10-07-2015 09:51 AM
I'm new to AWS, but not new to Palo Alto. We are at the initial phases of building out our AWS environment. I'm getting familiar with AWS but not an expert by any means. I thought I'd start with a trial version of Palo Alto for AWS. At any rate, I've followed some Palo Alto documentation (Set Up the VM-Series Firewall in AWS) to get things rolling. I created a public subnet and an ENI, attached them to the Palo Alto instance and got this specific ENI working within the VM (the link eth1/2 shows up), but I can't ping it, HTTPS to it or anything (all security groups and filtering are wide open on the AWS side), and the interface mgmt profile is configured to allow this on the VM side. This is my first problem.
My second problem is, I tried creating another ENI for the "public/untrust" (eth1/1) facing interface on the PA and it raised a dozen questions. How do I do this? Do I need a separate AWS subnet for this interface? Should it be a private or public subnet if I need a new one? Do I need to attach the ENI to an EIP and then to the instance so the ENI has a public IP? Do I configure the public IP on the PA VM or the private IP? Are the configurations supposed to be static (and I match the AWS-assigned IPs)? The documentation doesn't clarify any of this. Perhaps these are things they assume we should know.
If anybody has experience with this and is willing to share (with some detail) how it was set up in your environment, I'd appreciate it.