About jmeurer

jmeurer · ‎08-25-2019

I would encourage you to review our reference architecture. It covers east-west flows that is the cloud reclassification of a DMZ. As designs scale, we move Azure toward transit VNET designs. https://www.paloaltonetworks.com/resources/guides/azure-architecture-guide In addition, your SE can engage with you in a design session around cloud architectures as they typically differ from traditional DC designs due to the lack of L2 in the cloud.

jmeurer · ‎08-23-2019

You do not need to reboot to assign a static in the Firewall GUI, you leave the assignment as is on the EC2 side. You just need to assign that IP in the firewall GUI as a static. I cannot guarantee that it will not be traffic impacting though as it works through the DHCP release during the commit. As for your second question, that comes down to how your VPC routing is configured. Traffic leaves the Firewall Mgmt interface on its private IP, if VPC routing sends the traffic to an IGW or NatGW, the fabric will then SNAT to the assigned EIP. If you have a route pointing to on prem via a DX or VGW, then the traffic should remain private.

jmeurer · ‎08-22-2019

You need to assign a static IP address to the Interface before it can be used as a service route. Just ensure you use the same IP as what is assigned by the cloud provider.

jmeurer · ‎08-18-2019

We have examples of firewalls in an ASG here. Please review and post back with any questions. https://github.com/PaloAltoNetworks/aws-elb-autoscaling

jmeurer · ‎06-20-2019

AWS ETH0 = PA Management AWS ETH1 = PA ETH1/1 AWS ETH2 = PA ETH1/2 AWS ETH3 = PA ETH1/3 This assumes you did not perform an interface swap during deployment. If so Management and ETH1/1 would be reversed so that ETH1/1 is the target of an ELB.

jmeurer · ‎05-07-2019

In a transit VPC model, cross account is not a factor. The VGW in the spoke and EIP of the firewall communicate over the open internet eliminating any cross account issues. If you are using the automated CFT, the steps to add the accounts are documented in the template instruction. In a Transit Gateway scenario, VPC insertion models natively support cross account attachments. This article speaks to TGW sharing. https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html

jmeurer · ‎04-29-2019

You have hit all of the usual culprits. Time to get a TAC case open.

jmeurer · ‎04-29-2019

I assume the firewall has corresponding routes for both subnets pointing to the first IP of the internal subnet the firewall is attached two. Also, check to ensure the interface has IP Forwarding enabled on the azure side. If you do need to change this setting. Reboot the firewall. I have seen it not apply until after reboot. https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface#enable-or-disable-ip-forwarding From there, double check your NSGs. Since this intrazone traffic, it should be allowed, but you may not be logging it due to the inherent rule. Override logging on intrazone, it may give you some further information in the Monitor.

jmeurer · ‎04-29-2019

Do you have a corresponding route in subnet 2 pointing to the firewall for subnet 1? If you do not, azure will assymetrically return the traffic directly to the server rather than return routing through the firewall due to the VNET route.

jmeurer · ‎03-15-2019

Rather than different interfaces, I would recommend using Port Translation or secondary IPs on one Untrust interface to glue the inbound traffic to the destination nat. As you encountered, multiple interfaces will result in complex routing that is accomplished through VR mapping internal and external interfaces together or putting all Untrust Interfaces in the same zome to over come the asymmetry with multiple 0/0 outbound routes for each interface.

jmeurer · ‎03-15-2019

Your model works for single firewall. My point was more so if you want to consider Fault Tolerance in the design when adding a second firewall. No need for the added complexity of the load balancers in a single firewall use case.

jmeurer · ‎03-14-2019

While it is possible, I would not recommend going this route. To make it work, you need to be diligent in ensuring your UDRs point to the correct firewall IP for the bidirectional traffic. One thing that jumps out at me is that your VR is utilizing E1/3 interface for the Trust 2 routes but you do not have E1/2 specified for the Trust 1 routes. Another common issue is that manually added Azure Interfaces typically do not have IP Forwarding Enabled in the IP config. Check this on your E1/3 and E1/2 interfaces. With that said, this model does not hold true when you introduce the Internal LB with HA Ports for Fault Tolerance and Scalability. In order to introduce this model, a single LB Front End IP and single Interface per Firewall needs to be used for all East/West/Hybrid routes to ensure symmetric routing and persistence due to Azure's hashing algorythm. This results in Security Policies that are subnet based and not zone based. You can use the Transit VNET template as an example. https://github.com/PaloAltoNetworks/Azure-Transit-VNet/tree/master/Azure-Transit-VNET-1.0

jmeurer · ‎01-10-2019

That is an indication that bootstrapping has failed as that usename and password is not added until the bootstrap.xml is read from the S3 buckte. Log in to ETH0 with your pem file and a username of admin. You can utilize the following commands to verify the bootstrap process. show system bootstrap status debug logview component vm_install_media You can also view the system screen shot during bootup to watch for bootstrap errors.

jmeurer · ‎01-09-2019

Yes, it does appear that Canonical has updated their AMI list. The template utilizes Ubuntu 16.04. You can update the Mappings section for the Xenial map and retest. I will work to get the repo updated.

jmeurer · ‎01-09-2019

Please post any other errors earlier on in the Events list. Are you running this template? https://github.com/PaloAltoNetworks/aws-alb-sandwich

Member Since	‎08-07-2017 11:11 AM
Date Last Visited	‎02-08-2021 01:29 PM
Posts	104
Total Likes Received	26

Online Status	Offline
Date Last Visited	‎02-08-2021 01:29 PM

About jmeurer

Re: AWS VM Series Gateway Load Balancers not working

Re: AWS VM Series Gateway Load Balancers not working

Re: East west traffic in transit gateway with vpn attachment with firewall...

Re: AWS VM Series Gateway Load Balancers not working

Re: AWS VM Series Gateway Load Balancers not working

Re: AWS VM Series Gateway Load Balancers not working

Re: AWS VM-100 (2 VCPU limit) on M4/M5.xlarge (4 VCPU onboard) - wasted VCP

Re: PA firewall traffic to AWS API gateway

Re: PA firewall traffic to AWS API gateway

Re: PA firewall traffic to AWS API gateway

Re: Trust interface on vm not coming up in AWS

Re: AWS NAT not coming back

Re: AWS VM-100 (2 VCPU limit) on M4/M5.xlarge (4 VCPU onboard) - wasted VCP

Re: Site to Site VPN between AWS transit GW and PA FW in AWS

Re: upgrade OS from 8.0 to 9.0 on AWS PA-VM

Re: AWS NAT not coming back

Re: AWS ALB/NLB Sandwich - Cloud formation deployment failure.

Re: AWS ALB/NLB Sandwich - Cloud formation deployment failure.

No inbound traffic to external firewall interfaces in Azure and change to default NSG behaviour

Re: How can i Create more than 4 security zones on VM-100 on Azure?

Re: On PA VM unable to change service route configuration to select another interface for example e

Re: On PA VM unable to change service route configuration to select another interface for example e

Re: Auto Scale Group - VM Series

Re: Trust interface on vm not coming up in AWS

Re: VM-Series on AWS with VPC's from multiple accounts

Re: Azure No Arp

Re: Azure No Arp

Re: Azure No Arp

Re: Azure multiple public front ends on load balancer

Re: Palo Alto Azure - second trust interface routing issue

Re: Palo Alto Azure - second trust interface routing issue

Re: AWS ALB/NLB Sandwich - Cloud formation deployment failure.

Re: AWS ALB/NLB Sandwich - Cloud formation deployment failure.

Re: AWS ALB/NLB Sandwich - Cloud formation deployment failure.

Unlock your full community experience!

About jmeurer