topic Re: Global Protect Cloud with AWS in VM-Series in the Public Cloud

GlobalProtect Cloud Services with AWS

nbenos — Thu, 11 Jul 2019 02:45:37 GMT

Looking to egress AWS vpc traffic to GlobalProtect Cloud Services if that's even possible? Anyone have experience or tried doing this?

NOTE: GlobalProtect Cloud Service has changed to Prisma Access.

Re: Global Protect Cloud with AWS

hpunjabi — Sun, 05 Nov 2017 13:15:01 GMT

Hi @nbenos,

You should be able to form VPN between AWS VPC and Global Protect Cloud.

Are you trying VPN connection with AWS VPN Gateway or do you have a VPN capable device (Palo Alto EC2 instance for example) in your VPC ?

Re: Global Protect Cloud with AWS

nbenos — Mon, 06 Nov 2017 15:17:50 GMT

Hi hpunjabi,

Thanks for the response. I'm trying to vpn between the AWS vpn gateway and the Global protect cloud. Just not sure of the configuration for this and if it's even possible?

Thanks,

Nick

Re: Global Protect Cloud with AWS

hpunjabi — Sun, 12 Nov 2017 15:38:17 GMT

Hi Nick,

Yes you should be able to configure VPN between GPCS Cloud and AWS VPN.

1. Create a Customer Gateway (Amazon) pointing to GPCS Cloud Public IP.

2. In VPN Connection (Amazon) specify static routes for Mobile VPN/Remote VPN subnet as well as Infrastructure subnet in GP cloud.

3. In GPCS all configuration should be same like other VPN, specify Amazon VPC as remote subnet and in tunnel monitor specify 169.X.X.X ip address specified by Amazon (this can be viewed once you click Download configuration).

Also one thing to take note that the encryption and authentication would be visible under downloaded configuration from Amazon which you will have to replicate in GPCS.

Re: Global Protect Cloud with AWS

nbenos — Mon, 13 Nov 2017 20:16:16 GMT

Thanks so much for the info hpunjabi! So now I'm able to successfully build the tunnel in AWS and also GPCS.

AWS Tunnels both show up

GPCS shows status of ok for remote network

The only issue I have is when I create a test machine in the AWS VPC I can't seem to send out the internet traffic through the tunnel. I'm pretty sure it's a routing issue on the AWS side.

So far I have here's the routes I have for the VPC:

local AWS subnet route and target is local

0.0.0.0/0 which is going to the internet gateway. I figured this one had to be pointed to the virtual gw, but when I change it to that it just breaks my connection to the test device in the AWS VPC.

GPCS infrastruture subnet and the target it the vgw

both tunnel 169.x.x.x addressess and the target is the vgw

any ideas?

Thanks,

Nick

Re: Global Protect Cloud with AWS

hpunjabi — Tue, 14 Nov 2017 12:35:48 GMT

Hi Nick,

Have you setup Corporate VPN ? After the VPN is up now aren't you able to get access from Corporate LAN?

One thing I can suggest is to add route for your public IP address (System or Laptop) from which you are managing test machine towards Internet Gateway and then default route towards VPN Gateway in Amazon.

This way you will have the connectivity to the test machine and you can test for Internet connection through GP cloud.

Re: Global Protect Cloud with AWS

nbenos — Mon, 20 Nov 2017 14:35:51 GMT

Hi hpunjabi,

Thanks again for all the help. I did add a public route for the test IP and after troubleshooting a bit, I realized it was a route that needed to be placed on the vpn tunnel settings in AWS. I'm now able to filter traffic egressing the AWS VPC. Thanks again for all the time spent helping me out!

-Nick