Palo Alto VM – Multiple IP Addresses for Public Servers
Posted On February 14, 2020
I struggled to figure out how to add multiple IP addresses on the outside of my Palo Alto VM-Series in AWS. I needed to place each server's public IP address on the Palo Alto, and a lot of the guides I read assumed you'd just do port-forwarding like a home router. That doesn't scale, so I found a Palo Alto guide (login required) walking through how to do it. Below is the layman's version of setting it up, along with my lessons learned.
Add Network Interface to Palo Alto Instance
To begin, you’ll need to add an additional IP address to the outside/untrust interface of your Palo Alto instance. This additional IP address will be that of your public server.
If you're reading this and haven't deployed your Palo Alto yet, make sure to set a custom (static) IP for eth0 when you deploy it and skip this step on creating a new outside/untrust interface. But if you're like me and already enabled DHCP on your outside/untrust interface, you'll need to add a new interface with a static IP address. To add the new outside/untrust interface with a static IP address to the Palo Alto, go to EC2 > Network & Security > Network Interfaces > Create Network Interface, then attach it to the firewall instance. The screenshot below shows the new outside/untrust interface of the Palo Alto.
Under your Palo Alto instance, select Actions > Networking > Manage IP Addresses. Expand your outside/untrust interface and click Assign new IP.
This second (secondary) private IP address, 172.18.0.100 in this example, will be the outside IP address of the public server: the address AWS will map the server's Elastic IP onto, and the address the firewall will NAT to the server.
Go back to your Palo Alto EC2 instance and look under the Description tab for your Network Interfaces. Select your untrust/outside interface and copy its Interface ID (eni-xxxxxxxxxxxxx); you'll need it in the next step.
Congratulations, your Palo Alto now has another IP address associated with it that we can use for our public server, but because it is still a VPC private address nobody can reach it from the Internet. Let's fix that in the next step...
Allocate Elastic IP Address
For your new public/outside IP address to be reachable from the Internet, you'll need to allocate and associate an Elastic IP address with it. Go to EC2 > Network & Security > Elastic IPs > Allocate Elastic IP address. Once it's allocated, select the new Elastic IP and click Actions > Associate Elastic IP address. Choose Network Interface and paste in the eni-xxxxxxx that you just copied. In the Private IP address field, pick the additional IP you assigned in the previous step; if you leave it blank, AWS binds the Elastic IP to the interface's primary private IP, which is the firewall's own outside address. While you're in the Network Interfaces view, also confirm that Source/dest. check is disabled on the firewall's untrust and trust interfaces: after NAT the firewall forwards packets that carry addresses other than its own, and EC2 drops those on an interface with the check enabled.
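The AWS half of the procedure above, driven through the EC2 API so it can be repeated for every public server, as an added example that is not part of the original post or of any Palo Alto tooling. Only the untrust subnet 172.18.0.0/24 and the secondary address .100 come from the page; the ENI ids, the trust-side ENI and the dry-run allocation values are placeholders. The function binds the Elastic IP to the secondary private IP explicitly and turns off source/dest check on both dataplane interfaces, the two things the console flow makes easy to miss.

```python
"""Added example: secondary private IP + Elastic IP + source/dest check via the EC2 API.

Assumed, not from the page: the ENI ids, the trust ENI, and the dry-run allocation
id / public IP are placeholders. From the page: subnet 172.18.0.0/24, new address .100.
"""
from ipaddress import ip_address, ip_network


def secondary_ip_is_valid(secondary_ip, untrust_cidr):
    """The extra address must belong to the untrust subnet, or EC2 rejects the assignment."""
    return ip_address(secondary_ip) in ip_network(untrust_cidr)


def add_public_server_ip(ec2, untrust_eni, secondary_ip, untrust_cidr, trust_eni=None):
    """Give the firewall's untrust ENI one more private IP and an Elastic IP bound to it.

    ec2 is a boto3 EC2 client, or any object exposing the same four methods.
    Returns (allocation id, public IP) of the new Elastic IP.
    """
    if not secondary_ip_is_valid(secondary_ip, untrust_cidr):
        raise ValueError(f"{secondary_ip} is not inside the untrust subnet {untrust_cidr}")

    # Console step "Manage IP Addresses > Assign new IP".
    ec2.assign_private_ip_addresses(NetworkInterfaceId=untrust_eni,
                                    PrivateIpAddresses=[secondary_ip])

    # Console step "Allocate Elastic IP address".
    alloc = ec2.allocate_address(Domain="vpc")

    # Console step "Associate Elastic IP address". PrivateIpAddress must be given: if it
    # is omitted, EC2 binds the EIP to the ENI's primary private IP, i.e. the firewall's
    # own outside address. AllowReassociation=False makes the call fail instead of
    # silently moving an EIP that is already bound to something else.
    ec2.associate_address(AllocationId=alloc["AllocationId"],
                          NetworkInterfaceId=untrust_eni,
                          PrivateIpAddress=secondary_ip,
                          AllowReassociation=False)

    # The firewall sends and receives packets carrying addresses that are not its own
    # (the Internet client's address on the trust side, for example). EC2 drops those
    # on an ENI with source/dest check enabled, so it is disabled on each dataplane ENI.
    for eni in (untrust_eni, trust_eni):
        if eni:
            ec2.modify_network_interface_attribute(NetworkInterfaceId=eni,
                                                   SourceDestCheck={"Value": False})
    return alloc["AllocationId"], alloc["PublicIp"]


class DryRunEc2:
    """Stand-in client that records every call instead of sending it, so the change
    set can be reviewed offline before it is run against the real account."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def record(**kwargs):
            self.calls.append((name, kwargs))
            if name == "allocate_address":  # placeholder values, not a real allocation
                return {"AllocationId": "eipalloc-dryrun", "PublicIp": "203.0.113.10"}
            return {}
        return record


def preview(untrust_eni="eni-0123456789abcdef0", trust_eni="eni-0fedcba9876543210"):
    """Dry run of the page's example: untrust subnet 172.18.0.0/24, new address .100."""
    ec2 = DryRunEc2()
    result = add_public_server_ip(ec2, untrust_eni, "172.18.0.100", "172.18.0.0/24", trust_eni)
    return result, ec2.calls


if __name__ == "__main__":
    for name, kwargs in preview()[1]:
        print(name, kwargs)
    # Real run: import boto3; add_public_server_ip(boto3.client("ec2"), "<untrust eni>", ...)
```

The IAM principal running this needs ec2:AssignPrivateIpAddresses, ec2:AllocateAddress, ec2:AssociateAddress and ec2:ModifyNetworkInterfaceAttribute; the dry-run client lets you diff the recorded calls against what you expect before granting those.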
Configure IP Address on Palo Alto
This next step is the same on any Palo Alto, VM-Series or hardware: you need to configure your new public server's IP address on the firewall. Log in to your Palo Alto > Network > Interfaces > Ethernet and select your outside/untrust interface. This guide assumes you've already configured the interface, but if not, select Interface Type = Layer 3, Security Zone = Untrust and Virtual Router = default.
Under the Ethernet Interface, click the IPv4 tab, set the type to Static and add the IP address of the outside interface with its subnet mask (in our case, 172.18.0.5). This may already be done if you set up your Palo Alto with a static IP address on the outside/untrust interface. Click Add again and add your public server's outside/public IP address as a second entry, 172.18.0.100/32 here (an address object works too). This is the VPC private address that Amazon translates to the Elastic IP before the packet reaches the firewall, so the firewall only ever sees 172.18.0.100 and never the Elastic IP. Use a /32 for the second entry so the interface keeps a single connected route for the subnet.
If you're like me, you may have forgotten that a static IP address on the outside/untrust interface doesn't bring a default route with it (the DHCP client had been installing one for you). Without it the firewall has no route back to Internet clients, so return traffic is dropped. Do yourself a favor and ensure your default Virtual Router has a default route of 0.0.0.0/0 out your outside/untrust interface to the default gateway of your outside/untrust subnet (in my case, this was 172.18.0.1).
Static NAT for Public Server
The next step in getting traffic to your public server is to set up Destination NAT (1:1 static NAT for inbound connections) and Source NAT (so the server's outbound traffic leaves from the same public address).
In your Palo Alto, go to Policies > NAT and add the following two entries. Inbound: source zone Untrust, destination zone Untrust, destination address 172.18.0.100, with Destination Address Translation to the server's private IP in the trust subnet. The destination zone is Untrust, not Trust, because NAT rules are matched on the zone the original (pre-NAT) destination routes to, and 172.18.0.100 lives on the untrust interface. Outbound: source zone Trust, destination zone Untrust, source address = the server's private IP, with Source Address Translation type Static IP to 172.18.0.100; place it above any general Trust-to-Untrust source NAT rule, since NAT rules are evaluated top-down and first match wins, otherwise the server's outbound traffic would leave from the firewall's own outside address instead of its own Elastic IP.
The final step is to set up your Security Policies so that you grant the desired access to your public server. The inbound rule goes from zone Untrust to zone Trust (security policy is matched on the post-NAT destination zone) with destination address 172.18.0.100 (security policy still uses the pre-NAT destination address) and only the application or service the server actually exposes; the server also needs a Trust to Untrust rule for its outbound traffic.
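Because the NAT rules key on pre-NAT zones while the security rules key on post-NAT zones but pre-NAT addresses, it is easy to write a rule that never matches. The following is an added example, not code from the original post or from Palo Alto, that models that lookup order for the two flows described above so the rules can be sanity-checked before commit. From the page: untrust subnet 172.18.0.0/24 with the firewall at .5, the gateway at .1 and the server's outside address .100. Assumed, not from the page: interface names ethernet1/1 (Untrust) and ethernet1/2 (Trust), a trust subnet 172.18.1.0/24 with the server at 172.18.1.10, and client addresses from the documentation ranges. Application/service matching and traffic to the firewall itself are not modelled.

```python
"""Added example: how PAN-OS picks the NAT rule and then the security rule for a session.

Assumed (not from the page): ethernet1/1 = Untrust, ethernet1/2 = Trust, trust subnet
172.18.1.0/24, server 172.18.1.10, client addresses 203.0.113.7 and 198.51.100.9.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONE_OF_INTERFACE = {"ethernet1/1": "Untrust", "ethernet1/2": "Trust"}


@dataclass
class Route:
    prefix: str
    interface: str


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str                  # pre-NAT destination zone
    src: str = "any"
    dst: str = "any"              # original (pre-NAT) destination
    translated_src: str = ""
    translated_dst: str = ""


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str                  # post-NAT destination zone
    src: str = "any"
    dst: str = "any"              # still the pre-NAT destination address
    action: str = "allow"


def egress_interface(routes, dst):
    """Longest-prefix route lookup; None when not even a default route matches."""
    best, best_len = None, -1
    for r in routes:
        net = ip_network(r.prefix)
        if ip_address(dst) in net and net.prefixlen > best_len:
            best, best_len = r.interface, net.prefixlen
    return best


def addr_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def evaluate(routes, nat_rules, sec_rules, ingress_if, src, dst):
    """Return (NAT rule name, security rule name, verdict) for a new session."""
    from_zone = ZONE_OF_INTERFACE[ingress_if]
    # 1. NAT lookup uses the zone the ORIGINAL destination routes to.
    pre_if = egress_interface(routes, dst)
    if pre_if is None:
        return None, None, "drop: no route to original destination"
    pre_nat_zone = ZONE_OF_INTERFACE[pre_if]
    nat = next((r for r in nat_rules if r.from_zone == from_zone and r.to_zone == pre_nat_zone
                and addr_match(r.src, src) and addr_match(r.dst, dst)), None)
    # 2. Security lookup uses the zone the TRANSLATED destination routes to,
    #    but the original source and destination addresses.
    new_dst = nat.translated_dst if nat and nat.translated_dst else dst
    post_if = egress_interface(routes, new_dst)
    if post_if is None:
        return nat.name if nat else None, None, "drop: no route to translated destination"
    post_nat_zone = ZONE_OF_INTERFACE[post_if]
    sec = next((r for r in sec_rules if r.from_zone == from_zone and r.to_zone == post_nat_zone
                and addr_match(r.src, src) and addr_match(r.dst, dst)), None)
    if sec is None:  # PAN-OS defaults: intrazone-default allows, interzone-default denies
        verdict = "allow" if from_zone == post_nat_zone else "drop: interzone-default"
    else:
        verdict = "allow" if sec.action == "allow" else f"drop: {sec.name}"
    return nat.name if nat else None, sec.name if sec else None, verdict


# Virtual router, including the default route the page says to add.
ROUTES = [Route("172.18.0.0/24", "ethernet1/1"), Route("172.18.1.0/24", "ethernet1/2"),
          Route("0.0.0.0/0", "ethernet1/1")]
# The page's two NAT entries: inbound static destination NAT, outbound source NAT.
NAT_RULES = [
    NatRule("inbound-web", "Untrust", "Untrust", dst="172.18.0.100", translated_dst="172.18.1.10"),
    NatRule("outbound-web", "Trust", "Untrust", src="172.18.1.10", translated_src="172.18.0.100"),
]
SEC_RULES = [SecurityRule("allow-inbound-web", "Untrust", "Trust", dst="172.18.0.100"),
             SecurityRule("allow-outbound", "Trust", "Untrust", src="172.18.1.10")]


def inbound():
    return evaluate(ROUTES, NAT_RULES, SEC_RULES, "ethernet1/1", "203.0.113.7", "172.18.0.100")


def outbound():
    return evaluate(ROUTES, NAT_RULES, SEC_RULES, "ethernet1/2", "172.18.1.10", "198.51.100.9")


def inbound_with_post_nat_address_in_policy():
    """Common mistake: security rule written against the server's private address."""
    wrong = [SecurityRule("allow-inbound-web", "Untrust", "Trust", dst="172.18.1.10")]
    return evaluate(ROUTES, NAT_RULES, wrong, "ethernet1/1", "203.0.113.7", "172.18.0.100")


def outbound_without_default_route():
    """The page's other pitfall: static untrust interface, no default route."""
    return evaluate(ROUTES[:2], NAT_RULES, SEC_RULES, "ethernet1/2", "172.18.1.10", "198.51.100.9")


if __name__ == "__main__":
    for case in (inbound, outbound, inbound_with_post_nat_address_in_policy,
                 outbound_without_default_route):
        print(f"{case.__name__}: {case()}")
```

The two failure cases are the ones this write-up warns about: a security rule that names the post-NAT address silently falls through to interzone-default, and a missing default route drops outbound and return traffic before any rule is consulted. On a real firewall the same check is `test nat-policy-match` and `test security-policy-match` from the CLI.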
I hope this short how-to helps. It took me a while to find it since most guides I stumbled across didn’t deal with scalably adding public access to servers. To add more public servers, just repeat this process.