0 - GatewayId: !Ref FrontendIGW - - FrontendIgwEdgeRouteTable: - Type: AWS::EC2::RouteTable - Properties: - VpcId: !Ref FrontendVPC - Tags: - - Key: Name - Value: !Sub "${FrontendNamePrefix} IGW Edge" - - FrontendIgwEdgeRouteTableAssociationAZ1: - Type: AWS::EC2::GatewayRouteTableAssociation - Properties: - RouteTableId: !Ref FrontendIgwEdgeRouteTable - GatewayId: !Ref FrontendIGW - -# ---------------------------------------------------------------------------------------------------------------------- -# Gateway Load Balancer Endpoint -# ---------------------------------------------------------------------------------------------------------------------- - - FrontendGwlbeAz1: - Type: AWS::EC2::VPCEndpoint - Properties: - VpcId: !Ref FrontendVPC - ServiceName: !ImportValue 
GWLBServiceId - VpcEndpointType: GatewayLoadBalancer - SubnetIds: [ !Ref FrontendSubnetGwlbeAZ1 ] - -# ---------------------------------------------------------------------------------------------------------------------- -# Frontend EC2 Instance Resources -# ---------------------------------------------------------------------------------------------------------------------- - - FrontendEC2EIP: - Type: AWS::EC2::EIP - DependsOn: FrontendIGWAttachment - Properties: - Domain: vpc - InstanceId: !Ref FrontendEC2Instance - Tags: - - Key: Name - Value: !Sub "${FrontendNamePrefix} Webserver EIP" - - FrontendEC2SecurityGroup: - Type: AWS::EC2::SecurityGroup - Properties: - GroupName: !Sub "${FrontendNamePrefix} Public" - GroupDescription: Security group for FrontendEC2Instance - VpcId: !Ref FrontendVPC - SecurityGroupIngress: - - IpProtocol: icmp - FromPort: -1 - ToPort: -1 - CidrIp: 10.0.0.0/8 - - IpProtocol: tcp - FromPort: 443 - ToPort: 443 - CidrIp: 0.0.0.0/0 - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: 0.0.0.0/0 - SecurityGroupEgress: - - IpProtocol: -1 - FromPort: 0 - ToPort: 0 - CidrIp: 0.0.0.0/0 - Tags: - - Key: Name - Value: !Sub "${FrontendNamePrefix} Public" - - - FrontendEC2Instance: - Type: AWS::EC2::Instance - DependsOn: FrontendIGWAttachment - Properties: - ImageId: !Ref LatestAmiId # Enter the appropriate AMI ID - InstanceType: t2.micro # Enter the desired instance type - KeyName: !Ref KeyName #!Join ['', [!FindInMap [KeyPairMap, qwikLABS, KeyNamePrefix], !Ref 'AWS::AccountId']] - IamInstanceProfile: !Ref FrontendSsmInstanceProfile - NetworkInterfaces: - - PrivateIpAddress: 10.1.2.223 - SubnetId: !Ref FrontendSubnetPublicAZ1 - DeviceIndex: 0 - GroupSet: - - !Ref FrontendEC2SecurityGroup - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - Encrypted: true - Tags: - - Key: Name - Value: !Sub "${FrontendNamePrefix} Webserver" - UserData: - Fn::Base64: | - #!/bin/bash - # Install Docker (if not already installed) - sudo yum update -y - sudo 
amazon-linux-extras install docker -y - sudo service docker start - sudo usermod -aG docker ec2-user # Add the user to the docker group for non-root access (optional) - - # Pull and run your Docker container - sudo docker pull migara/vuln-app - sudo docker run -d -p 80:8080 migara/vuln-app - -# ---------------------------------------------------------------------------------------------------------------------- -# Frontend VPC - SSM Resources -# ---------------------------------------------------------------------------------------------------------------------- - - # SSM VPC Endpoint - FrontendSsmVpcEndpoint: - Type: AWS::EC2::VPCEndpoint - Properties: - VpcId: !Ref FrontendVPC - ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssm" - VpcEndpointType: Interface - PrivateDnsEnabled: True - SubnetIds: - - !Ref FrontendSubnetPrivateAZ1 - SecurityGroupIds: - - !Ref FrontendSsmSecurityGroup - - FrontendSsmMessagesVpcEndpoint: - Type: AWS::EC2::VPCEndpoint - Properties: - VpcId: !Ref FrontendVPC - ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssmmessages" - VpcEndpointType: Interface - PrivateDnsEnabled: True - SubnetIds: - - !Ref FrontendSubnetPrivateAZ1 - SecurityGroupIds: - - !Ref FrontendSsmSecurityGroup - - FrontendEc2MessagesVpcEndpoint: - Type: AWS::EC2::VPCEndpoint - Properties: - VpcId: !Ref FrontendVPC - ServiceName: !Sub "com.amazonaws.${AWS::Region}.ec2messages" - VpcEndpointType: Interface - PrivateDnsEnabled: True - SubnetIds: - - !Ref FrontendSubnetPrivateAZ1 - SecurityGroupIds: - - !Ref FrontendSsmSecurityGroup - - # SSM Security Group - - FrontendSsmSecurityGroup: - Type: AWS::EC2::SecurityGroup - Properties: - GroupName: !Sub "${FrontendNamePrefix} SSM Endpoint" - GroupDescription: Enable SSM traffic to endpoint - VpcId: !Ref FrontendVPC - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 443 - ToPort: 443 - CidrIp: !Ref FrontendVPCCIDR - SecurityGroupEgress: - - IpProtocol: -1 - FromPort: 0 - ToPort: 0 - CidrIp: 0.0.0.0/0 - Tags: - - Key: Name - 
Value: !Sub "${FrontendNamePrefix} SSM Endpoint" - - # SSM Role for EC2 instances - FrontendSsmInstanceRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: ec2.amazonaws.com - Action: sts:AssumeRole - ManagedPolicyArns: - - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM - Tags: - - Key: Name - Value: !Sub "${FrontendNamePrefix} SSM" - - # EC2 Instance Profile - FrontendSsmInstanceProfile: - Type: AWS::IAM::InstanceProfile - Properties: - Roles: - - !Ref FrontendSsmInstanceRole - -######################################################################################################################### -# ---------------------------------------------------------------------------------------------------------------------- -# Networking - VPC, IGW, TGW, Subnets, Route Tables -# ---------------------------------------------------------------------------------------------------------------------- - - DataVPC: - Type: AWS::EC2::VPC - Properties: - CidrBlock: !Ref DataVPCCIDR - EnableDnsSupport: true - EnableDnsHostnames: true - Tags: - - Key: Name - Value: !Sub "${DataNamePrefix} VPC" - - DataIGW: - Type: AWS::EC2::InternetGateway - Properties: - Tags: - - Key: Name - Value: !Sub "${DataNamePrefix} IGW" - - DataIGWAttachment: - Type: AWS::EC2::VPCGatewayAttachment - Properties: - InternetGatewayId: !Ref DataIGW - VpcId: !Ref DataVPC - - DataSubnetPrivateAZ1: - Type: AWS::EC2::Subnet - Properties: - VpcId: !Ref DataVPC - CidrBlock: !Ref DataVPCSubnetPrivateCIDRAZ1 - AvailabilityZone: !Select [ 0, !GetAZs '' ] - Tags: - - Key: Name - Value: !Sub "${DataNamePrefix} Private AZ1" - - DataSubnetPublicAZ1: - Type: AWS::EC2::Subnet - Properties: - VpcId: !Ref DataVPC - CidrBlock: !Ref DataVPCSubnetPublicCIDRAZ1 - AvailabilityZone: !Select [ 0, !GetAZs '' ] - Tags: - - Key: Name - Value: !Sub "${DataNamePrefix} Public AZ1" - - -# 
---------------------------------------------------------------------------------------------------------------------- -# TGW Attachment -# ---------------------------------------------------------------------------------------------------------------------- - - DataTgwAttachment: - Type: AWS::EC2::TransitGatewayAttachment - Properties: - TransitGatewayId: !ImportValue TgwId - VpcId: !Ref DataVPC - SubnetIds: [!Ref DataSubnetPrivateAZ1] - Tags: - - Key: Name - Value: !Sub "${DataNamePrefix} VPC Attachment" - - DataTGWAttachmentAssociation: - Type: AWS::EC2::TransitGatewayRouteTableAssociation - Properties: - TransitGatewayAttachmentId: !Ref DataTgwAttachment - TransitGatewayRouteTableId: !ImportValue TgwSpokeRouteTableId - - DataTGWAttachmentPropagationToSecurity: - Type: AWS::EC2::TransitGatewayRouteTablePropagation - Properties: - TransitGatewayAttachmentId: !Ref DataTgwAttachment - TransitGatewayRouteTableId: !ImportValue TgwSecurityRouteTableId - - DataTGWAttachmentPropagationToSpoke: # Intentional to start with direct E/W Traffic - Type: AWS::EC2::TransitGatewayRouteTablePropagation - Properties: - TransitGatewayAttachmentId: !Ref DataTgwAttachment - TransitGatewayRouteTableId: !ImportValue TgwSpokeRouteTableId - -# ---------------------------------------------------------------------------------------------------------------------- -# EIPs -# ---------------------------------------------------------------------------------------------------------------------- - - DataEIPAZ1: - Type: AWS::EC2::EIP - DependsOn: DataIGWAttachment - Properties: - Domain: vpc - InstanceId: !Ref DataEC2Instance - Tags: - - Key: Name - Value: !Sub "${DataNamePrefix} Beer Store Data EIP" - - # DataNATGWAZ1: - # Type: AWS::EC2::NatGateway - # Properties: - # SubnetId: !Ref DataSubnetPublicAZ1 - # AllocationId: !GetAtt DataNATGWEIPAZ1.AllocationId - # Tags: - # - Key: Name - # Value: !Sub "${DataNamePrefix} NAT GW" - -# 
---------------------------------------------------------------------------------------------------------------------- -# VPC Route Tables -# ---------------------------------------------------------------------------------------------------------------------- - - DataPrivateRouteTable: - Type: AWS::EC2::RouteTable - Properties: - VpcId: !Ref DataVPC - Tags: - - Key: Name - Value: !Sub "${DataNamePrefix} Private" - - DataPrivateRouteTableAssociationAZ1: - Type: AWS::EC2::SubnetRouteTableAssociation - Properties: - RouteTableId: !Ref DataPrivateRouteTable - SubnetId: !Ref DataSubnetPrivateAZ1 - - DataPrivateDefaultRoute: - Type: AWS::EC2::Route - Properties: - RouteTableId: !Ref DataPrivateRouteTable - DestinationCidrBlock: 0.0.0.0/0 - GatewayId: !Ref DataIGW - - DataPrivateClassARoute: - Type: AWS::EC2::Route - Properties: - RouteTableId: !Ref DataPrivateRouteTable - DestinationCidrBlock: 10.0.0.0/8 - TransitGatewayId: !ImportValue TgwId - DependsOn: DataTgwAttachment - - DataPublicRouteTable: - Type: AWS::EC2::RouteTable - Properties: - VpcId: !Ref DataVPC - Tags: - - Key: Name - Value: !Sub "${DataNamePrefix} Public" - - DataPublicRouteTableAssociationAZ1: - Type: AWS::EC2::SubnetRouteTableAssociation - Properties: - RouteTableId: !Ref DataPublicRouteTable - SubnetId: !Ref DataSubnetPublicAZ1 - - DataPublicDefaultRoute: - Type: AWS::EC2::Route - DependsOn: DataIGWAttachment - Properties: - RouteTableId: !Ref DataPublicRouteTable - DestinationCidrBlock: 0.0.0.0/0 - GatewayId: !Ref DataIGW - -# ---------------------------------------------------------------------------------------------------------------------- -# Data EC2 Instance Resources -# ---------------------------------------------------------------------------------------------------------------------- - - DataEC2SecurityGroup: - Type: AWS::EC2::SecurityGroup - Properties: - GroupName: !Sub "${DataNamePrefix} Database" - GroupDescription: Security group for Private DB - VpcId: !Ref DataVPC - 
SecurityGroupIngress: - - IpProtocol: icmp - FromPort: -1 - ToPort: -1 - CidrIp: 10.0.0.0/8 - - IpProtocol: tcp - FromPort: 22 - ToPort: 22 - CidrIp: 10.1.0.0/16 - - IpProtocol: -1 - FromPort: 0 - ToPort: 0 - CidrIp: 10.0.0.0/8 - SecurityGroupEgress: - - IpProtocol: -1 - FromPort: 0 - ToPort: 0 - CidrIp: 0.0.0.0/0 - Tags: - - Key: Name - Value: !Sub "${DataNamePrefix} Database" - - DataEC2Instance: - Type: AWS::EC2::Instance - DependsOn: DataIGWAttachment - Properties: - ImageId: !Ref LatestAmiId # Enter the appropriate AMI ID - InstanceType: t2.micro # Enter the desired instance type - KeyName: !Ref KeyName #!Join ['', [!FindInMap [KeyPairMap, qwikLABS, KeyNamePrefix], !Ref 'AWS::AccountId']] - IamInstanceProfile: !Ref DataSsmInstanceProfile - NetworkInterfaces: - - PrivateIpAddress: 10.2.1.100 # Enter the desired private IP address - SubnetId: !Ref DataSubnetPrivateAZ1 - DeviceIndex: 0 - GroupSet: - - !Ref DataEC2SecurityGroup - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - Encrypted: true - Tags: - - Key: Name - Value: !Sub "${DataNamePrefix} Database" - UserData: - Fn::Base64: | - #!/bin/bash - # Install Docker (if not already installed) - sudo yum update -y - sudo amazon-linux-extras install docker -y - sudo service docker start - sudo usermod -aG docker ec2-user # Add the user to the docker group for non-root access (optional) - - # Pull and run your Docker container - sudo docker pull migara/beer-vault - sudo docker run -d -p 2222:22 migara/beer-vault -# ---------------------------------------------------------------------------------------------------------------------- -# Data VPC - SSM Resources -# ---------------------------------------------------------------------------------------------------------------------- - - - # SSM VPC Endpoint - DataSsmVpcEndpoint: - Type: AWS::EC2::VPCEndpoint - Properties: - VpcId: !Ref DataVPC - ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssm" - VpcEndpointType: Interface - PrivateDnsEnabled: True - 
SubnetIds: - - !Ref DataSubnetPrivateAZ1 - SecurityGroupIds: - - !Ref DataSsmSecurityGroup - - DataSsmMessagesVpcEndpoint: - Type: AWS::EC2::VPCEndpoint - Properties: - VpcId: !Ref DataVPC - ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssmmessages" - VpcEndpointType: Interface - PrivateDnsEnabled: True - SubnetIds: - - !Ref DataSubnetPrivateAZ1 - SecurityGroupIds: - - !Ref DataSsmSecurityGroup - - DataEc2MessagesVpcEndpoint: - Type: AWS::EC2::VPCEndpoint - Properties: - VpcId: !Ref DataVPC - ServiceName: !Sub "com.amazonaws.${AWS::Region}.ec2messages" - VpcEndpointType: Interface - PrivateDnsEnabled: True - SubnetIds: - - !Ref DataSubnetPrivateAZ1 - SecurityGroupIds: - - !Ref DataSsmSecurityGroup - - # Security Group - DataSsmSecurityGroup: - Type: AWS::EC2::SecurityGroup - Properties: - GroupName: !Sub "${DataNamePrefix}-ssmendpoint-sg" - VpcId: !Ref DataVPC - GroupDescription: Enable SSM traffic to endpoint - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 443 - ToPort: 443 - CidrIp: !Ref DataVPCCIDR - SecurityGroupEgress: - - IpProtocol: -1 - FromPort: 0 - ToPort: 0 - CidrIp: 0.0.0.0/0 - Tags: - - Key: Name - Value: !Sub "${DataNamePrefix} SSM" - - # SSM Role for EC2 instances - DataSsmInstanceRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: ec2.amazonaws.com - Action: sts:AssumeRole - Path: / - ManagedPolicyArns: - - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM - Tags: - - Key: Name - Value: !Sub "${DataNamePrefix} SSM" - - # EC2 Instance Profile - DataSsmInstanceProfile: - Type: AWS::IAM::InstanceProfile - Properties: - Roles: - - !Ref DataSsmInstanceRole - -######################################################################################################################### - -# ---------------------------------------------------------------------------------------------------------------------- -# Networking - VPC, IGW, TGW, Subnets, 
Route Tables -# ---------------------------------------------------------------------------------------------------------------------- - - AttackerVPC: - Type: AWS::EC2::VPC - Properties: - CidrBlock: !Ref AttackerVPCCIDR - EnableDnsSupport: true - EnableDnsHostnames: true - Tags: - - Key: Name - Value: !Sub "${AttackerNamePrefix} VPC" - - AttackerIGW: - Type: AWS::EC2::InternetGateway - Properties: - Tags: - - Key: Name - Value: !Sub "${AttackerNamePrefix} IGW" - - AttackerIGWAttachment: - Type: AWS::EC2::VPCGatewayAttachment - Properties: - InternetGatewayId: !Ref AttackerIGW - VpcId: !Ref AttackerVPC - - AttackerSubnetPrivateAZ1: - Type: AWS::EC2::Subnet - Properties: - VpcId: !Ref AttackerVPC - CidrBlock: !Ref AttackerVPCSubnetPrivateCIDRAZ1 - AvailabilityZone: !Select [ 0, !GetAZs '' ] - Tags: - - Key: Name - Value: !Sub "${AttackerNamePrefix} Private AZ1" - - AttackerSubnetPublicAZ1: - Type: AWS::EC2::Subnet - Properties: - VpcId: !Ref AttackerVPC - CidrBlock: !Ref AttackerVPCSubnetPublicCIDRAZ1 - AvailabilityZone: !Select [ 0, !GetAZs '' ] - Tags: - - Key: Name - Value: !Sub "${AttackerNamePrefix} Public AZ1" - - -# ---------------------------------------------------------------------------------------------------------------------- -# NAT Gateways with EIPs -# ---------------------------------------------------------------------------------------------------------------------- - - # AttackerNATGWEIPAZ1: - # Type: AWS::EC2::EIP - # DependsOn: AttackerIGWAttachment - # Properties: - # Domain: vpc - # Tags: - # - Key: Name - # Value: !Sub "${AttackerNamePrefix} EIP" - - AttackerEC2EIP: - Type: AWS::EC2::EIP - DependsOn: AttackerIGWAttachment - Properties: - Domain: vpc - InstanceId: !Ref AttackerEC2Instance - Tags: - - Key: Name - Value: !Sub "${AttackerNamePrefix} EIP" - - # AttackerNATGWAZ1: - # Type: AWS::EC2::NatGateway - # Properties: - # SubnetId: !Ref AttackerSubnetPublicAZ1 - # AllocationId: !GetAtt AttackerNATGWEIPAZ1.AllocationId - # Tags: - # - Key: 
Name - # Value: !Sub "${AttackerNamePrefix} NAT GW" - -# ---------------------------------------------------------------------------------------------------------------------- -# VPC Route Tables -# ---------------------------------------------------------------------------------------------------------------------- - - AttackerPrivateRouteTable: - Type: AWS::EC2::RouteTable - Properties: - VpcId: !Ref AttackerVPC - Tags: - - Key: Name - Value: !Sub "${AttackerNamePrefix} Private" - - AttackerPrivateRouteTableAssociationAZ1: - Type: AWS::EC2::SubnetRouteTableAssociation - Properties: - RouteTableId: !Ref AttackerPrivateRouteTable - SubnetId: !Ref AttackerSubnetPrivateAZ1 - - AttackerPrivateDefaultRoute: - Type: AWS::EC2::Route - Properties: - RouteTableId: !Ref AttackerPrivateRouteTable - DestinationCidrBlock: 0.0.0.0/0 - GatewayId: !Ref AttackerIGW - - AttackerPublicRouteTable: - Type: AWS::EC2::RouteTable - Properties: - VpcId: !Ref AttackerVPC - Tags: - - Key: Name - Value: !Sub "${AttackerNamePrefix} Public" - - AttackerPublicRouteTableAssociationAZ1: - Type: AWS::EC2::SubnetRouteTableAssociation - Properties: - RouteTableId: !Ref AttackerPublicRouteTable - SubnetId: !Ref AttackerSubnetPublicAZ1 - - AttackerPublicDefaultRoute: - Type: AWS::EC2::Route - DependsOn: AttackerIGWAttachment - Properties: - RouteTableId: !Ref AttackerPublicRouteTable - DestinationCidrBlock: 0.0.0.0/0 - GatewayId: !Ref AttackerIGW - -# ---------------------------------------------------------------------------------------------------------------------- -# Attacker EC2 Instance Resources -# ---------------------------------------------------------------------------------------------------------------------- - - AttackerEC2SecurityGroup: - Type: AWS::EC2::SecurityGroup - Properties: - GroupName: !Sub "${AttackerNamePrefix}-SG" - GroupDescription: Security group for Attacker - VpcId: !Ref AttackerVPC - SecurityGroupIngress: - - IpProtocol: icmp - FromPort: -1 - ToPort: -1 - CidrIp: 
0.0.0.0/0 - - IpProtocol: -1 - FromPort: -1 - ToPort: -1 - CidrIp: 0.0.0.0/0 - SecurityGroupEgress: - - IpProtocol: -1 - FromPort: 0 - ToPort: 0 - CidrIp: 0.0.0.0/0 - Tags: - - Key: Name - Value: !Sub "${AttackerNamePrefix} SG" - - AttackerEC2Instance: - Type: AWS::EC2::Instance - DependsOn: AttackerIGWAttachment - Properties: - ImageId: !Ref LatestAmiId # Enter the appropriate AMI ID - InstanceType: t2.micro # Enter the desired instance type - KeyName: !Ref KeyName #!Join ['', [!FindInMap [KeyPairMap, qwikLABS, KeyNamePrefix], !Ref 'AWS::AccountId']] - IamInstanceProfile: !Ref AttackerSsmInstanceProfile - NetworkInterfaces: - - PrivateIpAddress: 192.168.10.10 # Enter the desired private IP address - SubnetId: !Ref AttackerSubnetPrivateAZ1 - DeviceIndex: 0 - GroupSet: - - !Ref AttackerEC2SecurityGroup - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - Encrypted: true - Tags: - - Key: Name - Value: !Sub "${AttackerNamePrefix} Instance" - UserData: - Fn::Base64: !Sub - - | - #!/bin/bash - # Install Docker (if not already installed) - sudo yum update -y - sudo amazon-linux-extras install docker -y - sudo service docker start - sudo usermod -aG docker ec2-user # Add the user to the docker group for non-root access (optional) - - EIP_PUBLIC_IP=${EIP_PUBLIC_IP} - - # Pull and run your Docker container - sudo docker pull migara/att-svr - docker container run -itd --rm --name att-svr -p 8888:8888 -p 1389:1389 -e HOST=${EIP_PUBLIC_IP} -e BEER_STORE_EIP=${FrontendEC2EIP} migara/att-svr - - - # FrontendEIP: - # 'Fn::ImportValue': 'FrontendEIP' - EIP_PUBLIC_IP: "$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)" - - - -# ---------------------------------------------------------------------------------------------------------------------- -# Attacker VPC - SSM Resources -# ---------------------------------------------------------------------------------------------------------------------- - - - # SSM VPC Endpoint - AttackerSsmVpcEndpoint: - Type: 
AWS::EC2::VPCEndpoint - Properties: - VpcId: !Ref AttackerVPC - ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssm" - VpcEndpointType: Interface - PrivateDnsEnabled: True - SubnetIds: - - !Ref AttackerSubnetPrivateAZ1 - SecurityGroupIds: - - !Ref AttackerSsmSecurityGroup - - AttackerSsmMessagesVpcEndpoint: - Type: AWS::EC2::VPCEndpoint - Properties: - VpcId: !Ref AttackerVPC - ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssmmessages" - VpcEndpointType: Interface - PrivateDnsEnabled: True - SubnetIds: - - !Ref AttackerSubnetPrivateAZ1 - SecurityGroupIds: - - !Ref AttackerSsmSecurityGroup - - AttackerEc2MessagesVpcEndpoint: - Type: AWS::EC2::VPCEndpoint - Properties: - VpcId: !Ref AttackerVPC - ServiceName: !Sub "com.amazonaws.${AWS::Region}.ec2messages" - VpcEndpointType: Interface - PrivateDnsEnabled: True - SubnetIds: - - !Ref AttackerSubnetPrivateAZ1 - SecurityGroupIds: - - !Ref AttackerSsmSecurityGroup - - # Security Group - AttackerSsmSecurityGroup: - Type: AWS::EC2::SecurityGroup - Properties: - GroupName: !Sub "${AttackerNamePrefix}-ssmendpoint-sg" - VpcId: !Ref AttackerVPC - GroupDescription: Enable SSM traffic to endpoint - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 443 - ToPort: 443 - CidrIp: !Ref AttackerVPCCIDR - SecurityGroupEgress: - - IpProtocol: -1 - FromPort: 0 - ToPort: 0 - CidrIp: 0.0.0.0/0 - Tags: - - Key: Name - Value: !Sub "${AttackerNamePrefix} SSM" - - # SSM Role for EC2 instances - AttackerSsmInstanceRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Effect: Allow - Principal: - Service: ec2.amazonaws.com - Action: sts:AssumeRole - Path: / - ManagedPolicyArns: - - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM - Tags: - - Key: Name - Value: !Sub "${AttackerNamePrefix} SSM" - - # EC2 Instance Profile - AttackerSsmInstanceProfile: - Type: AWS::IAM::InstanceProfile - Properties: - Roles: - - !Ref AttackerSsmInstanceRole - - - -# 
====================================================================================================================== -# Outputs -# ====================================================================================================================== - -Outputs: - FrontendGwlbeAz1: - Description: "The ID of the FrontendGwlbeAz1 VPCEndpoint" - Value: !Ref FrontendGwlbeAz1 - Export: - Name: "FrontendGwlbeAz1" - - FrontendEIP: - Description: EIP of the Beerstore - Value: !GetAtt FrontendEC2EIP.PublicIp - Export: - Name: FrontendEIP - - AttackerEC2InstancePublicIP: - Value: !GetAtt AttackerEC2Instance.PublicIp - Description: Public IP address of AttackerEC2Instance diff --git a/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-root.yaml b/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-root.yaml deleted file mode 100644 index b04484c..0000000 --- a/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-root.yaml +++ /dev/null 
@@ -1,391 +0,0 @@ -AWSTemplateFormatVersion: "2010-09-09" - -Description: >- - Root Stack for Jam Challenge with VM-Series and AWS Gateway Load Balancer (GWLB)) - -# ====================================================================================================================== -# Parameters / Mappings -# ====================================================================================================================== - - -Parameters: -# KeyPair Parameter - KeyName: - Type: String - Description: Name of the KeyPair used for EC2 instances - ConstraintDescription: 'Must be the name of an existing EC2 KeyPair.' - Default: shiva-test-key-pair - -# Management Network CIDR - RemoteManagementCIDR: - Description: >- - Remote Management CIDR to be allowed management access to VM-Series Firewall (e.g. 192.168.0.0/25) - Type: String - Default: 0.0.0.0/0 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2}) - ConstraintDescription: Must be a valid CIDR (e.g. 0.0.0.0/0) - -# Security VPC CIDR IP Range - SecurityVPCCIDR: - Description: >- - CIDR Address Range for SecurityVPC (e.g. 10.0.0.0/24) - Type: String - Default: 10.0.0.0/24 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) - -# Frontend VPC CIDR IP Range - FrontendVPCCIDR: - Description: >- - CIDR Address Range for FrontendVPC (e.g. 10.1.0.0/16) - Type: String - Default: 10.1.0.0/16 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) - -# Frontend VPC Subnets - FrontendVPCSubnetPrivateCIDRAZ1: - Description: >- - CIDR for VM Subnet (e.g. 10.0.0.0/28) - Type: String - Default: 10.1.1.0/24 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) - - FrontendVPCSubnetPublicCIDRAZ1: - Description: >- - CIDR for TGW Subnet (e.g. 
10.0.0.0/28) - Type: String - Default: 10.1.2.0/24 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) - - FrontendVPCSubnetGwlbeCIDRAZ1: - Description: >- - CIDR for TGW Subnet (e.g. 10.0.0.0/28) - Type: String - Default: 10.1.3.0/24 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) - -# Data VPC CIDR IP Range - DataVPCCIDR: - Description: >- - CIDR Address Range for DataVPC (e.g. 10.2.0.0/16) - Type: String - Default: 10.2.0.0/16 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) - -# Data VPC Subnets - DataVPCSubnetPrivateCIDRAZ1: - Description: >- - CIDR for Data VM Subnet (e.g. 10.0.0.0/28) - Type: String - Default: 10.2.1.0/24 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) - - DataVPCSubnetPublicCIDRAZ1: - Description: >- - CIDR for TGW Subnet (e.g. 10.0.0.0/28) - Type: String - Default: 10.2.0.0/24 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) - - # AZ1 Subnets CIDRs - - SecurityVPCNATGWSubnetCIDRAZ1: - Description: >- - CIDR for NAT Gateway Subnet (e.g. 10.0.0.0/28) - Type: String - Default: 10.0.0.0/28 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) - - SecurityVPCGWLBESubnetCIDRAZ1: - Description: >- - CIDR for GWLBE Subnet (e.g. 10.0.0.16/28) - Type: String - Default: 10.0.0.16/28 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) - - SecurityVPCTGWSubnetCIDRAZ1: - Description: >- - CIDR for TGW Subnet (e.g. 
10.0.0.32/28) - Type: String - Default: 10.0.0.32/28 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) - - SecurityVPCVMSeriesDataSubnetCIDRAZ1: - Description: >- - CIDR for VMSeries Data Subnet (e.g. 10.0.0.48/28) - Type: String - Default: 10.0.0.48/28 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) - - SourceS3BucketName: - Description: >- - Source bucket with bootstrap content intended to be used for Jam Session / AWS Events platform. Objects here will be be copied to new bucket in appropriate bootstrap structure - Type: String - AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$|^$ - ConstraintDescription: Must be a valid S3 Bucket name or left blank for no Bootstrap. - Default: aws-jam-challenge-resources - - SourceS3BucketPath: - Type: String - Description: Name of the path in the S3 bucket where the bootstrap content is located. Should match the Jam Session ID - ConstraintDescription: 'Must match the Jam Session ID.' - Default: panw-vmseries-gwlb - - SecurityCftTemplateName: - Type: String - Description: Object name including file extension of CFN template in S3 bucket. Will be concatenated with SourceS3BucketName and SourceS3BucketPath - ConstraintDescription: 'CFN template file name only. Dont include bucket name or path' - Default: aws-panw-gwlb-cfn-security.yaml - - VmSeriesCftTemplateName: - Type: String - Description: Object name including file extension of CFN template in S3 bucket. Will be concatenated with SourceS3BucketName and SourceS3BucketPath - ConstraintDescription: 'CFN template file name only. Dont include bucket name or path' - Default: aws-panw-gwlb-cfn-vmseries.yaml - - FrontendCftTemplateName: - Type: String - Description: Object name including file extension of CFN template in S3 bucket. 
Will be concatenated with SourceS3BucketName and SourceS3BucketPath - ConstraintDescription: 'CFN template file name only. Dont include bucket name or path' - Default: aws-panw-gwlb-cfn-combined.yaml - - DataNamePrefix: - Type: String - Description: Prefix to be used for naming / tagging resources in Data VPC - ConstraintDescription: 'String for naming.' - Default: Beer Store Data - - FrontendNamePrefix: - Type: String - Description: Prefix to be used for naming / tagging resources in Frontend VPC - ConstraintDescription: 'String for naming.' - Default: Beer Store Frontend - -# Naming Prefix - SecurityNamePrefix: - Type: String - Description: Prefix to be used for naming / tagging resources - ConstraintDescription: 'String for naming.' - Default: Security - -# Naming Prefix - AttackerNamePrefix: - Type: String - Description: Prefix to be used for naming / tagging resources - ConstraintDescription: 'String for naming.' - Default: Sneaky Suds - -# Data VPC CIDR IP Range - AttackerVPCCIDR: - Description: >- - CIDR Address Range for AttackerVPC (e.g. 10.2.0.0/16) - Type: String - Default: 192.168.10.0/23 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/25) - -# Attacker VPC Subnets - AttackerVPCSubnetPrivateCIDRAZ1: - Description: >- - CIDR for Attacker VM Subnet (e.g. 10.0.0.0/28) - Type: String - Default: 192.168.10.0/24 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) - - AttackerVPCSubnetPublicCIDRAZ1: - Description: >- - CIDR for TGW Subnet (e.g. 10.0.0.0/28) - Type: String - Default: 192.168.11.0/24 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 
192.168.0.0/28) - - -# ====================================================================================================================== -# Metadata -# ====================================================================================================================== - -Metadata: - AWS::CloudFormation::Interface: - ParameterGroups: - - - Label: - default: "Shared Parameters" - Parameters: - - KeyName - - SourceS3BucketName - - SourceS3BucketPath - - - Label: - default: "Security VPC Parameters" - Parameters: - - SecurityVPCCIDR - - SecurityVPCNATGWSubnetCIDRAZ1 - - SecurityVPCGWLBESubnetCIDRAZ1 - - SecurityVPCTGWSubnetCIDRAZ1 - - SecurityVPCVMSeriesDataSubnetCIDRAZ1 - - RemoteManagementCIDR - - VMSeriesInstanceType - - SecurityCftTemplateName - - SecurityNamePrefix - - - Label: - default: "Combined VPC Parameters" - Parameters: - - FrontendVPCCIDR - - FrontendVPCSubnetPrivateCIDRAZ1 - - FrontendVPCSubnetPublicCIDRAZ1 - - FrontendVPCSubnetGwlbeCIDRAZ1 - - FrontendCftTemplateName - - FrontendNamePrefix - - DataVPCCIDR - - DataVPCSubnetPrivateCIDRAZ1 - - DataVPCSubnetPublicCIDRAZ1 - - DataCftTemplateName - - DataNamePrefix - - AttackerVPCCIDR - - AttackerVPCSubnetPrivateCIDRAZ1 - - AttackerVPCSubnetPublicCIDRAZ1 - - AttackerCftTemplateName - - AttackerNamePrefix - - ParameterLabels: - SecurityVPCCIDR: - default: "IP CIDR for the Security VPC" - SecurityVPCNATGWSubnetCIDRAZ1: - default: "IP CIDR for NAT GW Subnet in AZ1" - SecurityVPCGWLBESubnetCIDRAZ1: - default: "IP CIDR for GWLB Endpoint in AZ1" - SecurityVPCTGWSubnetCIDRAZ1: - default: "IP CIDR for TGW Attachment in AZ1" - SecurityVPCVMSeriesDataSubnetCIDRAZ1: - default: "IP CIDR for VM-Series Data Plane Interface in AZ1" - VMSeriesInstanceType: - default: "EC2 Instance Type for VM-Series" - RemoteManagementCIDR: - default: "IP CIDR for Allowed Remote Management of the VM-Series" - FrontendVPCCIDR: - default: "IP CIDR for the Frontend VPC" - FrontendVPCSubnetPrivateCIDRAZ1: - default: "IP CIDR for Private 
Subnet in AZ1" - FrontendVPCSubnetPublicCIDRAZ1: - default: "IP CIDR for Public Subnet in AZ1" - FrontendVPCSubnetGwlbeCIDRAZ1: - default: "IP CIDR for GWLB Endpoint Subnet in AZ1" - DataVPCCIDR: - default: "IP CIDR for the Data VPC" - DataVPCSubnetPrivateCIDRAZ1: - default: "IP CIDR for Data Private Subnet in AZ1" - DataVPCSubnetPublicCIDRAZ1: - default: "IP CIDR for Data Public Subnet in AZ1" - SecurityCftTemplateName: - default: "Name of CFN template for Security VPC in S3" - FrontendCftTemplateName: - default: "Name of CFN template for Frontend VPC in S3" - FrontendNamePrefix: - default: "Prefix to be used in naming resrouces in Data / DB VPC" - DataCftTemplateName: - default: "Name of CFN template for Data VPC in S3" - DataNamePrefix: - default: "Prefix to be used in naming resrouces in Data / DB VPC" - SecurityNamePrefix: - default: "Prefix to be used in naming resrouces in Security VPC" - AttackerNamePrefix: - default: "Prefix to be used in naming resrouces in Attacker VPC" - AttackerVPCCIDR: - default: "IP CIDR for the Attacker VPC" - AttackerVPCSubnetPrivateCIDRAZ1: - default: "IP CIDR for Attacker Private Subnet in AZ1" - AttackerVPCSubnetPublicCIDRAZ1: - default: "IP CIDR for Attacker Public Subnet in AZ1" - -# ====================================================================================================================== -# Resources -# ====================================================================================================================== - -Resources: - - SecurityStack: - Type: AWS::CloudFormation::Stack - DeletionPolicy: Delete - UpdateReplacePolicy: Delete - Properties: - TemplateURL: !Sub 'https://${SourceS3BucketName}.s3.amazonaws.com/${SourceS3BucketPath}/${SecurityCftTemplateName}' - Parameters: - KeyName: !Ref KeyName - RemoteManagementCIDR: !Ref RemoteManagementCIDR - SecurityVPCCIDR: !Ref SecurityVPCCIDR - SecurityVPCNATGWSubnetCIDRAZ1: !Ref SecurityVPCNATGWSubnetCIDRAZ1 - SecurityVPCGWLBESubnetCIDRAZ1: !Ref 
SecurityVPCGWLBESubnetCIDRAZ1 - SecurityVPCTGWSubnetCIDRAZ1: !Ref SecurityVPCTGWSubnetCIDRAZ1 - SecurityVPCVMSeriesDataSubnetCIDRAZ1: !Ref SecurityVPCVMSeriesDataSubnetCIDRAZ1 - SourceS3BucketName: !Ref SourceS3BucketName - SourceS3BucketPath: !Ref SourceS3BucketPath - SecurityNamePrefix: !Ref SecurityNamePrefix - - VmSeriesStack: - Type: AWS::CloudFormation::Stack - DeletionPolicy: Delete - UpdateReplacePolicy: Delete - DependsOn: - - SecurityStack - - CombinedStack - Properties: - TemplateURL: !Sub 'https://${SourceS3BucketName}.s3.amazonaws.com/${SourceS3BucketPath}/${VmSeriesCftTemplateName}' - Parameters: - KeyName: !Ref KeyName - RemoteManagementCIDR: !Ref RemoteManagementCIDR - SourceS3BucketName: !Ref SourceS3BucketName - SourceS3BucketPath: !Ref SourceS3BucketPath - SecurityNamePrefix: !Ref SecurityNamePrefix - - CombinedStack: - Type: AWS::CloudFormation::Stack - DeletionPolicy: Delete - UpdateReplacePolicy: Delete - DependsOn: - - SecurityStack - Properties: - TemplateURL: !Sub 'https://${SourceS3BucketName}.s3.amazonaws.com/${SourceS3BucketPath}/${FrontendCftTemplateName}' - Parameters: - KeyName: !Ref KeyName - RemoteManagementCIDR: !Ref RemoteManagementCIDR - FrontendVPCCIDR: !Ref FrontendVPCCIDR - FrontendVPCSubnetPrivateCIDRAZ1: !Ref FrontendVPCSubnetPrivateCIDRAZ1 - FrontendVPCSubnetPublicCIDRAZ1: !Ref FrontendVPCSubnetPublicCIDRAZ1 - FrontendVPCSubnetGwlbeCIDRAZ1: !Ref FrontendVPCSubnetGwlbeCIDRAZ1 - FrontendNamePrefix: !Ref FrontendNamePrefix - DataVPCCIDR: !Ref DataVPCCIDR # Before data stack - DataVPCSubnetPrivateCIDRAZ1: !Ref DataVPCSubnetPrivateCIDRAZ1 # Before data stack - DataVPCSubnetPublicCIDRAZ1: !Ref DataVPCSubnetPublicCIDRAZ1 # Before data stack - DataNamePrefix: !Ref DataNamePrefix # Before data stack - AttackerVPCCIDR: !Ref AttackerVPCCIDR # Before attacker stack - AttackerVPCSubnetPrivateCIDRAZ1: !Ref AttackerVPCSubnetPrivateCIDRAZ1 # Before attacker stack - AttackerVPCSubnetPublicCIDRAZ1: !Ref AttackerVPCSubnetPublicCIDRAZ1 # 
Before attacker stack - AttackerNamePrefix: !Ref AttackerNamePrefix # Before attacker stack - - - - - -# ====================================================================================================================== -# Outputs -# ====================================================================================================================== - -Outputs: - - KeyName: - Description: The SSH KeyPair Name - Value: !Ref KeyName diff --git a/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-security.yaml b/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-security.yaml deleted file mode 100644 index 8a8454b..0000000 --- a/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-security.yaml +++ /dev/null 
@@ -1,706 +0,0 @@ -AWSTemplateFormatVersion: "2010-09-09" - -Description: >- - Shared Infrastructure and Security VPC with Gateway Load Balancer. VM-Series resources moved to separate stack due to circular dependency with bootstrap using GWLB endpoints from spokes - -# ====================================================================================================================== -# Parameters / Maapings -# ====================================================================================================================== - -# Updated to 11.0.2-h1 Custom AMIs -Mappings: - PANFWRegionMap: - eu-north-1: - AMI: ami-04527e8b09f7eb406 - eu-west-1: - AMI: ami-0a44de9db9dd95a6c - us-east-1: - AMI: ami-06899917ae226f293 - us-east-2: - AMI: ami-0fd909759c03f961d - us-west-1: - AMI: ami-09dd60214faaafc71 - us-west-2: - AMI: ami-04d4a07840a04301c - -Parameters: -# KeyPair Parameter - KeyName: - Type: String - Description: Name of the KeyPair used for EC2 instances - ConstraintDescription: 'Must be the name of an existing EC2 KeyPair.' - Default: lab-key-pair - -# Naming Prefix - SecurityNamePrefix: - Type: String - Description: Prefix to be used for naming / tagging resources - ConstraintDescription: 'String for naming.' - Default: Security - -# Management Network CIDR - RemoteManagementCIDR: - Description: >- - Remote Management CIDR to be allowed management access to VM-Series Firewall (e.g. 192.168.0.0/25) - Type: String - Default: 0.0.0.0/0 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2}) - ConstraintDescription: Must be a valid CIDR (e.g. 0.0.0.0/0) - -# Security VPC CIDR IP Range - SecurityVPCCIDR: - Description: >- - CIDR Address Range for SecurityVPC (e.g. 10.0.0.0/24) - Type: String - Default: 10.0.0.0/24 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 
192.168.0.0/25) - - # AZ1 Subnets CIDRs - - SecurityVPCNATGWSubnetCIDRAZ1: - Description: >- - CIDR for NAT Gateway Subnet (e.g. 10.0.0.0/28) - Type: String - Default: 10.0.0.0/28 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) - - SecurityVPCGWLBESubnetCIDRAZ1: - Description: >- - CIDR for GWLBE Subnet (e.g. 10.0.0.16/28) - Type: String - Default: 10.0.0.16/28 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) - - SecurityVPCTGWSubnetCIDRAZ1: - Description: >- - CIDR for TGW Subnet (e.g. 10.0.0.32/28) - Type: String - Default: 10.0.0.32/28 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) - - SecurityVPCVMSeriesDataSubnetCIDRAZ1: - Description: >- - CIDR for VMSeries Data Subnet (e.g. 10.0.0.48/28) - Type: String - Default: 10.0.0.48/28 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) - ConstraintDescription: Must be in a CIDR (e.g. 192.168.0.0/28) - - SourceS3BucketName: - Description: >- - Source bucket with bootstrap content intended to be used for Jam Session / AWS Events platform. Objects here will be be copied to new bucket in appropriate bootstrap structure - Type: String - AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$|^$ - ConstraintDescription: Must be a valid S3 Bucket name or left blank for no Bootstrap. - Default: __source_s3_bucket_name__ - - SourceS3BucketPath: - Type: String - Description: Name of the path in the S3 bucket where the bootstrap content is located. Should match the Jam Session ID - ConstraintDescription: 'Must match the Jam Session ID.' 
- Default: panw-vmseries-gwlb - -# ====================================================================================================================== -# Metadata -# ====================================================================================================================== - -Metadata: - AWS::CloudFormation::Interface: - ParameterGroups: - - - Label: - default: "Security VPC" - Parameters: - - SecurityVPCCIDR - - SecurityVPCNATGWSubnetCIDRAZ1 - - SecurityVPCGWLBESubnetCIDRAZ1 - - SecurityVPCTGWSubnetCIDRAZ1 - - SecurityVPCVMSeriesDataSubnetCIDRAZ1 - - SecurityNamePrefix - - - - Label: - default: "VM-Series Deployment" - Parameters: - - VMSeriesAMI - - VMSeriesInstanceType - - KeyName - - SourceS3BucketName - - SourceS3BucketPath - - - - Label: - default: "Other Parameters" - Parameters: - - RemoteManagementCIDR - - ParameterLabels: - SecurityVPCCIDR: - default: "IP CIDR for the Security VPC" - SecurityVPCNATGWSubnetCIDRAZ1: - default: "IP CIDR for NAT GW Subnet in AZ1" - SecurityVPCGWLBESubnetCIDRAZ1: - default: "IP CIDR for GWLB Endpoint in AZ1" - SecurityVPCTGWSubnetCIDRAZ1: - default: "IP CIDR for TGW Attachment in AZ1" - SecurityVPCVMSeriesDataSubnetCIDRAZ1: - default: "IP CIDR for VM-Series Data Plane Interface in AZ1" - VMSeriesAMI: - default: "AMI ID of VM-Series" - VMSeriesInstanceType: - default: "EC2 Instance Type for VM-Series" - RemoteManagementCIDR: - default: "IP CIDR for Allowed Remote Management of the VM-Series" - SecurityNamePrefix: - default: "Prefix to be used in naming resrouces in Security VPC" - -# ====================================================================================================================== -# Resources -# ====================================================================================================================== - -Resources: - -# ---------------------------------------------------------------------------------------------------------------------- -# Transit Gateway and Attachment to Security 
VPC -# ---------------------------------------------------------------------------------------------------------------------- - -## TODO add defaults associations for spokes (circular dependency, needs lambda) - TransitGateway: - Type: AWS::EC2::TransitGateway - Properties: - Description: Transit Gateway for VPC connectivity - DefaultRouteTableAssociation: disable - DefaultRouteTablePropagation: disable - Tags: - - Key: Name - Value: Transit Gateway - - TGWSpokeRouteTable: - Type: AWS::EC2::TransitGatewayRouteTable - Properties: - Tags: - - Key: Name - Value: Spoke TGW Route Table - TransitGatewayId: !Ref TransitGateway - - TGWSecurityRouteTable: - Type: AWS::EC2::TransitGatewayRouteTable - Properties: - Tags: - - Key: Name - Value: Security TGW Route Table - TransitGatewayId: !Ref TransitGateway - - TGWSecurityAttachment: - Type: AWS::EC2::TransitGatewayAttachment - Properties: - VpcId: !Ref SecurityVPC - SubnetIds: [!Ref TGWSubnetAZ1] - TransitGatewayId: !Ref TransitGateway - Tags: - - Key: Name - Value: !Sub "${SecurityNamePrefix} VPC Attachment" - - TGWSecurityAttachmentAssociation: - Type: AWS::EC2::TransitGatewayRouteTableAssociation - Properties: - TransitGatewayAttachmentId: !Ref TGWSecurityAttachment - TransitGatewayRouteTableId: !Ref TGWSecurityRouteTable - - TGWSpokeRouteTableDefaultRoute: - Type: AWS::EC2::TransitGatewayRoute - Properties: - DestinationCidrBlock: 0.0.0.0/0 - TransitGatewayAttachmentId: !Ref TGWSecurityAttachment - TransitGatewayRouteTableId: !Ref TGWSpokeRouteTable - - -# ---------------------------------------------------------------------------------------------------------------------- -# VPC, IGW, and IGW Attachment -# ---------------------------------------------------------------------------------------------------------------------- - - SecurityVPC: - Type: AWS::EC2::VPC - Properties: - CidrBlock: !Ref SecurityVPCCIDR - EnableDnsSupport: true - EnableDnsHostnames: true - Tags: - - Key: Name - Value: !Sub "${SecurityNamePrefix} 
VPC" - - SecurityIGW: - Type: AWS::EC2::InternetGateway - Properties: - Tags: - - Key: Name - Value: !Sub "${SecurityNamePrefix} IGW" - - SecurityIGWAttachment: - Type: AWS::EC2::VPCGatewayAttachment - Properties: - InternetGatewayId: !Ref SecurityIGW - VpcId: !Ref SecurityVPC - - -#----------------------------------------------------------------------------------------------------------------------- -# Subnets -#----------------------------------------------------------------------------------------------------------------------- - - -#Security - NATGWSubnetAZ1: - Type: AWS::EC2::Subnet - Properties: - VpcId: !Ref SecurityVPC - CidrBlock: !Ref SecurityVPCNATGWSubnetCIDRAZ1 - AvailabilityZone: !Select [ 0, !GetAZs '' ] - Tags: - - Key: Name - Value: !Sub "${SecurityNamePrefix} Public" - - TGWSubnetAZ1: - Type: AWS::EC2::Subnet - Properties: - VpcId: !Ref SecurityVPC - CidrBlock: !Ref SecurityVPCTGWSubnetCIDRAZ1 - AvailabilityZone: !Select [ 0, !GetAZs '' ] - Tags: - - Key: Name - Value: !Sub "${SecurityNamePrefix} TGW Attach" - - GWLBESubnetAZ1: - Type: AWS::EC2::Subnet - Properties: - VpcId: !Ref SecurityVPC - CidrBlock: !Ref SecurityVPCGWLBESubnetCIDRAZ1 - AvailabilityZone: !Select [ 0, !GetAZs '' ] - Tags: - - Key: Name - Value: !Sub "${SecurityNamePrefix} GWLB Endpoint" - - VMSeriesDataSubnetAZ1: - Type: AWS::EC2::Subnet - Properties: - VpcId: !Ref SecurityVPC - CidrBlock: !Ref SecurityVPCVMSeriesDataSubnetCIDRAZ1 - AvailabilityZone: !Select [ 0, !GetAZs '' ] - Tags: - - Key: Name - Value: !Sub "${SecurityNamePrefix} Firewall Data" - -# ---------------------------------------------------------------------------------------------------------------------- -# Route Tables - SecurityVPC - GWLBE -# ---------------------------------------------------------------------------------------------------------------------- - - GWLBERouteTableAZ1: - Type: AWS::EC2::RouteTable - Properties: - VpcId: !Ref SecurityVPC - Tags: - - Key : Name - Value: !Sub "${SecurityNamePrefix} 
GWLB Endpoint" - - # GWLBEDefaultRouteAZ1: - # Type: AWS::EC2::Route - # Properties: - # RouteTableId: !Ref GWLBERouteTableAZ1 - # DestinationCidrBlock: 0.0.0.0/0 - # NatGatewayId: !Ref SecurityIGW - - GWLBERouteTableAssociationAZ1: - Type: AWS::EC2::SubnetRouteTableAssociation - Properties: - RouteTableId: !Ref GWLBERouteTableAZ1 - SubnetId: !Ref GWLBESubnetAZ1 - - GWLBEClassARouteAZ1: - Type: AWS::EC2::Route - Properties: - RouteTableId: !Ref GWLBERouteTableAZ1 - DestinationCidrBlock: 10.0.0.0/8 - TransitGatewayId: !Ref TransitGateway - DependsOn: TGWSecurityAttachment - -# ---------------------------------------------------------------------------------------------------------------------- -# Route Tables - SecurityVPC - Nat Gateway -# ---------------------------------------------------------------------------------------------------------------------- - - NATGWRouteTableAZ1: - Type: AWS::EC2::RouteTable - Properties: - VpcId: !Ref SecurityVPC - Tags: - - Key : Name - Value: !Sub "${SecurityNamePrefix} Public" - - NATGWDefaultRouteAZ1: - Type: AWS::EC2::Route - DependsOn: SecurityIGWAttachment - Properties: - RouteTableId: !Ref NATGWRouteTableAZ1 - DestinationCidrBlock: 0.0.0.0/0 - GatewayId: !Ref SecurityIGW - - NATGWClassARouteAZ1: - Type: AWS::EC2::Route - Properties: - RouteTableId: !Ref NATGWRouteTableAZ1 - DestinationCidrBlock: 10.0.0.0/8 - VpcEndpointId: !Ref GWLBEAZ1 - - NATGWRouteTableAssociationAZ1: - Type: AWS::EC2::SubnetRouteTableAssociation - Properties: - RouteTableId: !Ref NATGWRouteTableAZ1 - SubnetId: !Ref NATGWSubnetAZ1 - -# ---------------------------------------------------------------------------------------------------------------------- -# Route Table - SecurityVPC - TGW -# ---------------------------------------------------------------------------------------------------------------------- - - TGWRouteTableAZ1: - Type: AWS::EC2::RouteTable - Properties: - VpcId: !Ref SecurityVPC - Tags: - - Key : Name - Value: !Sub "${SecurityNamePrefix} 
TGW Attach" - - TGWDefaultRouteAZ1: - Type: AWS::EC2::Route - Properties: - RouteTableId: !Ref TGWRouteTableAZ1 - DestinationCidrBlock: 0.0.0.0/0 - VpcEndpointId: !Ref GWLBEAZ1 - - TGWRouteTableAssociationAZ1: - Type: AWS::EC2::SubnetRouteTableAssociation - Properties: - RouteTableId: !Ref TGWRouteTableAZ1 - SubnetId: !Ref TGWSubnetAZ1 - -# ---------------------------------------------------------------------------------------------------------------------- -# SecurityVPC - NAT Gateways with EIPs -# ---------------------------------------------------------------------------------------------------------------------- - - # NATGWEIPAZ1: - # Type: AWS::EC2::EIP - # DependsOn: SecurityIGWAttachment - # Properties: - # Domain: vpc - # Tags: - # - Key: Name - # Value: !Sub "${SecurityNamePrefix} NAT GW" - - # NATGWAZ1: - # Type: AWS::EC2::NatGateway - # Properties: - # SubnetId: !Ref NATGWSubnetAZ1 - # AllocationId: !GetAtt NATGWEIPAZ1.AllocationId - # Tags: - # - Key: Name - # Value: !Sub "${SecurityNamePrefix} NAT GW" - -# ---------------------------------------------------------------------------------------------------------------------- -# Route Table - SecurityVPC - Data -# ---------------------------------------------------------------------------------------------------------------------- - - VMSeriesDataRouteTableAZ1: - Type: AWS::EC2::RouteTable - Properties: - VpcId: !Ref SecurityVPC - Tags: - - Key : Name - Value: !Sub "${SecurityNamePrefix} Firewall Data" - - VMSeriesDataRouteTableAssociationAZ1: - Type: AWS::EC2::SubnetRouteTableAssociation - Properties: - RouteTableId: !Ref VMSeriesDataRouteTableAZ1 - SubnetId: !Ref VMSeriesDataSubnetAZ1 - -# ---------------------------------------------------------------------------------------------------------------------- -# Gateway Load Balancer -# ---------------------------------------------------------------------------------------------------------------------- - - GWLB: - Type: 
AWS::ElasticLoadBalancingV2::LoadBalancer - Properties: - Name: VMSeries-Gateway-Load-Balancer - Type: gateway - Subnets: [!Ref VMSeriesDataSubnetAZ1] - LoadBalancerAttributes: - - Key: load_balancing.cross_zone.enabled - Value: true - Tags: - - Key: Name - Value: !Sub "${SecurityNamePrefix} Gateway Load Balancer" - - # ---------------------------------------------------------------------------------------------------------------------- - # Gateway Load Balancer - VPC Endpoint Service - # ---------------------------------------------------------------------------------------------------------------------- - - GWLBEService: - Type: AWS::EC2::VPCEndpointService - Properties: - GatewayLoadBalancerArns: - - !Ref GWLB - AcceptanceRequired: false - - DescribeGWLBEServiceLambdaExecutionRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Action: - - sts:AssumeRole - Path: / - Policies: - - PolicyName: root - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: - - logs:CreateLogGroup - - logs:CreateLogStream - - logs:PutLogEvents - Resource: arn:aws:logs:*:*:* - - Effect: Allow - Action: - - ec2:DescribeVpcEndpointServiceConfigurations - - ec2:DescribeVpcEndpointServicePermissions - - ec2:DescribeVpcEndpointServices - Resource: "*" - - DescribeGWLBEService: - Type: AWS::Lambda::Function - Properties: - Handler: "index.handler" - Role: !GetAtt - - DescribeGWLBEServiceLambdaExecutionRole - - Arn - Code: - ZipFile: | - import boto3 - import cfnresponse - import json - import logging - import time - def handler(event, context): - logger = logging.getLogger() - logger.setLevel(logging.INFO) - responseData = {} - responseStatus = cfnresponse.FAILED - logger.info('Received event: {}'.format(json.dumps(event))) - - if event["RequestType"] == "Delete": - responseStatus = cfnresponse.SUCCESS - cfnresponse.send(event, context, 
responseStatus, responseData) - - if event["RequestType"] == "Create": - try: - VpceServiceId = event["ResourceProperties"]["Input"] - except Exception as e: - logger.info('VPC Endpoint Service Id retrieval failure: {}'.format(e)) - return - - try: - ec2 = boto3.client('ec2') - except Exception as e: - logger.info('boto3.client failure: {}'.format(e)) - return - - start_time = time.time() - elapsed_time = 0 - - while elapsed_time < 890: # Check every minute for up to 10 minutes, default 570 - try: - response = ec2.describe_vpc_endpoint_service_configurations( - Filters=[ - { - 'Name': 'service-id', - 'Values': [VpceServiceId] - } - ] - ) - except Exception as e: - logger.info('ec2.describe_vpc_endpoint_service_configurations failure: {}'.format(e)) - time.sleep(10) # Sleep for one minute before retrying - elapsed_time = time.time() - start_time - continue - - ServiceName = response['ServiceConfigurations'][0]['ServiceName'] - logger.info('service name: {}'.format(ServiceName)) - responseData['Data'] = ServiceName - responseStatus = cfnresponse.SUCCESS - cfnresponse.send(event, context, responseStatus, responseData) - return - - # If we reach this point, it means 10 minutes have passed without success - logger.info('Timed out after 10 minutes') - responseStatus = cfnresponse.FAILED - responseData['Error'] = 'Timed out after 10 minutes' - cfnresponse.send(event, context, responseStatus, responseData) - Runtime: python3.12 - Timeout: 900 #default 900 line 526 =570 before - - GWLBESerivceName: - Type: Custom::DescribeVpcEndpointServiceConfigurations - Properties: - ServiceToken: !GetAtt DescribeGWLBEService.Arn - Input: !Ref GWLBEService - -# ---------------------------------------------------------------------------------------------------------------------- -# Security VPC - Gateway Load Balancer Endpoint -# ---------------------------------------------------------------------------------------------------------------------- - - GWLBEAZ1: - Type: 
AWS::EC2::VPCEndpoint - Properties: - VpcId: !Ref SecurityVPC - ServiceName: !GetAtt GWLBESerivceName.Data - VpcEndpointType: GatewayLoadBalancer - SubnetIds: [ !Ref GWLBESubnetAZ1 ] - -# ---------------------------------------------------------------------------------------------------------------------- -# Security VPC - Management & Data Security Group -# ---------------------------------------------------------------------------------------------------------------------- - - VMSeriesManagementSecurityGroup: - Type: AWS::EC2::SecurityGroup - Properties: - VpcId: !Ref SecurityVPC - GroupName: !Sub "${SecurityNamePrefix}-VM-Series-Management" - GroupDescription: VM-Series Management Security Group - SecurityGroupIngress: - - CidrIp: !Ref RemoteManagementCIDR - FromPort: 22 - ToPort: 22 - IpProtocol: tcp - - CidrIp: !Ref RemoteManagementCIDR - FromPort: 443 - ToPort: 443 - IpProtocol: tcp - Tags: - - Key: Name - Value: !Sub "${SecurityNamePrefix} VM-Series Management" - - VMSeriesDataSecurityGroup: - Type: AWS::EC2::SecurityGroup - Properties: - VpcId: !Ref SecurityVPC - GroupName: !Sub "${SecurityNamePrefix}-VM-Series-Data" - GroupDescription: VM-Series GWLB Management Security Group - SecurityGroupIngress: - - IpProtocol: udp - FromPort: 6081 - ToPort: 6081 - CidrIp: !Ref SecurityVPCVMSeriesDataSubnetCIDRAZ1 - SecurityGroupEgress: - - IpProtocol: '-1' # All protocols - CidrIp: 0.0.0.0/0 # All IPs - Tags: - - Key: Name - Value: !Sub "${SecurityNamePrefix} VM-Series Data" - - VMSeriesPublicSecurityGroup: - Type: AWS::EC2::SecurityGroup - Properties: - VpcId: !Ref SecurityVPC - GroupName: !Sub "${SecurityNamePrefix} VM-Series Public" - GroupDescription: VM-Series GWLB Data Security Group - SecurityGroupIngress: [] - SecurityGroupEgress: - - IpProtocol: '-1' # All protocols - CidrIp: '0.0.0.0/0' # All IPs - Tags: - - Key: Name - Value: !Sub "${SecurityNamePrefix} VM-Series Public" - - -# 
====================================================================================================================== -# Outputs -# ====================================================================================================================== - -Outputs: - - GWLBServiceId: - Description: GWLB Service ID for use for additional GWLB Endpoints - Value: !GetAtt GWLBESerivceName.Data - Export: - Name: GWLBServiceId - - KeyName: - Description: The SSH KeyPair Name - Value: !Ref KeyName - - TgwId: - Description: The ID of the Transit Gateway - Value: !Ref TransitGateway - Export: - Name: TgwId - - TgwSpokeRouteTableId: - Description: The ID of the Spoke Transit Gateway Route Table - Value: !Ref TGWSpokeRouteTable - Export: - Name: TgwSpokeRouteTableId - - TgwSecurityRouteTableId: - Description: The ID of the Security Transit Gateway Route Table - Value: !Ref TGWSecurityRouteTable - Export: - Name: TgwSecurityRouteTableId - - SecurityVPC: - Description: The ID of the Security VPC - Value: !Ref SecurityVPC - Export: - Name: SecurityVPC - - GWLB: - Description: The ID of the GWLB - Value: !Ref GWLB - Export: - Name: GWLB - - VMSeriesManagementSecurityGroup: - Description: The ID of the VMSeriesManagementSecurityGroup - Value: !Ref VMSeriesManagementSecurityGroup - Export: - Name: VMSeriesManagementSecurityGroup - - NATGWSubnetAZ1: - Description: The ID of the NATGWSubnetAZ1 - Value: !Ref NATGWSubnetAZ1 - Export: - Name: NATGWSubnetAZ1 - - VMSeriesPublicSecurityGroup: - Description: The ID of the VMSeriesPublicSecurityGroup - Value: !Ref VMSeriesPublicSecurityGroup - Export: - Name: VMSeriesPublicSecurityGroup - - VMSeriesDataSecurityGroup: - Description: The ID of the VMSeriesDataSecurityGroup - Value: !Ref VMSeriesDataSecurityGroup - Export: - Name: VMSeriesDataSecurityGroup - - VMSeriesDataSubnetAZ1: - Description: The ID of the VMSeriesDataSubnetAZ1 - Value: !Ref VMSeriesDataSubnetAZ1 - Export: - Name: VMSeriesDataSubnetAZ1 
diff --git a/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-vmseries.yaml b/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-vmseries.yaml
deleted file mode 100644
index 5ec28bf..0000000
--- a/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-gwlb-cfn-vmseries.yaml
+++ /dev/null
@@ -1,451 +0,0 @@ -AWSTemplateFormatVersion: "2010-09-09" - -Description: >- - VM-Series Deployment Stack into existing VPC / GWLB. - -# ====================================================================================================================== -# Parameters / Maapings -# ====================================================================================================================== - -# Updated to 11.0.2-h1 Custom AMIs -Mappings: - PANFWRegionMap: - eu-north-1: - AMI: ami-04527e8b09f7eb406 - eu-west-1: - AMI: ami-0a44de9db9dd95a6c - us-east-1: - AMI: ami-06899917ae226f293 - us-east-2: - AMI: ami-0fd909759c03f961d - us-west-1: - AMI: ami-09dd60214faaafc71 - us-west-2: - AMI: ami-04d4a07840a04301c - -Parameters: -# KeyPair Parameter - KeyName: - Type: String - Description: Name of the KeyPair used for EC2 instances - ConstraintDescription: 'Must be the name of an existing EC2 KeyPair.' - Default: lab-key-pair - -# Naming Prefix - SecurityNamePrefix: - Type: String - Description: Prefix to be used for naming / tagging resources - ConstraintDescription: 'String for naming.' - Default: Security - -# Management Network CIDR - RemoteManagementCIDR: - Description: >- - Remote Management CIDR to be allowed management access to VM-Series Firewall (e.g. 192.168.0.0/25) - Type: String - Default: 0.0.0.0/0 - AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2}) - ConstraintDescription: Must be a valid CIDR (e.g. 0.0.0.0/0) - - SourceS3BucketName: - Description: >- - Source bucket with bootstrap content intended to be used for Jam Session / AWS Events platform. Objects here will be be copied to new bucket in appropriate bootstrap structure - Type: String - AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$|^$ - ConstraintDescription: Must be a valid S3 Bucket name or left blank for no Bootstrap. 
- Default: __source_s3_bucket_name__ - - SourceS3BucketPath: - Type: String - Description: Name of the path in the S3 bucket where the bootstrap content is located. Should match the Jam Session ID - ConstraintDescription: 'Must match the Jam Session ID.' - Default: panw-vmseries-gwlb - -# ====================================================================================================================== -# Metadata -# ====================================================================================================================== - -Metadata: - AWS::CloudFormation::Interface: - ParameterGroups: - - - Label: - default: "VM-Series Deployment" - Parameters: - - VMSeriesAMI - - VMSeriesInstanceType - - SecurityNamePrefix - - KeyName - - SourceS3BucketName - - SourceS3BucketPath - - RemoteManagementCIDR - - ParameterLabels: - VMSeriesAMI: - default: "AMI ID of VM-Series" - VMSeriesInstanceType: - default: "EC2 Instance Type for VM-Series" - RemoteManagementCIDR: - default: "IP CIDR for Allowed Remote Management of the VM-Series" - SecurityNamePrefix: - default: "Prefix to be used in naming resrouces in Security VPC" - -# ====================================================================================================================== -# Resources -# ====================================================================================================================== - -Resources: - -# ---------------------------------------------------------------------------------------------------------------------- -# Gateway Load Balancer Target Group -# ---------------------------------------------------------------------------------------------------------------------- - - GWLBTargetGroup: - Type: AWS::ElasticLoadBalancingV2::TargetGroup - Properties: - Name: !Sub "${SecurityNamePrefix}-VM-Series" - Port: 6081 - Protocol: GENEVE - HealthCheckPort: 80 - HealthCheckProtocol: TCP - TargetGroupAttributes: - - Key: deregistration_delay.timeout_seconds - Value: 20 - VpcId: 
!ImportValue SecurityVPC - - TargetType: instance - Targets: - - Id: !Ref VMSeriesInstanceAZ1 - Tags: - - Key: Name - Value: "GWLB VM-Series" - - GWLBListener: - Type: AWS::ElasticLoadBalancingV2::Listener - Properties: - DefaultActions: - - Type: forward - TargetGroupArn: !Ref GWLBTargetGroup - LoadBalancerArn: !ImportValue GWLB - -# ---------------------------------------------------------------------------------------------------------------------- -# VM-Series Bootstrap Resrouces -# ---------------------------------------------------------------------------------------------------------------------- - - BootstrapRole: - Type: 'AWS::IAM::Role' - Properties: - AssumeRolePolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Principal: - Service: ec2.amazonaws.com - Action: 'sts:AssumeRole' - Path: / - Policies: - - PolicyName: BootstrapRolePolicy - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: 's3:ListBucket' - Resource: !Join - - '' - - - 'arn:aws:s3:::' - - !Ref SampleS3Bucket - - Effect: Allow - Action: 's3:GetObject' - Resource: !Join - - '' - - - 'arn:aws:s3:::' - - !Ref SampleS3Bucket - - /* - BootstrapInstanceProfile: - Type: 'AWS::IAM::InstanceProfile' - Properties: - Path: / - Roles: - - !Ref BootstrapRole - AWSLambdaExecutionRole: - Type: 'AWS::IAM::Role' - Properties: - AssumeRolePolicyDocument: - Statement: - - Action: - - 'sts:AssumeRole' - Effect: Allow - Principal: - Service: - - lambda.amazonaws.com - Version: 2012-10-17 - Path: / - Policies: - - PolicyDocument: - Statement: - - Action: - - 'logs:CreateLogGroup' - - 'logs:CreateLogStream' - - 'logs:PutLogEvents' - Effect: Allow - Resource: 'arn:aws:logs:*:*:*' - Version: 2012-10-17 - PolicyName: !Sub '${AWS::Region}-AWSLambda-CW' - - PolicyDocument: - Statement: - - Action: - - 's3:PutObject' - - 's3:DeleteObject' - - 's3:List*' - Effect: Allow - Resource: - - !Sub 'arn:aws:s3:::${SampleS3Bucket}/*' - - !Sub 'arn:aws:s3:::${SampleS3Bucket}' - 
Version: 2012-10-17 - PolicyName: !Sub '${AWS::Region}-AWSLambda-S3' - - PolicyDocument: - Statement: - - Action: - - 's3:GetObject' - Effect: Allow - Resource: - - !Sub 'arn:aws:s3:::${SourceS3BucketName}/*' - Version: 2012-10-17 - PolicyName: !Sub '${AWS::Region}-AWSLambda-S3-Get' - RoleName: !Sub '${AWS::Region}-AWSLambdaExecutionRole' - SampleS3Bucket: - Type: 'AWS::S3::Bucket' - Properties: - BucketName: !Select - - '2' - - !Split - - / - - !Ref 'AWS::StackId' - - LambdaS3CustomResource: - Type: 'Custom::S3CustomResource' - DependsOn: AWSLambdaExecutionRole - Properties: - ServiceToken: !Ref AWSLambdaFunctionVersion - the_bucket: !Ref SampleS3Bucket - source_bucket: !Ref SourceS3BucketName - source_path: !Ref SourceS3BucketPath - FrontendGwlbeAz1: !ImportValue FrontendGwlbeAz1 - dirs_to_create: - - config - - content - - license - - software - - - AWSLambdaFunctionVersion: - Type: 'AWS::Lambda::Version' - Properties: - FunctionName: !Ref AWSLambdaFunction - - AWSLambdaFunction: - Type: 'AWS::Lambda::Function' - Properties: - Description: Create VM-Series bootstrap bucket from Jam source - FunctionName: !Sub '${AWS::Region}-lambda' - Handler: index.handler - Role: !GetAtt - - AWSLambdaExecutionRole - - Arn - Timeout: 360 - Runtime: python3.12 - Code: - ZipFile: | - import boto3 - import cfnresponse - import textwrap - - def handler(event, context): - # Init ... 
- the_event = event['RequestType'] - print("The event is: ", str(the_event)) - response_data = {} - s_3 = boto3.client('s3') - - # Retrieve parameters - the_bucket = event['ResourceProperties']['the_bucket'] - dirs_to_create = event['ResourceProperties']['dirs_to_create'] - source_bucket = event['ResourceProperties']['source_bucket'] - source_path = event['ResourceProperties']['source_path'] - frontend_gwlbe_az1 = event['ResourceProperties']['FrontendGwlbeAz1'] - - try: - if the_event in ('Create', 'Update'): - print("Requested folders: ", str(dirs_to_create)) - for dir_name in dirs_to_create: - print("Creating: ", str(dir_name)) - s_3.put_object(Bucket=the_bucket, - Key=(dir_name - + '/')) - s3_copy = boto3.resource('s3') - - # Create init-cfg.txt dynamically - init_cfg_content = textwrap.dedent(f"""\ - type=dhcp-client - hostname=BrewGuardian-NGFW - ip-address= - default-gateway= - netmask= - ipv6-default-gateway= - vm-auth-key= - panorama-server= - panorama-server-2= - tplname= - dgname= - dns-primary=8.8.8.8 - dns-secondary=8.8.4.4 - authcodes= - plugin-op-commands=aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable,aws-gwlb-associate-vpce:{frontend_gwlbe_az1}@ethernet1/1.1 - op-command-modes=jumbo-frame,mgmt-interface-swap - op-cmd-dpdk-pkt-io=on - dhcp-send-hostname=yes - dhcp-send-client-id=yes - dhcp-accept-server-hostname=no - dhcp-accept-server-domain=yes - """) - s_3.put_object(Body=init_cfg_content, Bucket=the_bucket, Key='config/init-cfg.txt') - - copy_source = { - 'Bucket': source_bucket, - 'Key': source_path + '/bootstrap.xml' - } - s3_copy.meta.client.copy(copy_source, str(the_bucket), 'config/bootstrap.xml') - copy_source = { - 'Bucket': source_bucket, - 'Key': source_path + '/authcodes' - } - s3_copy.meta.client.copy(copy_source, str(the_bucket), 'license/authcodes') - elif the_event == 'Delete': - print("Deleting S3 content...") - b_operator = boto3.resource('s3') - b_operator.Bucket(str(the_bucket)).objects.all().delete() - # Everything 
OK... send the signal back - print("Operation successful!") - cfnresponse.send(event, - context, - cfnresponse.SUCCESS, - response_data) - except Exception as e: - print("Operation failed...") - print(str(e)) - response_data['Data'] = str(e) - cfnresponse.send(event, - context, - cfnresponse.FAILED, - response_data) - -# ---------------------------------------------------------------------------------------------------------------------- -# VM-Series Deployment -# ---------------------------------------------------------------------------------------------------------------------- - - VMSeriesManagementENIAZ1: - Type: AWS::EC2::NetworkInterface - Properties: - Description: VM-Series Management - GroupSet: [ !ImportValue VMSeriesManagementSecurityGroup ] - SubnetId: !ImportValue NATGWSubnetAZ1 - Tags: - - Key: Name - Value: !Sub "${SecurityNamePrefix} VM-Series Management" - - VMSeriesManagementEIPAZ1: - Type: AWS::EC2::EIP - Properties: - Domain: vpc - Tags: - - Key: Name - Value: !Sub "${SecurityNamePrefix} VM-Series Management" - - VMSeriesManagementEIPAssociationAZ1: - Type: AWS::EC2::EIPAssociation - Properties: - AllocationId: !GetAtt VMSeriesManagementEIPAZ1.AllocationId - NetworkInterfaceId: !Ref VMSeriesManagementENIAZ1 - - VMSeriesPublicENIAZ1: - Type: AWS::EC2::NetworkInterface - Properties: - Description: VM-Series Public - GroupSet: [ !ImportValue VMSeriesPublicSecurityGroup ] - SubnetId: !ImportValue NATGWSubnetAZ1 - Tags: - - Key: Name - Value: !Sub "${SecurityNamePrefix} VM-Series Public" - - VMSeriesPublicEIPAZ1: - Type: AWS::EC2::EIP - Properties: - Domain: vpc - Tags: - - Key: Name - Value: !Sub "${SecurityNamePrefix} VM-Series Public" - - VMSeriesPublicEIPAssociationAZ1: - Type: AWS::EC2::EIPAssociation - Properties: - AllocationId: !GetAtt VMSeriesPublicEIPAZ1.AllocationId - NetworkInterfaceId: !Ref VMSeriesPublicENIAZ1 - - VMSeriesDataENIAZ1: - Type: AWS::EC2::NetworkInterface - Properties: - Description: VM-Series GWLB Data - AZ1 - 
SourceDestCheck: false - GroupSet: [ !ImportValue VMSeriesDataSecurityGroup ] - SubnetId: !ImportValue VMSeriesDataSubnetAZ1 - Tags: - - Key: Name - Value: !Sub "${SecurityNamePrefix} VM-Series Data" - VMSeriesInstanceAZ1: - Type: AWS::EC2::Instance - UpdateReplacePolicy: Delete - Properties: - DisableApiTermination: false - InstanceInitiatedShutdownBehavior: stop - EbsOptimized: true - ImageId: !FindInMap - - PANFWRegionMap - - !Ref 'AWS::Region' - - AMI - InstanceType: m5.large - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - VolumeType: gp2 - DeleteOnTermination: true - VolumeSize: 60 - Encrypted: true - KeyName: !Ref KeyName - Monitoring: false - Tags: - - Key: Name - Value: !Sub "${SecurityNamePrefix} VM-Series" - NetworkInterfaces: - - NetworkInterfaceId: !Ref VMSeriesManagementENIAZ1 - DeviceIndex: '1' - - NetworkInterfaceId: !Ref VMSeriesDataENIAZ1 - DeviceIndex: '0' - - NetworkInterfaceId: !Ref VMSeriesPublicENIAZ1 - DeviceIndex: '2' - IamInstanceProfile: !Ref BootstrapInstanceProfile - UserData: - Fn::Base64: - Fn::Join: - - ';' - - - "mgmt-interface-swap=enable" - - !Sub "vmseries-bootstrap-aws-s3bucket=${SampleS3Bucket}" - -# ====================================================================================================================== -# Outputs -# ====================================================================================================================== - -Outputs: - - KeyName: - Description: The SSH KeyPair Name - Value: !Ref KeyName diff --git a/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-vmseries-gwlb-team-iam-policy.json b/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-vmseries-gwlb-team-iam-policy.json deleted file mode 100644 index dc94325..0000000 --- a/aws-vmseries-with-gwlbe-CFT/cloudformationtemplates/aws-panw-vmseries-gwlb-team-iam-policy.json +++ /dev/null 
@@ -1,76 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": "ec2:Describe*",
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": "elasticloadbalancing:Describe*",
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "cloudwatch:ListMetrics",
- "cloudwatch:GetMetricStatistics",
- "cloudwatch:Describe*"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": "autoscaling:Describe*",
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DeleteTransitGatewayRoute",
- "ec2:DisableTransitGatewayRouteTablePropagation",
- "ec2:CreateRoute",
- "ec2:DeleteRoute",
- "ec2:EnableTransitGatewayRouteTablePropagation",
- "ec2:ReplaceTransitGatewayRoute",
- "ec2:ReplaceRoute"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:ExportTransitGatewayRoutes",
- "ec2:GetTransitGatewayRouteTablePropagations",
- "ec2:GetTransitGatewayAttachmentPropagations",
- "ec2:GetTransitGatewayPrefixListReferences",
- "ec2:GetTransitGatewayPolicyTableAssociations",
- "ec2:GetSubnetCidrReservations",
- "ec2:GetTransitGatewayMulticastDomainAssociations",
- "ec2:GetTransitGatewayRouteTableAssociations",
- "ec2:GetTransitGatewayPolicyTableEntries",
- "ec2:SearchTransitGatewayRoutes"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ssm:GetConnectionStatus",
- "ssm:ResumeSession",
- "ssm:TerminateSession",
- "ssm:StartSession"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ssm:DescribeInstanceInformation",
- "ssm:DescribeSessions"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/aws-vmseries-with-gwlbe-CFT/s3assets/authcodes b/aws-vmseries-with-gwlbe-CFT/s3assets/authcodes
deleted file mode 100644
index 692cff4..0000000
--- a/aws-vmseries-with-gwlbe-CFT/s3assets/authcodes
+++ /dev/null
@@ -1 +0,0 @@
-D6476548
diff --git a/aws-vmseries-with-gwlbe-CFT/s3assets/bootstrap.xml b/aws-vmseries-with-gwlbe-CFT/s3assets/bootstrap.xml
deleted file mode 100644
index ad6fa33..0000000
--- a/aws-vmseries-with-gwlbe-CFT/s3assets/bootstrap.xml
+++ /dev/null
@@ -1,1371 +0,0 @@ - - - - - - $5$orocpecl$7QCjNeKl9wHPVQditT9R5K9Dm1mWFDHgxG96EJiIbe3 - - - yes - - - 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 - - - - - - apiadmin - - - - $5$ufpyldiy$UseRElSc4.exQmd/Pf/vM7jckgnAdj6AgH9lrFAfff7 - - - - - - - - - - - - - yes - 5 - - - yes - 5 - - - yes - 5 - - - yes - 10 - - - yes - 5 - - - - yes - - - - 10 - 10 - - 100 - 50 - - - - 10 - 10 - - 100 - 50 - - - - - - 100 - yes - - - - - - - - - enable - - - - - - - - - c0542737 - c0542737 - Sep 19 22:02:47 2022 GMT - aws-jam-pan - Sep 19 22:02:47 2023 GMT - aws-jam-pan - 1695160967 - yes - aws-jam-pan - -----BEGIN CERTIFICATE----- -MIIC7zCCAdegAwIBAgIUJ80bMPtUHYNIJkYll2z6caWkgUUwDQYJKoZIhvcNAQEL -BQAwFjEUMBIGA1UEAwwLYXdzLWphbS1wYW4wHhcNMjIwOTE5MjIwMjQ3WhcNMjMw -OTE5MjIwMjQ3WjAWMRQwEgYDVQQDDAthd3MtamFtLXBhbjCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAO3xOHCBI/Osyc5fCzugD32Y+cv/hAeFdPIp5XCY -DPO51oKhfrhBmATnVk6TauN9D9KL2NugMPZZTl9gg+A2XHCsbY/1SZWOl2rd9R8c -1HzFjMWOowA475AH0voDKCM6WoF+BaSs3Yo/V1S4yEYCNk//6DQMq2J27tl58e7X -bKSwF7U1XzDSlZeTdo37suWS3r+19+WbSZ51awZOWWz4Sc3ESrGrEuVPMAc59jon -/bwLwDAbvra9ALrEHKaA2noL5T0OdETtEOxOkECpacvciQZAsQlG4EhN67+ts6fz -Z/OhE1inZsrC9+h1PCTAI6fmEebp3uC2pIO0c9Ug+G1XnDsCAwEAAaM1MDMwDAYD -VR0TBAUwAwEB/zALBgNVHQ8EBAMCAgQwFgYDVR0RBA8wDYILcGFuLWphbS1wYW4w -DQYJKoZIhvcNAQELBQADggEBADfxmLLV22oK1bjIFEVrGt9nAdSE3a6EHOfrI4t2 -QxHoPZXzIxEHbO200ioLqKotoZ21/exPv2v+z/6lX8ynqMwSEItQutVjQ6HH4t3/ -Hf7yva+tYfhkrjQSDEAK7N/Ne54F5Oq8rIwXyx8DQ/l7fQWXb9XUVk88o5bpblv9 -NRcGJU6r70Q0MD//9CcOQPihS6shQcsf9NHr3fb6AvLLdFufODhqdo7gYPYefBrV -lkMohz1P26eNZp9mDxrWRJ0sZJeCvw5YMo12cN+hb2ncjdzsYuDlccWk1ItITTRK -RzZTg6F3RhZMOMfm0Co59Zl4otcQYEJXOL9BlJrx8mot+xQ= ------END CERTIFICATE----- - - RSA - -AQ==8FHErBAt+yHUIudjfdHT0/93eNA=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 - - - 45e914f0 - 45e914f0 - Sep 19 22:14:43 2022 GMT - UNTRUST - Sep 19 22:14:43 2023 GMT - UNTRUST - 1695161683 - yes - UNTRUST - -----BEGIN CERTIFICATE----- 
-MIICzzCCAbegAwIBAgIUD2I/CdHONbnQiR8Lk9RC6ecwfeswDQYJKoZIhvcNAQEL -BQAwEjEQMA4GA1UEAwwHVU5UUlVTVDAeFw0yMjA5MTkyMjE0NDNaFw0yMzA5MTky -MjE0NDNaMBIxEDAOBgNVBAMMB1VOVFJVU1QwggEiMA0GCSqGSIb3DQEBAQUAA4IB -DwAwggEKAoIBAQDTrm1l2N2baQy0A2kH4N2pBhMQ5CE7+ZVdXioXSbUWiX4uAUyG -qCS3N3HW1PknTTR6fmJfGA9kyB5Owni44z+fP2aPhk/7HtvzgFH/WXFLJr82weqo -TLXp7PlmIJ+Q7z5vl/l1RUrfElfVbbjcVFyBFAYmnrmdvIvs+T+G0CSq1xuUz/9V -TSFvw6VPVQgdvaOnSKd9Ix2iTXtjEqIO8tSj9HhxBsfVlnjFQ0635MTx36MCMyb2 -Tar/XbkcIQ5Ap6J/9ZxUgYo4dkf7mQK/gla1vtujYMeKSUFTbj4XUPzykrx8u+iT -GySuZkzZ0MRVetz8ynfLN+10u4AfhFa0H6SHAgMBAAGjHTAbMAwGA1UdEwQFMAMB -Af8wCwYDVR0PBAQDAgIEMA0GCSqGSIb3DQEBCwUAA4IBAQDOTEbWER+bTcr+3CFN -5kUP446dXkNZWMPt2+TEtSF43zN4DlSqtAK7nj3HrD5n5DQjxNePjtt9TNK3y+4B -PPGrkg5DN1aFtbdE79gWh/RHeX1UO2CMG4rsYZFyIk0u+sY9JetLJtI6OY11cy7J -56Ry6PEVopEPPQ+YTEayPKxnFHJ07gBAaBcnhCpizLGyC1NvAZAX+iye3O+S0lSv -4j5m0zfzHYguRC92Ljzt1KuwPE9JnddflMq+2q6zUU9BLvTAuu6awm4eJE3fbWek -j/2KjM33Yzd/ff0qsfEMHmNrQaUZlf21MUDs291Xmrr0NUbjHqEzDQGyKxBU4aCv -Iwyg ------END CERTIFICATE----- - - RSA - -AQ==TnkwOp9ykV8BjzuoTTgjlA4wiJY=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 - - - - - aws-jam-pan - - - UNTRUST - - - - - - - - - - - - - no - - - no - - - - no - - - no - - - no - - - - - - - no - - - - - no - - - no - - - no - - 1 - - - - - - - - - yes - - - no - - - - no - - - no - - - no - - - - - - - - - 3 - 5 - wait-recover - - - - - - - - - aes-128-cbc - 3des - - - sha1 - - - group2 - - - 8 - - - - - aes-128-cbc - - - sha256 - - - group19 - - - 8 - - - - - aes-256-cbc - - - sha384 - - - group20 - - - 8 - - - - - - - - aes-128-cbc - 3des - - - sha1 - - - group2 - - 1 - - - - - - aes-128-gcm - - - none - - - group19 - - 1 - - - - - - aes-256-gcm - - - none - - - group20 - - 1 - - - - - - - aes-128-cbc - - - sha1 - - - - - - - - - - - - - real-time - - - high - - - high - - - medium - - - medium - - - low - - - low - - - low - - - - - - - - - - - - no - - - 1.25 - 0.5 - 900 - 300 - 900 - yes - - - - - yes - - - - - no - - - no - - - no - 
- - - ethernet1/1 - ethernet1/1.1 - ethernet1/2 - - - - - - - - - - - - 10.0.0.49 - - - None - - - no - any - 2 - - ethernet1/1 - 10 - 10.0.0.0/8 - - - - - - - no - any - 2 - - - 10.0.0.1 - - - None - - ethernet1/2 - 10 - 0.0.0.0/0 - - - - - - - - - - - - - 10.0.0.99 - 255.255.255.0 - updates.paloaltonetworks.com - - - - - 0 - download-and-install - - - - - US/Pacific - - yes - yes - - 10.0.0.1 - BrewGuardian-NGFW - - - 8.8.8.8 - 8.8.4.4 - - - - - yes - yes - no - yes - - - yes - - - - yes - - - FQDN - - 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 - - - yes - yes - no - yes - - - BrewGuardian-NGFW - 8.8.8.8 - 8.8.4.4 - jumbo-frame,mgmt-interface-swap - - - - - - - - - - - - - ethernet1/2 - - - - - - - ethernet1/1 - - - - - - - ethernet1/1.1 - - - - - - - - - 22 - - - - - - - 221 - - - - - - - 222 - - - - - - - - - - - - any - - - internal - - - Beer Store Data VPC - - - any - - - any - - - any - - - ping - - - application-default - - no - yes - allow - - any - - - any - - - - - external - - - internal - - - Beer Store Data VPC - - - any - - - any - - - any - - - web-browsing - - - application-default - - no - yes - deny - - any - - - any - - - - - Alert - - - alert - - - alert - - - - - - - internal - - - internal - - - Beer Store Frontend VPC - - - Beer Store Data VPC - - - any - - - any - - - ssh - - - any - - no - yes - deny - - any - - - any - - This rule is blocking SSH traffic because they don't need to talk over SSH - - - - Alert - - - alert - - - - - - - external - - - frontend - internal - - - any - - - any - - - any - - - any - - - any - - - any - - yes - yes - allow - - any - - - any - - - - - alert - - - Alert - - - - - - - frontend - - - frontend - - - any - - - any - - - any - - - any - - - any - - - any - - - any - - - any - - allow - - - - alert - - - - - - - internal - - - internal - - - any - - - any - - - any - - - any - - - any - - - any - - no - yes - allow - - - - alert - - - - - any - - - any - - - - - any - - - any - - - any - - - 
any - - - any - - - any - - - ping - - - application-default - - no - yes - allow - - any - - - any - - - - - any - - - any - - - any - - - any - - - any - - - any - - - any - - - any - - yes - yes - deny - - any - - - any - - - - - - - - - - - ethernet1/2 - - - - - external - - - internal - - - any - - - any - - any - ipv4 - - - - - - - allow - no - yes - - - deny - no - yes - - - - - - - - - - - any - - - service-https - - - internal - - - external - - - Beer Store Frontend VPC - - - any - - - any - - - any - - - any - - decrypt - yes - default - yes - - - - - - - - - - - - - - - any - - - critical - - - any - - any - client - any - disable - - - - - - - any - - - high - - - any - - any - client - any - disable - - - - - - - any - - - medium - - - any - - any - client - any - disable - - - - - - - any - - - critical - - - any - - any - server - any - disable - - - - - - - any - - - high - - - any - - any - server - any - disable - - - - - - - any - - - medium - - - any - - any - server - any - disable - - - - - - - - - - WW's profile - - - - - - - - - any - - - any - - - any - - any - any - any - disable - - - - - - - - yes - - - - - medium - - abortion - abused-drugs - adult - gambling - phishing - - - command-and-control - grayware - hacking - malware - questionable - ransomware - weapons - - - - abused-drugs - adult - command-and-control - cryptocurrency - gambling - grayware - hacking - high-risk - malware - medium-risk - newly-registered-domain - phishing - questionable - ransomware - real-time-detection - weapons - - - - - high-risk - medium-risk - newly-registered-domain - cryptocurrency - real-time-detection - artificial-intelligence - - yes - - adult - questionable - abused-drugs - hacking - gambling - weapons - malware - phishing - command-and-control - grayware - ransomware - scanning-activity - - - - - - - - - - - - critical - - any - any - disable - - - - - - - high - - any - any - disable - - - - - - - medium - - any - any - disable - - - - - - - 
low - - any - any - disable - - - - - - - - - disable - - - - - default - default - disable - - - default - default - disable - - - default - default - disable - - - default - default - disable - - - default - default - disable - - - default - default - disable - - - default - default - disable - - - default - default - disable - - - default - default - disable - - - - - - alert - - - alert - - - alert - - - alert - - - alert - - - - - -
- - 10.1.0.0/16 - - - 10.2.0.0/16 - - - 10.2.1.100 - -
- - - - ethernet1/1 - ethernet1/2 - ethernet1/1.1 - - - -
-
-
-
-
diff --git a/aws-vmseries-with-gwlbe-CFT/s3assets/init-cfg.txt b/aws-vmseries-with-gwlbe-CFT/s3assets/init-cfg.txt
deleted file mode 100644
index 9b1bd46..0000000
--- a/aws-vmseries-with-gwlbe-CFT/s3assets/init-cfg.txt
+++ /dev/null
@@ -1,20 +0,0 @@
-type=dhcp-client
-hostname=BrewGuardian-NGFW
-ip-address=
-default-gateway=
-netmask=
-ipv6-default-gateway=
-vm-auth-key=
-panorama-server=
-panorama-server-2=
-tplname=
-dgname=
-dns-primary=8.8.8.8
-dns-secondary=
-authcodes=
-op-command-modes=jumbo-frame,mgmt-interface-swap
-op-cmd-dpdk-pkt-io=on
-dhcp-send-hostname=yes
-dhcp-send-client-id=yes
-dhcp-accept-server-hostname=no
-dhcp-accept-server-domain=yes
diff --git a/aws-vmseries-with-gwlbe-CFT/sample/samplereadme1.md b/aws-vmseries-with-gwlbe-CFT/sample/samplereadme1.md
deleted file mode 100644
index 5194e01..0000000
--- a/aws-vmseries-with-gwlbe-CFT/sample/samplereadme1.md
+++ /dev/null
@@ -1,81 +0,0 @@
-The "Hop & Code" owners are convinced that our competitor “Sneaky Suds” is exfiltrating our secret recipes.
-
-Your Application development team found some very strange behaviour on the Beer Database Server and asked you to have a deeper look into it to figure out what's going on. After some investigations, you realized that no outbound traffic gets analyzed by the Palo Alto Networks Firewall. That's something that we have to fix.
-
-You started the journey by conducting a comprehensive audit of the existing AWS infrastructure. With a discerning eye, you created a detailed diagram of the AWS environment. You mapped out the route tables of every VPC and the Transit Gateway.
-
-

Full Starting Diagram with Route Tables

-
-
-
-## Task
-
-**Redirect all outbound traffic from the Beer Store Data Database Server to the Palo Alto Networks Firewall**
-
-1. First, login to the Firewall. (**Helpful Info Section**)
-
-2. Check the Firewall Monitor traffic logs to verify if you can see any traffic from the Beer Store Data Database Server. ((**Helpful Info Section**)
-
-3. Update AWS routing to redirect the Beer Store Data Database Server outbound traffic for inspection by VM-Series through the Transit Gateway.
-
- -## Task Validation - -- Once you made the appropriate changes in the AWS routing you can log into the **Beer Store Data Database Server** via the SSM service and test with the **curl** command if the EC2 instance has internet access. - - example curl command **sudo curl www.google.de** - - -- If the curl command isn't working in the **Beer Store Data Database Server**, check the Palo Alto Networks Firewall Monitor Logs to see which Application is now blocked from the Firewall. - -- You should see the following example log in the firewall monitoring. By adding the following filter **( zone.src eq internal ) and ( zone.dst eq external )** into the Monitor Logs filter bar.
- Some fields in the example log were removed.
-

VPC Logs

-
-
-- Input the Name of the blocked Application in the answer field to complete the task.
-
- -## Helpful Info -**To Login into the VM Series Firewall Web UI** -- Identify the Elastic IP (Security VM-Series Management) of the EC2 Instance named "Security VM-Series" -- Open a browser window and navigate to https://("Security VM-Series-EIP") -- Login with the following credentials: - - Username: admin - - Password: Pal0Alt0@123 - -**How to see the Traffic Logs inside the Firewall** -- Login into the firewall -- Inside the firewall navigate to Monitor -> Traffic -- See the following picture as an example

Monitor Logs

-- In the Monitor Traffic window change the refresh timer from **Manual** to **10 seconds** by clicking on the dropdown field on the top right as the picture below shows
-

Monitor Logs

- - -**Login into the Beer Store Data Database Server** -- Use the Session Manager to log into the Server -- The name of the VM is "Beer Store Data Database" - -**How to find the server's private IP?** -- On the AWS Console go to EC2 -- On the EC2 Dashboard click on Instances -- The following EC2 instances are used by the lab: - - Beer Store Data Database - - Beer Store Frontend Webserver - - Security VM-Series (Palo Alto Networks Firewall)
-
- -## Inventory -- Palo Alto Networks NGFW VM-Series -- Amazon EC2 -- Amazon VPC -- AWS Systems Manager (SSM) -- AWS Lambda -- AWS AWS Tranist Gateway -- AWS Gateway Load Balancer
-
- -## Services You Should Use -- Palo Alto Networks NGFW VM-Series -- Amazon EC2 -- Amazon VPC (Route tables)
diff --git a/aws-vmseries-with-gwlbe-CFT/samplereadme.md b/aws-vmseries-with-gwlbe-CFT/samplereadme.md deleted file mode 100644 index 9ada70f..0000000 --- a/aws-vmseries-with-gwlbe-CFT/samplereadme.md +++ /dev/null @@ -1,324 +0,0 @@ -# aws-panw-vmseries-cft-deployment - -This GitHub repository contains CloudFormation templates designed to deploy a lab environment featuring Palo Alto's VM-Series firewall integrated with AWS Gateway Load Balancer. The primary goal of this lab is to provide hands-on experience in setting up and configuring network security measures to protect digital assets. The lab aims to simulate various network security scenarios and provides a structured environment for users to practice configuring and managing network security policies. - -The lab consists of multiple use cases, each addressing specific network security tasks and validations. In this lab we are deploying a single instance of VM-Series firewall and not using autoscale service. - -**Duration**: It will take approximately 2 hours to successfully complete this lab. - -**Note**: After completion of lab please make sure to run the **cleanup steps** mentioned towards the end of this guide to remove the resources, even if you are not able to complete it please execute the cleanup to remove all the resources. - -## Outline - -
-

Full Starting Diagram with Route Tables

-
- -- aws-panw-gwlb-cfn-root.yaml. This is the root stack that will be deployed. The other template files are nested from this one. - - -You can set up this environment in the following way: - -### Rapid S3 Setup - -**Note:** You will need access to AWS CloudShell for this mode of setup. - -1. Login to the AWS Console and change to the region of your choosing. Supported regions are: - - eu-north-1 - - eu-west-1 - - us-east-1 - - us-east-2 - - us-west-1 - - us-west-2 -2. Open AWS CloudShell, wait for the CLI prompt to show up. -3. Clone the github repository. -``` -git clone https://github.com/AfrahAyub/panw-aws-jam-challenge-resources.git && cd panw-aws-jam-challenge-resources -``` -4. Run the setup command. -``` -./setup-cft.sh -``` - -Once the script completes execution, you should be able to see the output as shown below. -``` -Setup completed successfully. Please proceed to CFT deployment. -Please use the below Template URL for CFT deployment. -TEMPLATE_URL = https://panw-aws-resources-506b9ea8-ce65-4416-8f5d-288991b33a30.s3.us-east-1.amazonaws.com/panw-vmseries-gwlb/aws-panw-gwlb-cfn-root.yaml -``` -5. Please create a new EC2 key pair in the region where you are going to deploy the setup script and once you have uploaded the setup script please rename the EC2 key pair and provide the name of the key-pair that you have generated - - -## Please go through the following cases in order to run the Use Cases - - -## Use Case 1: Inspect outbound traffic using VM Series - -In this Use Case we will be redirecting outbound traffic from the **Beer Store Data Database Server** to the **Palo Alto Networks** firewall for inspection. This involves AWS routing adjustments and verifying traffic logs on the firewall. Read the following in order to run the Use Case 1: -## Task - -**Step 1**- In this step we will Update AWS routing to redirect the Beer Store Data Database Server outbound traffic for inspection by VM-Series through the "Transit Gateway". 
Please go through the follwoing steps: - - 1: In this step we will check the VPC Route Table to check if the Route Tables of the Beer Store Data VPC is pointing to - the correct resource - - 2: The Traffic will not be shown in the firewall at first, to see the traffic in the Firewall monitoring. Please do the - following: - - 1. Login into the AWS console - 2. Go to VPC - 3. Select in filter by VPC field the "Beer Store Data VPC" - 4. Next, go to route tables and select the "Beer Store Data Private route table" - 5. In the route table click on routes (see below) -
-

-
- 6. Click Edit routes and do the following changes: - - 1. Remove the route 10.0.0.0/8 -> Target TGW - 2. Change the route 0.0.0.0/0 -> TGW - 3. Click Save - -7. Once you made the changes your route should look like the example below -
-

-
- -**Step 2**- Now login to the firewall. Go through the following steps: - - - Identify the Elastic IP (Security VM-Series Management) of the EC2 Instance named "Security VM-Series" to find the server's private IP. - 1. On the AWS Console go to EC2 - 2. On the EC2 Dashboard click on Instances - 3. The following EC2 instances are used by the lab: - - Beer Store Data Database - - Beer Store Frontend Webserver - - Security VM-Series (Palo Alto Networks Firewall) - - - - Open a browser window and navigate to https://("Security VM-Series-EIP") - - Login with the following credentials: - - Username: admin - - Password: Pal0Alt0@123 -
- -**Step 3**- Now we will do the following steps in order to run the attack: -- Once you made the appropriate changes in the AWS routing you can log into the **Beer Store Data Database Server** via the SSM service and test with the **curl** command if the EC2 instance has internet access. - - example curl command **sudo curl www.google.de** - - To Login into the Beer Store Data Database Server: - - Use the Session Manager to log into the Server - - The name of the VM is "Beer Store Data Database" - -- If the curl command isn't working in the **Beer Store Data Database Server**, check the Palo Alto Networks Firewall Monitor Logs to see which application is now blocked from the Firewall. - -- You should see the following example log in the firewall monitoring. By adding the following filter **( zone.src eq internal ) and ( zone.dst eq external )** into the Monitor Logs filter bar.
- Some fields in the example log were removed. -

VPC Logs

-
- -**Step 4**- Check the "Firewall Monitor" traffic logs to verify if you can see any traffic from the Beer Store Data Database Server. To see the Traffic Logs inside the firewall: -- Login into the firewall -- Inside the firewall navigate to Monitor -> Traffic -- See the following picture as an example

Monitor Logs

-- In the :Monitor: Traffic" window change the refresh timer from **Manual** to **10 seconds** by clicking on the dropdown field on the top right as the picture below shows -

Monitor Logs

- -
-
- -This is the end of first Use Case. -
- -## Use Case 2: Inspect east-west traffic using VM-Series - -In this Use Case we will have VM-Series firewall inspect east-west traffic between the **Beer Store Data Database Server** and the **Beer Store Frontend Webserver**. As a part of this task we will update the AWS routing and also check the firewall logs. Read the following in order to run the Use Case 2: -## Task - -1. As the first step let's check the traffic between the Beer Store Data Database Server and the Beer Store Frontend Webserver. You can add the following filter into the Firewall Monitor **( zone.src eq internal ) and ( zone.dst eq internal )** -2. There should not be logs seen on the firewall, so let's update the AWS routing. Please go through the following steps: - -**Step 1**: To make changes in the AWS routing we will do the following: - 1. Login into the AWS console - 2. Go to VPC Services and select under Transit Gateways the Transit gateway route tables -
-

-
- - 3. Select the Spoke TGW Route Table - 4. In the Route table click on Propagations -
-

-
- - 5. Select each propagations one by one and click delete propagations. Repeat it until both are deleted. - 6. Your TGW Route table should looks like the following after the deletion -
-

-
- -**Step 2**: To find the logs inside the "Firewall: Monitor": - 1. Log into the Palo Alto Networks VM-Series Firewall - 2. Go to Monitor -> Traffic -
-

- -
- -Note: The attack is being automatically generated. - - 3. In the Filter field paste the the following filter ( zone.src eq internal ) and ( zone.dst eq internal ) and ( app eq ssh ) -
-

-
- -**Step 3**: - 1. In the Monitor logs have a look at the column "TO PORT". -
-

-
- - 2. Once you made the appropriate changes in AWS check if can see now traffic between the **Beer Store Data Database Server** and the **Beer Store Frontend Webserver** by typing the following filter in the "Firewall: Monitor" **( zone.src eq internal ) and ( zone.dst eq internal )** - - 3. You should be able to see the following Monitor Logs inside the Firewall -

SSH Logs

-
- -This is the end of second Use Case. -
- -## Use Case 3: Inspect inbound traffic using VM-Series - -In this Use Case the VM-Series firewall will inspect inbound traffic towards the **Beer Frontend VPC**. As a part of this task we will be redirecting traffic, checking logs, identifying vulnerabilities, and updating firewall settings to block or reset malicious traffic. Read the following in order to run the Use Case 3: - -## Task - -1. You realized that you have no inbound inspection on the Beer Store by looking into the "Firewall: Monitor" logs and adding the following filter **(( zone.src eq frontend ) and ( zone.dst eq frontend )) or (( zone.src eq external ) and ( zone.dst eq internal ))**. - -2. You should now redirect the traffic from the Beer Frontend VPC to the Firewall. Please go through the following steps: - - 1. Login into the AWS console - 2. Go to VPC - 3. Select in Filter by VPC field the "Beer Store Frontend VPC" - 4. As next go to Route Tables and select the Beer Store Frontend Public route table - 5. In the route table click on Routes (see below) - -

- - vi. Click Edit routes and do the following changes: - - Change the route 0.0.0.0/0 -> Gateway Load Balancer Endpoint - - Click Save - - - vii. Once you made the changes your routle should looks like the example below -
-

-
- -3. Now after you redirect inbound traffic through the firewall, you should connect to the **Beer Store Frontend Webserver** (HTTP) over the Public IP. You should be able to see the following Webpage. This is the entrypoint to the Log4j Attack. The attack is being automatically generated, you do not need to authenticate to the beer store frontend before proceeding to the next step -

Beer Store

- In the "Firewall: Monitor" logs, you should see the following log by entering the filter ( addr.src in YOUR-PIP ). Replace "YOUR-PIP" with your local Public IP (Logs can take up to 1 min to be shown in the Monitor)
-

Logs

- In case you still don't see any traffic logs, check the Internet Edge route table or do the following: - 1. Login into the AWS console - 2. Go to VPC - 3. Select in Filter by VPC field the "Beer Store Frontend VPC" - 4. As next go to Route Tables and select the Beer Store Frontend IGW Edge route table - 5. In the route table click on Routes (see below) -
-

-
- 6. Click "Edit routes" and do the following change: - - Add the route 10.1.2.0/24 -> Gateway Load Balancer Endpoint - - Click Save -

- 7. Once you made the changes your routle should looks like the example below -
-

-
- -4. Next we will check the Firewall Monitor Threat logs, to see if any unexpected behaviour is happening. In the Threat Logs, you can see some **Log4j** Attacks. But for some reason, the Firewall isn't blocking them, just alerting. See the picture below as an example. -

alert

- -5. Now you have to change/update the Threat Profile on the Security Policy to block/reset the vulnerable traffic. To perform the change on the Security Policy follow the instructions below: - - 1. On the Firewall tab on the browser, navigate to the Policies tab, and select Secuirty on the left pane -

- - 2. Now you can see all the Security rules. Click on the Rule "Allow inbound" frontend rule, and a new window will open -

- - 3. On the new window click on "Actions" tab -

- - 4. On the "Profile Setting" section you can see that under "Vulnerability Protection",the "alert" profile is selected. That profile will only alert and not block or reset any communication. -

- - 5. Change the "Vulnerability Protection" from "alert" to "strict". -

- - 6. Click "OK", and the window will close automatically. - - 7. Next, we have to commit the changes you made to the firewall. Click on the **Commit** button in the top right corner. -

- - 8. A new window will open. Here you will have to click on "Commit" button -

- - 9. Wait for "Status Complete" and "Result Successful" and close the Window -

- -6. After changing the **Vulnerability Protection** Profile from **alert** to **strict** you should see the following logs under the **Threat section** of the logs: -

-
-
- -- After you make the appropriate changes in AWS routing and on the Palo Alto Networks Firewall it should have successfully blocked the attack to the **Beer Store Frontend Webserver** and you should be able to see a **reset-both** log entry in the Palo Alto Networks Monitor Logs -> Threat. -
-
- -This is the end of third Use Case. -
- -## Summary -We have completed this lab and we observed how VM Series firewall can be deployed in AWS environment to inspect inbound and east-west flow and inspect the traffic. - -## Cleanup Steps -Once you have completed the lab successfully, follow the following steps for the cleanup: - -Go to the AWS Floudformation service and delete the root stack which you had deployed initially using the URL, refer the following steps: - - 1. Go to the AWS CloudFormation service and select the stack(stack name) that was deployed -![Screenshot (181)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/d4ca515c-d765-4109-a51f-a41224c40c9a) - 2. Click on **Delete** -![Screenshot (182)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/951c7365-8f29-41bd-84cd-cbb3eb714da1) -**Note**: it will take approximately 10-15 minutes for the stack to get deleted. - 3. Once the stack is deleted go to the AWS Cloudshell, select Actions and select Delete AWS CloudShell home directory option -![Screenshot (183)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/de107f6b-2123-4b66-b443-9bc20bde2113) - - - - - -In case you get a message that says: "DELETE_FAILED" for the test-CombinedStack and test-SecurityStack, follow the following steps - -**Note**: the name of the stack deployed here is "test", please select the stackname that you have deployed to delete the nested stack - -1. Select the test-CombinedStack -![Screenshot (184)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/86faf4c6-7cd6-4268-84a0-157b51a95e10) -2. Click on **Delete** -![Screenshot (185)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/e04e4f4d-2704-44d2-96d1-9c0c6ee39e12) -3. Once the test-CombinedStack is deleted, Select test-SecurityStack -![Screenshot (187)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/52802da9-8563-46be-a303-229bb1a9e0aa) -4. 
Click on **Delete**
-![Screenshot (188)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/7e6db6ce-7c37-4e11-a71d-469de3e404b0)
-5. Finally select the test-stack
-![Screenshot (189)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/b3d171f7-a74f-434a-80df-1e9bca73ccad)
-6. Click on **Delete**
-![Screenshot (190)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/c8c51126-ba7c-47ee-88f7-67dac26c6980)
-7. Now go to the VPC section and check if all the VPCs are deleted, if not then Select the VPC and click **Delete**
-![Screenshot (192)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/b624ac57-655a-40df-bad4-50df0c6c980f)
-![Screenshot (193)](https://github.com/AfrahAyub/aws-vmseries-with-gwlbe/assets/93593501/966d965d-78a7-41ab-86ef-347cecf798e4)
-
-
-
-
-
diff --git a/aws-vmseries-with-gwlbe-CFT/setup-cft.sh b/aws-vmseries-with-gwlbe-CFT/setup-cft.sh
deleted file mode 100644
index 18b069c..0000000
--- a/aws-vmseries-with-gwlbe-CFT/setup-cft.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-
-S3_BUCKET_NAME="panw-aws-resources-$(uuidgen)"
-S3_FOLDER_NAME="panw-vmseries-gwlb/"
-
-echo "Creating new S3 bucket ${S3_BUCKET_NAME} for sourcing the CFTs"
-aws s3 mb s3://${S3_BUCKET_NAME}
-
-echo "Creating new folder ${S3_FOLDER_NAME} in the S3 bucket"
-aws s3api put-object --bucket ${S3_BUCKET_NAME} --key ${S3_FOLDER_NAME} --content-length 0
-
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-cd $SCRIPT_DIR
-
-echo "Updating the CFTs with the new S3 bucket name."
-sed -i "s/__source_s3_bucket_name__/${S3_BUCKET_NAME}/g" ./vmseries-gwlb-2023/cloud-formation-templates/aws-panw-gwlb-cfn-root.yaml
-sed -i "s/__source_s3_bucket_name__/${S3_BUCKET_NAME}/g" ./vmseries-gwlb-2023/cloud-formation-templates/aws-panw-gwlb-cfn-security.yaml
-sed -i "s/__source_s3_bucket_name__/${S3_BUCKET_NAME}/g" ./vmseries-gwlb-2023/cloud-formation-templates/aws-panw-gwlb-cfn-vmseries.yaml
-
-echo "Starting upload of CFT and bootstrap files to S3 bucket"
-aws s3 cp ./vmseries-gwlb-2023/s3-assets/bootstrap.xml s3://${S3_BUCKET_NAME}/${S3_FOLDER_NAME}
-aws s3 cp ./vmseries-gwlb-2023/s3-assets/init-cfg.txt s3://${S3_BUCKET_NAME}/${S3_FOLDER_NAME}
-aws s3 cp ./vmseries-gwlb-2023/s3-assets/authcodes s3://${S3_BUCKET_NAME}/${S3_FOLDER_NAME}
-aws s3 cp ./vmseries-gwlb-2023/cloud-formation-templates s3://${S3_BUCKET_NAME}/${S3_FOLDER_NAME} --recursive
-
-echo "Setup completed successfully. Please proceed to CFT deployment."
-echo "Please use the below Template URL for CFT deployment."
-echo "TEMPLATE_URL = https://${S3_BUCKET_NAME}.s3.${AWS_REGION}.amazonaws.com/${S3_FOLDER_NAME}aws-panw-gwlb-cfn-root.yaml"