About jmeurer

That SNAT flow does not sound correct.   The NAT rule that Destination Nats the traffic to Endpoint, should also have source translation set to the internal interface.     Would you mind posting screen shots of the nat rule. ... View more

Did you add a source translation to the NAT rule with the firewall's interface address?  Otherwise the endpoint will try to respond directly to the original client IP.   If you spin up a bastion host in the VPC, can you access the end point?  It could an SG on the endpoint not allowing the traffic in.   ... View more

I used this guide. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html   When the private endpoint is created, it will have a zone redundant FQDN assigned to it.  You use that FDQN as our destination in the NAT rule. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/nat/configure-nat/configure-destination-nat-using-dynamic-ip-addresses.html   You do also need a source nat on the same rule to ensure the proper return path from the api GW to the firewall.  That would typically be your trust side interface address. ... View more

The way I have solved this in the past is to configured the API Gateway with a private endpoint in the firewall VPC.  Configure the the firewall pool behind a Public ALB to serve as you front end with your desired app cert.  Use a source and destination NAT rule to forward that traffic through the firewalls to the API GW endpoint FQDN.   One nuance, if you intend to decrypt the traffic on the way through use a SSL Forward Proxy decryption profile rather than the more intuitive Inbound Decrypt profile.  The API gateway does not allow you to load a custom cert when using a private endpoint.  By flipping the profile, you can get around the SSL handshake errors.  The ALB will ignore the self signed cert warning. ... View more

he tunnel build process is documented here. https://www.paloaltonetworks.com/resources/reference-architectures/aws   In general, if it works intermittently, check your timers in your IKE and IPSec profiles.  Also, ensure that only the VPN ethernet interface has the "Automatically create default route pointing to DG provided by server".  If you have multiple interfaces, you may end up with 2 default routes in the VR that are competing with each other.  If you have EIPs on multiple interfaces, then you give each its own virtual router with a 0.0.0.0/0 route pointing outbound. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQRCA0 ... View more

If using the TGW, vpn to the TGW rather than to the firewalls and use the TGW routing mechanism to route through the firewalls before going to the spoke VPC.  If using a single VPC, vpn to a VGW attached to the VPC and use Ingress Routing to route through the firewalls.  If you VPN to the firewalls and they are not configured for HA, you either need to SNAT the traffic or use some additional scripting to update the VPC routing to avoid asymmetry.   I believe you could benefit from a white board session with one of our SEs.  Reach out to your local account team and they can assist with locking in a design that suites your environment. ... View more

We do not currently have native support for HA across zones.  Typically in a VPN scenario, you use BGP to handle the failover between the two firewalls running tunnels to both firewalls.  You can use a script such as this one to handle the VPC route table.  You would just need to change the path monitor to monitor something across the VPN tunnel.   https://github.com/wwce/AWSCrossZoneHA    I a more robust scenario, you would use a Transit Gateway and the on-prem aspect of the reference architecture to treat the firewall as an inspection zone in the routing path. ... View more

Your understanding is spot on.  That PIP should be moved to the FW or ExtLB and natted to ensure proper bi-directional flow. ... View more

The load balancer is your fault tolerance mechanism for the inbound traffic.  For inbound you have two options essentially for fault tolerance.  Use the load balancer to health check and distribute traffic to the firewalls or set up HA between two firewalls in the same AZ.  HA is active passive while LB is active/active giving you better overall utilization and spend.   For outbound, AWS does not currently offer route to load balancer so your only option is to configure HA with your 0/0 route pointing at the active firewall. ... View more

Which cloud? (Network) Security Groups or GCP firewall rules could certainly be in play.   Double check your route table on the firewall.  You should have 0/0 route pointing to the ETH1/1 subnet first IP address and a route for your vnet/vpc cidr sending the traffic back in through ETH1/2 interface.  If you have both interfaces set to DHCP and default settings, they both inherit a default route.  You need to disable it on the ETH1/2 interface.   Do you see the traffic in Session Browser? ... View more

You are on the right track, you don't actually need secondary IPs of the Untrust interface.  We typically use Port Address Translation.  The Load Balancer Backend would be the firewall's Untrust Interface IP on a custom port such as 4431.  The load balancer rule would then map the front end IP on the standard port to the backend pool on the non-standard port.  The firewall performs both source and destination nat.  The original packet is the non-standard port traffic arriving on ETH1/1, the translated packet sources from Interface Eth1/2 and the destination is the actual application on the proper port.  We document this path in the reference architecture. https://www.paloaltonetworks.com/resources/reference-architectures/azure   ... View more

You could potentially run the following command but it sounds like you have lost access entirely.  Interface Swap just moves the management to ETH1 of the instance which may have a different security group that is blocking access.  You may want to try adding a bastion host and access the firewall from within the VPC to circumvent any routing to a NatGW that is preventing inbound due to the different subnet. set system setting mgmt-interface-swap enable no ... View more

AWS does not allow of the addition of more specific routes in a VPC.  Due to this, you would typically look at a multi-VPC model to achieve east-west inspection between instances.  We have examples of these types of deployments in our AWS reference architecture.   https://www.paloaltonetworks.com/resources/reference-architectures/aws ... View more

The VR limit per license type can be viewed here. https://www.paloaltonetworks.com/products/product-selection.html#   The limit on a VM-300 is 10 VRs.  With that said, you generally shouldn't need more than two.  You should route all internal traffic through the same interface with the HA Port LB.  If you try to Zone Policy that traffic, you will need SNAT.  Azure maintains persistence on a 1-arm routing mode only.  We touch on this in the East-West component of the reference architecture. https://www.paloaltonetworks.com/resources/reference-architectures/azure   ... View more