Panorama Series (2): Setting Up a Panorama Test Environment on AWS




  Personal Bilibili page: https://space.bilibili.com/408773931
  WeChat official account: 自刘地

  • I. Notes
  • II. Deploying the lab environment with CloudFormation
  • III. Initializing the Palo Alto firewalls
  • IV. Deploying the Panorama instance on AWS
  • V. Activating Panorama and the Palo Alto firewalls
  • VI. Upgrading the Panorama version
  • VII. Adding the Palo Alto firewalls to Panorama
  • VIII. Documentation links

  I. Notes

  • On AWS the default Palo Alto firewall version is 10.2.2h2 and the default Panorama version is 10.2.0. Panorama must be upgraded to the same version as the firewalls or a later one; otherwise Panorama cannot view the firewall logs.
  • The Palo Alto VM-50 model only supports ESXi, Hyper-V and KVM; it does not support AWS or other cloud platforms.
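The version rule in the first note is easy to get wrong when hotfix releases are involved (the page's 10.2.2h2 is newer than 10.2.2 but older than 10.2.3). The check below is an added example, not the author's code; it assumes only what the note states, that Panorama must run the same release as the firewall or a later one, and accepts both the page's "10.2.2h2" spelling and the vendor's "10.2.2-h2" form.

```python
import re

# PAN-OS version strings: "10.2.0", "10.2.2h2" (as written on this page) or
# the vendor's "10.2.2-h2". A hotfix sorts after its base release.
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-?h(\d+))?$")


def parse_panos(version):
    """Turn a PAN-OS version into a comparable (major, minor, maint, hotfix) tuple."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def panorama_can_manage(panorama_version, firewall_version):
    """Panorama must be at the firewall's release or later (the page's note:
    otherwise it cannot view that firewall's logs)."""
    return parse_panos(panorama_version) >= parse_panos(firewall_version)


def upgrade_needed(panorama_version, firewall_versions):
    """Return the firewall versions the given Panorama release cannot manage."""
    return [fw for fw in firewall_versions
            if not panorama_can_manage(panorama_version, fw)]


if __name__ == "__main__":
    # The defaults quoted on this page: Panorama 10.2.0 vs. firewall 10.2.2h2.
    print("upgrade Panorama for:", upgrade_needed("10.2.0", ["10.2.2h2"]))
```
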
  II. Deploying the lab environment with CloudFormation

  Panorama is mainly used to manage multiple firewalls. On AWS, centralized traffic inspection usually involves several firewalls, so CloudFormation is used here to build a centralized-inspection lab environment, and Panorama then manages the two firewalls.
  Starting only two firewalls and one Panorama is enough for most tests; the centralized-inspection environment is built to resemble a real deployment more closely.
  The lab environment is created with CloudFormation. The template does not create Panorama, which must be created manually, and it does not initialize the Palo Alto firewalls either.

  Upload the stack template file.

  Set the stack name and choose the EC2 key pair.

  Acknowledge that the stack creates IAM resources.

  CloudFormation template contents. The stack takes about seven minutes to create; after the stack is complete, the firewalls need roughly another four minutes to boot.

```yaml
Mappings:
  RegionMap:
    cn-northwest-1:
      PA1022h2NWCD: ami-0738eadeed7e6b0fa

Parameters:
  EC2InstanceAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
  Environment:
    Type: String
    AllowedValues:
      - dev
      - prod
    Default: dev
  MyKeyPair:
    Description: Amazon EC2 Key Pair
    Type: AWS::EC2::KeyPair::KeyName
    Default: CloudFormation-Test-Key
  PaloaltoVersion:
    Description: Choice Paloalto Firewall Version Type
    Type: String
    Default: PA1022h2NWCD
    AllowedValues:
      - PA1022h2NWCD
  PaloaltoInstanceType:
    Description: Choice Paloalto Instance Type
    Type: String
    Default: m5.large
    AllowedValues:
      - m5.large
      - m5.4xlarge

Resources:
  # Instance role for the bastion: SSM Session Manager access only, no inbound SSH needed
  BastionSsmRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /

  BastionSsmPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: PrivatelianceInstanceAccess
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - ssm:DescribeAssociation
              - ssm:GetDeployablePatchSnapshotForInstance
              - ssm:GetDocument
              - ssm:DescribeDocument
              - ssm:GetManifest
              - ssm:GetParameter
              - ssm:GetParameters
              - ssm:ListAssociations
              - ssm:ListInstanceAssociations
              - ssm:PutInventory
              - ssm:PutComplianceItems
              - ssm:PutConfigurePackageResult
              - ssm:UpdateAssociationStatus
              - ssm:UpdateInstanceAssociationStatus
              - ssm:UpdateInstanceInformation
            Resource: "*"
          - Effect: Allow
            Action:
              - ssmmessages:CreateControlChannel
              - ssmmessages:CreateDataChannel
              - ssmmessages:OpenControlChannel
              - ssmmessages:OpenDataChannel
            Resource: "*"
          - Effect: Allow
            Action:
              - ec2messages:AcknowledgeMessage
              - ec2messages:DeleteMessage
              - ec2messages:FailMessage
              - ec2messages:GetEndpoint
              - ec2messages:GetMessages
              - ec2messages:SendReply
            Resource: "*"
      Roles:
        - !Ref BastionSsmRole

  BastionSsmProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref BastionSsmRole

#=============SecVpc============#
# Create SecVpc
  SecVpc:
    Type: AWS::EC2::VPC
    Properties:
      # Canonical network address for the /16; all six /24 subnets below fall inside it
      CidrBlock: 10.100.0.0/16
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpc

# Create the IGW and attach it to the VPC
  SecVpcIGW:
    Type: "AWS::EC2::InternetGateway"
    Properties:
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpcIGW

  SecVpcAttachIgw:
    Type: "AWS::EC2::VPCGatewayAttachment"
    Properties:
      VpcId: !Ref SecVpc
      InternetGatewayId: !Ref SecVpcIGW

#----------------- Create 6 subnets in SecVpc ------------------#

# Public subnet in SecVpc AZ1
  SecVpcAz1PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.100.10.0/24
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpc-AZ1-Public-Subnet

# Public subnet in SecVpc AZ2
  SecVpcAz2PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.100.20.0/24
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpc-AZ2-Public-Subnet

# Private subnet in SecVpc AZ1
  SecVpcAz1PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.100.30.0/24
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpc-AZ1-Private-Subnet

# Private subnet in SecVpc AZ2
  SecVpcAz2PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.100.40.0/24
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpc-AZ2-Private-Subnet

# TGW subnet in SecVpc AZ1
  SecVpcAz1TgwSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.100.50.0/24
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpc-AZ1-TGW-Subnet

# TGW subnet in SecVpc AZ2
  SecVpcAz2TgwSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.100.60.0/24
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpc-AZ2-TGW-Subnet

#----------------- Create SecVpc route tables ------------------#

# Public subnet route tables and associations
  SecVpcAz1PublicRouteTable:
    Type: "AWS::EC2::RouteTable"
    Properties:
      VpcId: !Ref SecVpc
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpc-AZ1-Public-RouteTable

  SecVpcAz1PublicRouteTableAssociation:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      RouteTableId: !Ref SecVpcAz1PublicRouteTable
      SubnetId: !Ref SecVpcAz1PublicSubnet

  SecVpcAz2PublicRouteTable:
    Type: "AWS::EC2::RouteTable"
    Properties:
      VpcId: !Ref SecVpc
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-SecVpc-AZ2-Public-RouteTable

  SecVpcAz2PublicRouteTableAssociation:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      RouteTableId: !Ref SecVpcAz2PublicRouteTable
      SubnetId: !Ref SecVpcAz2PublicSubnet

# Private subnet route tables and associations
  SecVpcAz1PrivateRouteTable:
  # (the template is cut off at this point on the original page)
```
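Two things in this template fail only after CloudFormation has already started building resources: a `PaloaltoVersion` value with no AMI in `RegionMap` for the target region, and a VPC or subnet CIDR that is mis-written or overlapping. The script below is an added example, not the author's code; it runs the checks over a constructed Python excerpt of the template's `RegionMap`, `PaloaltoVersion` values and `SecVpc` CIDRs, so it needs no AWS access.

```python
import ipaddress

# Constructed excerpt of the template above, written as Python instead of YAML.
REGION_MAP = {"cn-northwest-1": {"PA1022h2NWCD": "ami-0738eadeed7e6b0fa"}}
ALLOWED_VERSIONS = ["PA1022h2NWCD"]          # PaloaltoVersion AllowedValues
VPC_CIDR = "10.100.0.0/16"                   # SecVpc, canonical network address
SUBNET_CIDRS = {                             # the six SecVpc subnets
    "SecVpcAz1PublicSubnet": "10.100.10.0/24", "SecVpcAz2PublicSubnet": "10.100.20.0/24",
    "SecVpcAz1PrivateSubnet": "10.100.30.0/24", "SecVpcAz2PrivateSubnet": "10.100.40.0/24",
    "SecVpcAz1TgwSubnet": "10.100.50.0/24", "SecVpcAz2TgwSubnet": "10.100.60.0/24",
}


def check_template(region, region_map, allowed_versions, vpc_cidr, subnet_cidrs):
    """Return a list of findings; an empty list means the excerpt passes."""
    findings = []
    # 1. Every selectable firewall version must map to an AMI in the target
    #    region, or the firewall instances fail after the VPC is already built.
    amis = region_map.get(region, {})
    for ver in allowed_versions:
        if ver not in amis:
            findings.append(f"no AMI mapped for {ver} in {region}")
    # 2. The VPC block must be written as its network address (host bits zero);
    #    ip_network() is strict by default and rejects e.g. 10.100.10.0/16.
    try:
        vpc = ipaddress.ip_network(vpc_cidr)
    except ValueError:
        vpc = ipaddress.ip_network(vpc_cidr, strict=False)
        findings.append(f"VPC CIDR {vpc_cidr} has host bits set; network is {vpc}")
    # 3. Each subnet must sit inside the VPC and not overlap another subnet.
    seen = []
    for name, cidr in subnet_cidrs.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if not net.subnet_of(vpc):
            findings.append(f"{name} {cidr} is outside VPC {vpc}")
        for other_name, other in seen:
            if net.overlaps(other):
                findings.append(f"{name} overlaps {other_name}")
        seen.append((name, net))
    return findings


if __name__ == "__main__":
    found = check_template("cn-northwest-1", REGION_MAP, ALLOWED_VERSIONS,
                           VPC_CIDR, SUBNET_CIDRS)
    print("\n".join(found) if found else "template excerpt passes all checks")
```
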