Building a Remote-Access Solution

Today, working remotely has never been easier, due to the ubiquity of mobile devices and reliable Internet connectivity. The ease with which a worker can get connected to the corporate network delivers the impression that your co-worker is down the hall, when in fact they are traveling internationally. Global Workplace Analytics’ research shows that increasingly, working remotely is not only commonplace, it is encouraged and has shown to improve productivity.

• Fortune 1000 companies around the globe are entirely revamping their space around the fact that employees are already

Studies repeatedly show they are not at their desk 50–60% of the time.

• 50% of the S. workforce holds jobs that are compatible with at least partial telework, and approximately 20–25% of the workforce teleworks at some frequency.
• Regular work-at-home, among the non-self-employed population, has grown by 103% since The employee population as a whole grew by 1.9% from 2013 to 2014, while the telecommuter population grew 5.6%.1

With the VM-Series and GlobalProtect™ now available on AWS®, you can protect your mobile workforce and your network from Internet-borne threats while dramatically reducing administrative effort and associated costs with an appliance-based, mobile-security and remote-access solution.

Introduction

When building a remote-access solution with GlobalProtect, a firewall appliance is deployed with a GlobalProtect subscription and depending on the volume and location of users, additional GlobalProtect instances are deployed. Mobile users connecting to the Gateway are protected by the corporate security policy and are granted secure access to network resources. Additional components of a hardware-based GlobalProtect deployment may include co-location facilities and associated services if a suitable company facility is unavailable. A hardware-based approach to a GlobalProtect infrastructure is a common deployment option; you can now use the globally available AWS infrastructure to eliminate some of the hardware-based dependencies and simplify your GlobalProtect deployment. An added benefit to deploying the VM-Series with GlobalProtect in AWS is that now you can leverage some of the scalability and automation features to build a solution that can dynamically scale to better support any planned or unplanned traffic spikes.

Enforce Consistent Security Policy with GlobalProtect

The world you need to secure continues to expand, as both users and applications shift to locations outside of the traditional network perimeter. Security teams face challenges when maintaining visibility into network traffic and enforcing security policies to stop threats. Traditional technologies that were used to protect mobile endpoints, such as host endpoint antivirus software and remote access VPN, are not capable of stopping the advanced techniques employed by today’s more sophisticated attacker.

GlobalProtect safeguards the mobile workforce by inspecting all traffic using the VM-Series Next-Generation Firewall and Threat Prevention services. Laptops, smartphones and tablets with the GlobalProtect app automatically establish a secure SSL/IPsec VPN connection to the VM-Series located in the AWS region, which will provide the best performance. By eliminating the blind spots in mobile workforce traffic, the organization maintains a consistent view into applications.

Image 1: GlobalProtect ensures policy consistency for all users and devices regardless of location

Deployed as an optional subscription for the VM-Series for AWS, GlobalProtect enables you to enforce security policy consistency to all users, regardless of location. Traffic flowing across a GlobalProtect connection is secured with the native VM-Series security capabilities, which allows you to understand application usage, determine

if the content within is malicious, take action accordingly, and then tie the traffic to the user identity. Policies extended to your mobile workforce can help you protect the network in the following ways.

• Reduce the threat footprint through application visibility and control – Identify and control the application and application functions you allow your workers to use, regardless of port number. Whitelisting policies can be applied to grant access to limited applications to restrict where the user can go on the network, and in so doing, also limit the locations that are susceptible to malware
• Prevent known and unknown threats; control content – Allowed application flows can be protected from known attacks (e.g., network-based attacks, malware, spyware) and unknown attacks hidden within a wide range of file Additional control mechanisms can limit file transfers based on file type and look for data patterns to stop its unauthorized movement, such as the transfer of credit card or Social Security numbers. Complementing the application control and threat prevention capabilities is a URL filtering solution that categorizes URLs based on their content at the domain, file and page levels, and is dynamically updated based on web-content changes.

Grant access based on user identity and business need – Granting secure network access to mobile or remote users can be more tightly controlled by including the user identity in the security policy. User profiles can be developed for local users. When they are remote, a different, more restrictive policy can be applied, while different groups, such as finance, can be granted access to confidential data.

In addition to the ability to grant access based on user identity, additional user authentication options can be applied to all users, including Kerberos, RADIUS, LDAP, client certificates and a local user database. Once

GlobalProtect authenticates the user, their IP address is immediately provided to the VM-Series for use in the security policy. A range of third-party, multifactor authentication methods are also supported by GlobalProtect, including one-time password tokens, certificates and smart cards through RADIUS integration. These options help organizations strengthen the proof of identity for access to internal data center or SaaS applications.

• Limit access based on endpoint profile – To ensure that a compromised or out-of-date endpoint is not granted access to the network, administrators can enable GlobalProtect to build a Host Information Profile (HIP) by querying the endpoint for a configuration inventory (e.g., OS and patch level, disk encryption, backup status, customized conditions, ) that is shared with the VM-Series. The HIP is used by the

VM-Series to enforce application policies that only permit access when the endpoint is properly configured and secured. These principles help enforce compliance with policies that govern the amount of access a given user should have with a particular device.

When deployed in conjunction with the VM-Series in AWS, GlobalProtect protects your mobile users and your network from Internet-borne threats of all types. An added benefit of using AWS as your infrastructure for your mobile workforce is a more consistent and reliable user experience as mobile users are connecting to the AWS region that delivers the best performance.

GlobalProtect Portal and Gateway

A GlobalProtect deployment is comprised of two components – a GlobalProtect Portal and a GlobalProtect Gateway. The Portal is used to manage mobile and device security policies which are pushed out to the Gateways, typically located in closer proximity of the end users. Multiple Gateways are often deployed in regions where there are a high concentration of users and devices. To dynamically scale GlobalProtect in AWS, an AWS Auto Scaling Group with GlobalProtect is first created. Then, using native AWS services and GlobalProtect automation features, additional Gateways are programmatically added or removed as fluctuating traffic patterns dictate. Learn more about the GlobalProtect Portal and Gateway relationship here.

Managing Known and Unknown Traffic Patterns

Most organizations will have a firm grasp on the number of mobile users who will be working remotely when building a remote access infrastructure and will take into account traditional daily spikes in usage that may occur, such as in the morning, just after lunch, and perhaps at the end of the day. These spikes are relatively predictable and are typically accommodated through planning and a robust infrastructure. Despite these best efforts, there are several known, but manageable challenges that accompany a hardware-based GlobalProtect infrastructure.

• Adding capacity to accommodate more users and new sites, territory expansion requires new hardware, which usually involves a purchasing process, injecting possible
• Software upgrades require planned, albeit temporary,
• Hardware-based capacity may be underutilized due to the requirement to build for “growth.”

The best laid capacity planning for your GlobalProtect architecture can be waylaid when an unplanned spike in usage occurs due to a severe weather event that forces many local users to work remotely or when a large event, such as the Super Bowl, forces local employees who normally work from the office to work from home. Another type of event that can impact remote network access usability is a large company event, such as an annual kickoff held in a different geographic location, where hundreds, perhaps thousands, of users all need remote network access. The impact from an unplanned (or semi-unplanned) spike in usage can be significant.

• The lack of connectivity ripples through the company as meetings are canceled or rendered ineffective due to missing
• Productivity for users who commonly work remotely is impacted by poor or unusable
• For all users, the lack of capacity results in user frustration as they repeatedly connect or reconnect in an attempt to rectify the

To address the challenges and ramifications of both planned and unplanned spikes in remote-access traffic, the VM-Series with GlobalProtect can be deployed on AWS, taking full advantage of the global infrastructure and Auto Scaling capabilities.

Auto Scaling the VM-Series with GlobalProtect on AWS

To address both planned and unplanned spikes in mobile access to network resources, the VM-Series with GlobalProtect can be deployed to take full advantage of AWS global infrastructure and Auto Scaling. A base set of GlobalProtect instances can be deployed to select regions, and when traffic demands dictate, new instances can be added and removed. 

Image 2: GlobalProtect deployed in AWS to support all users

To build a VM-Series with GlobalProtect Auto Scaling environment, an AWS Auto Scaling group with VM-Series and GlobalProtect is created that is then augmented with additional GlobalProtect Gateways based on user-defined traffic metrics from the VM-Series. Using the VM-Series XML API, traffic metrics are fed to CloudWatch, which in turn will initiate an AWS Lambda function stored in S3 that deploys an additional, fully configured GlobalProtect Gateway. The AWS services used include:

• AWS Lambda: A compute service that allows you to execute your code as a service using AWS AWS Lambda is used to configure the VM-Series firewall via the XML API and to interact with other AWS services, such as CloudWatch. Note that AWS Lambda is required for this solution but it may not available. A list of regions and respective AWS services can be found here. Learn more about AWS Lambda.
• Amazon Simple Storage Service (S3): A web service that allows you to store and retrieve any amount of data from anywhere on the S3 is used to store the VM-Series bootstrap configuration files and the AWS Lambda functions used to monitor traffic and initiate a new GlobalProtect Gateway. Read more about Amazon Simple Storage Service.
• AWS CloudFormation: A service that helps a user model and architect their AWS services and resources using templates (CloudFormation Templates, or AWS CloudFormation Templates) written in As part of the GlobalProtect Auto Scaling solution deployment, an AWS CloudFormation Template is used to set up the initial infrastructure, including a GlobalProtect Portal and a GlobalProtect Gateway. View additional details on AWS CloudFormation Templates.

AWS Auto Scaling: A web service designed to launch or terminate Amazon EC2 instances automatically based on user-defined policies, schedules and health checks. The guidelines outlined in this document deploy one or more VM-Series with GlobalProtect in an Auto Scaling group and establish policies to initiate the deployment or

removal of a GlobalProtect Gateway based on metrics collected in real time. More details about AWS Auto Scaling.

• Amazon CloudWatch: Used to collect and track AWS resources and applications metrics in real Based on CloudWatch metrics, alarms can be generated that then send notifications or automatically make changes to the resources being monitored. CloudWatch is used to publish custom PAN-OS® security operating system metrics and establish alarms that can automatically initiate the dynamic deployment or removal of a GlobalProtect Gateway based on pre-determined thresholds. Additional CloudWatch materials.
• AWS SNS: A web service that publishes messages to various subscribers via text messages, email or to invoke AWS Lambda functions that execute SNS is used to trigger AWS Lambda functions that will configure the VM-Series firewall. Learn more about SNS.

In addition to the VM-Series and GlobalProtect features mentioned earlier, the PAN-OS features used to enable the Auto Scaling GlobalProtect on AWS solution include:

• Bootstrapping: A VM-Series firewall feature that allows you to create a repeatable and streamlined process of deploying new VM-Series firewalls. The bootstrap file is used to configure the new VM-Series and GlobalProtect being More on Bootstrapping.
• XML API: The PAN-OS XML API allows the management of the VM-Series through a programmatic XML-based The XML API functionality is heavily utilized by scripts running in AWS Lambda to configure the VM-Series with GlobalProtect and extract and publish custom metrics to Amazon CloudWatch.

Read about XML API.

VM-Series and GlobalProtect for AWS Licensing Considerations

The VM-Series can be licensed using a consumption-based model directly from AWS Marketplace, or as a traditional, bring-your-own-license (BYOL) model.

• Consumption-based licensing: This licensing model allows you to purchase the VM-Series

Next-Generation Firewall and select Subscriptions and Premium Support as a bundle directly through your AWS Management console on either an hourly or annual payment structure.

• Bundle 1 contents: VM-300 firewall license, Threat Prevention subscription (inclusive of IPS, AV, and malware prevention) and Premium
• Bundle 2 contents: VM-300 firewall license, Threat Prevention (inclusive of IPS, AV, and malware prevention), WildFire™ threat intelligence service, URL Filtering, GlobalProtect subscriptions and Premium

• BYOL: Any one of the VM-Series firewall models, along with associated subscriptions (Threat Prevention, WildFire, URL Filtering, GlobalProtect) and Support Services, are purchased via normal Palo Alto Networks channels and then deployed through your AWS Management console using an authorization

For purposes of this paper, the consumption-based Bundle 2 is used (and recommended) to accommodate the ability to add and remove VM-Series and GlobalProtect instances on demand.

Deployment Flow

To deploy the VM-Series with GlobalProtect Auto Scaling solution, the user needs to first establish the base AWS infrastructure, then deploy the GlobalProtect CloudFormation Template as defined below, then test the scaling capability.

 Establishing the Base Infrastructure

Building out the AWS infrastructure to support the solution is very straightforward and entails selecting an AWS region, downloading the package files and creating the requisite S3 buckets.

• Choosing a region: The GlobalProtect Auto Scaling CloudFormation Template can currently only be deployed in regions where AWS has launched its AWS Lambda See the list of regions.
• Download the solution package: The solution is delivered as an AWS CloudFormation Template (JSON formatted file) and a series of zip The package is available in Github.

Image 3: Github resources for the GlobalProtect Auto Scaling deployment

Creating S3 buckets: With the region chosen, create the following S3 buckets:

1. GlobalProtect Portal bootstrap bucket: This bucket contains the bootstrapping files required to deploy a fully configured VM-Series as a GlobalProtect Portal. Please refer to the deployment guide for details on creation and content of this
2. GlobalProtect Gateway Bootstrap bucket: This bucket will contain the bootstrapping files required to configure the VM-Series as a GlobalProtect Please refer to the deployment guide for details on creation and content of this bucket.
3. AWS Lambda bucket: This bucket will contain the AWS Lambda scripts that are utilized to configure the GlobalProtect Portal and GlobalProtect Gateways, and to publish custom

 Deploying the GlobalProtect Auto Scaling Solution

The initial GlobalProtect Auto Scaling solution is created by deploying the AWS CloudFormation Template (gp-asg.json) within the AWS console. The template will create all resources needed, along with an AWS Auto Scaling group for GlobalProtect Gateways. The GlobalProtect Auto Scaling Solution will have a minimum of one bootstrapped VM-Series with GlobalProtect

Figure 4: Initial VM-Series and GlobalProtect on AWS

The template will also initiate AWS Lambda functions that will periodically poll the GlobalProtect Gateway instances in the Auto Scaling group and gather metrics, publishing them to Amazon CloudWatch. Once the solution is deployed, the topology should be similar to the image shown.

Establishing Scaling Event Metrics

Once the initial GlobalProtect Auto Scaling solution is deployed, it will begin publishing active-session metrics to Amazon CloudWatch using the VM-Series XML API and AWS Lambda functions. The initial metric published and used to initiate a scaling event will be “maximum firewall sessions.” Other custom metrics that can also be used to drive scaling events include the number of active GlobalProtect users, data plane CPU utilization, and management plane CPU utilization. As discussed earlier, an Auto Scaling event can be:

• Planned events, such as conferences or sales kickoff events, where there is a sudden increase in the number of remote users connecting to a GlobalProtect Gateway in an AWS
• Unplanned events, such as snow days, where all users become remote users and connect to the GlobalProtect Gateways in an AWS region.

• Planned events can be recurring events, such as a daily increase in the number of users logging in to remote gateways at the start of the workday and slowly tapering off towards the end of the workday.

Image 5: As more users access GlobalProtect, added gateways are added to the ASG

As more mobile employees use GlobalProtect to access corporate resources, CloudWatch continuously monitors the VM-Series based on session count and acts accordingly, based on the thresholds set. When the configured threshold metrics are met or exceeded, a scale-out event initiates the deployment of an additional GlobalProtect Gateway. For instance, if CloudWatch is monitoring the total number of active sessions and the session limit threshold is exceeded:

1. Lambda functions collect and feed traffic metrics to
2. CloudWatch triggers an alarm, resulting in a scale-out
3. A new, fully configured VM-Series with GlobalProtect Gateway is added to the existing Auto Scale Group, using the bootstrap
4. The new GlobalProtect Gateway is added to the list of available gateways in the portal, and new user connections are automatically directed toward the new gateway.

As the number of sessions lessens to where it now meets the minimum threshold set, the scaling policy will execute a scale-in event, where GlobalProtect Gateways are removed from the Auto Scaling Group. When GlobalProtect Gateways are removed based on the scale-in policy, each executes randomly, resulting in the removal of a GlobalProtect Gateway with a sizable number of users attached to it.

There are several options to mitigate this:

1. Execute a manual scale-in policy as opposed to an automated scale-in. In this scenario, CloudWatch can be used to monitor GlobalProtect Gateways and notify administrators (via Amazon SNS) of those that have a low number of sessions and can be removed with minimal user
2. Have an automated scale-in policy that is very conservative; that is, wait for the number of active sessions to be very low (or zero).
3. Have a periodic policy where GlobalProtect Gateways scale-in during off-peak hours (such as in the middle of the night).

Regardless of the scale-in approach taken, the Auto Scaling Group will honor the minimum amount of GlobalProtect Gateways configured.

Additional Considerations: Connecting to Corporate via IPsec VPN or Direct Connect

GlobalProtect enables you to extend your corporate security policies to all users, regardless of location and device type. To that end, an added consideration will be the type of connection that is established from your corporate network to AWS. One option to consider is to use the IPsec VPN capabilities in the VM-Series, while a second option would be to use AWS Direct Connect. Direct Connect provides a mechanism for customers to establish a dedicated network from their own premise to AWS. This provides dedicated connectivity with the performance levels granted by the customer’s service provider. The dedicated connection terminates on customer-managed hardware located in an AWS Direct Connect location. From that point, one or more 802.1q VLANs are used to complete the connection into the customer VPCs.

Many AWS customers prefer that the entire connection be IPSec-encrypted all the way into the VPC – even when Direct Connect is used. This provides an extra layer of security for their network traffic. In this scenario, the deployment looks no different from the perspective of the VM-Series firewall than if the Internet had been used instead of Direct Connect. In either case, the solution is the same, including routing, redundancy, managed scale, etc. For maximum security and flexibility in a hybrid cloud architecture, IPsec tunnels terminating on the VM-Series firewall are recommended, including where Direct Connect is used. Find more information about Direct Connect.

Additional Considerations: Centralized Management

The VM-Series can be managed in a 1:1 manner via the web UI or a full command line interface (CLI). To manage multiple instances of the VM-Series, perhaps in combination with one or more Palo Alto Networks hardware firewalls, Panorama™ network security management provides centralized visibility into traffic patterns, logging and reporting, as well as a mechanism to manage all of your security policies across all devices. Additional information on Panorama.

Step-by-Step Deployment Guide

A detailed deployment guide that walks you through the process of setting up the base infrastructure, creating S3 buckets, deploying the template, and generating scale events is available here. The deployment guide can be used to deploy a scalable VM-Series with GlobalProtect environment. Alternatively, it can be used to deploy a single VM-Series with GlobalProtect instance for smaller-scale operations by setting the desired, minimum and maximum quantities toon. If scaling is needed, those parameters can be increased based on projected need.

CloudFormation Template Support Policy: The GlobalProtect Auto Scaling CloudFormation Template is released under an as-is, best effort, support policy. These templates should be seen as community supported, and Palo Alto Networks will contribute its expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself. Unless explicitly tagged, all projects or work posted in AWS S3, GitHub or sites other than our official Downloads page at https://support.paloaltonetworks.com/ are provided under the best effort policy.

Scaling GlobalProtect in AWS

Combining the VM-Series GlobalProtect with the global AWS infrastructure allows you to extend your corporate network security policies to all users, regardless of their location or device type. Integration with AWS Auto Scaling introduces the ability to allow GlobalProtect to dynamically adapt to fluctuating traffic patterns in a manner that is more efficient and more cost effective than an alternative hardware-based deployment.