About securehops

@aleksandar.astardzhiev    Appreciate your help on this.  This makes a lot more sense now.   I'm clear on the east/west functionality.   I did go through the architecture guide but I suppose I missed some details.  I will revisit, as one item still doesn't make sense.  If I have a workload in VPC-A that has a public elastic IP assigned to it, I'm not seeing how I can inspect it with the firewalls in the security VPC before it goes outbound to internet.  I'm thinking outbound would only work if all instances are private and rely on NAT-GW in security VPC to go to internet    ... View more

@aleksandar.astardzhiev    Thank you again for response.  It's getting clearer.  If I'm understanding correctly,  if I have 5 VPCs  (workloads) + 1 Security VPC(FWs),  each of the 5 VPCs will have their own GWLBe,  and the security VPC will have two GWLBe (one for outbound and one for east/west). All 5 VPCs should map to the same sub-interface and I should probably call that firewall zone "east-west"   For firewall policy rule creation for things I need to limit/inspect,  I should do source zone east-west, source address x.x.x.x,  destination zone east-west, destination address x.x.x.x   Continuing with that logic, if I understand correct, then I should assume if an EC2 instance in VPC-A is going to the internet,  I should expect to see on the firewall logs source zone outbound, destination zone outbound?   I just want to mention that in my security VPC, I was not creating multiple GWLBe, for each zone.  In case that wasn't clear.       ... View more

Hi @aleksandar.astardzhiev    Thank you for the reply, I get what you're saying but I have some questions.  I understood that GWLB will send data back to the endpoint it came from and that the sub-interfaces are not used for routing. 100% agree there.  The routing is all handled through the AWS subnet route tables and TGW route tables.  However, you mentioned "In addition the sub interfaces are not even used for routing, they are only used for zone mapping"  This is exactly what I need it for.  I was only trying to use the sub-interfaces to help create firewall policy rules.   In this Palo Alto doc, shows exactly what I'm trying to do.  It does mention east/west.  So in this design, I'd like to create specific fw rules for traffic between APP VPC 1 and APP VPC 2.  I'm not trying to make routing decisions, I'm only trying to make policies based on this traffic.   How would I accomplish this?   https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/vm-series-integration-with-gateway-load-balancer ... View more

Anyone having a similar issue? ... View more

Palo support gets worse by the day   Reach out to your account team and have them escalate ... View more

@TomYoung    The issue is related to Panorama.  Any Panorama version under 10.1, does not have the column for ADV licensing.      So yes, Panorama is showing accurate licensing for those firewalls with the old licensing, but until we upgrade to Panorama 10.1, we will not see accurate licensing for the firewalls with Adv   ... View more

@SubaMuthuram    It is actually 10.1.x,       ... View more

@BPry    This is what I figured, but we did buy a lot of PA-220's right before PA-400 was announced.  It's a little disappointing.   That being said, would you recommend keeping those on 9.1.x?  We typically like to keep all our models consistent, but I'd prefer to get the higher models on a later version ... View more

@FunkyD    I meant to come back and post the solution.  I haven't done it yet but the fix is to upgrade Panorama above 10.x.   In those higher versions, there is a new column for Adv URL, which 9.x doesn't have.   Pretty silly on Palo's part, but this is what they are saying   EDIT:  it is actually 10.1.x that resolves this ... View more

Hi @PavelK    Yes, I am running most recent content update.  I've tried the refresh already but no luck there.   I have a ticket open with support on this.  I'll post back their findings  ... View more

thanks @PavelK I confirmed the same with support today.   Thanks for the link ... View more