topic Re: AWS Totally Noob Question - Routing in VM-Series in the Public Cloud

AWS Totally Noob Question - Routing

LukeBullimore — Sun, 24 Feb 2019 12:32:48 GMT

Hi All,

I've just deployed my first VM series firewall in the AWS Public Cloud. I've made the security groups, attached ENIs to Network Interfaces, I can get to the GUI and I can see my traffic coming into my untrust interface just fine.

On that untrust interface, I'm hosting a GlobalProtect Portal but can't access it. The traffic shows no return bytes. If I look at the packet counters it's being dropped because of no route. My main question, what is the next hop of my default route supposed to be (in the PA VR) so the traffic can leave and go back to the VPC?

With Azure, this was a little easier for me to understand because you'd just give it the .1 address in the same subnet to point it back to the Azure Fabric.

Again, very sorry for the noob question!

Thanks,

Luke.

Re: AWS Totally Noob Question - Routing

glynn — Sun, 24 Feb 2019 13:46:50 GMT

Luke:

As with Azure, the first IP in the subnet (after the subnet address) is the VPC router in AWS. See

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html

In particular, the bottom of the section titled “VPC and Subnet Sizing for IPv4” where it lists the reserved addresses in the subnet.

If you have the interface set to DHCP, you can click on “Dynamic-DHCP Client” for the interface and see the gateway IP as well as a number of other items (DHCP options, DNS, etc).

Regards,

Patrick

Re: AWS Totally Noob Question - Routing

LukeBullimore — Sun, 24 Feb 2019 14:15:13 GMT

Hey @glynn

Absolute legend, that fixed it. Really don't know why I didn't think of grabbing the IP from the DHCP Client Info.