This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About craig.beamish
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About craig.beamish
12-16-2021
8Posts
1Like
0Solutions
Dec 16, 2021Last Visited
User
Activity
User
Profile
Latest posts by craig.beamish
| Subject | Views | Posted |
|---|---|---|
| 2837 | 08-27-2021 01:32 AM | |
| 2925 | 08-16-2021 01:45 AM | |
| 7782 | 01-14-2021 01:45 PM | |
| 8173 | 12-17-2020 02:05 PM | |
| 8444 | 12-16-2020 08:18 PM | |
| 12757 | 12-10-2020 09:23 PM | |
| 2103 | 07-22-2020 08:08 PM | |
| 2254 | 07-16-2020 07:37 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 12-10-2020 09:23 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 4 Likes | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 08-15-2019 08:50 PM |
| Date Last Visited | 12-16-2021 01:47 AM |
| Posts | 8 |
| Total Likes Received | 1 |
08-27-2021
01:32 AM
So now overlay routing is out and "functional" i've done more testing, Its only feasible for single direction flow: in > out or out > in what ever interface has the VPC endpoints attached MUST be the interface for return traffic (i.e. VPCe Ethernet1/1.1, 'trust' network behind ethernet1/1) so reading the docs: traffic comes in network client > GWLB > VPC endpoint > GENEVE int ethernet1/1.1 > egress eth1/2 > nat/IGW > server return: server > in nat/igw > eth1/2 > ethernet1/1 > client the docs indicate that return traffic does not egress the geneve sub interface but rather the normal physical interface. You can't have traffic come in eth1/1.1 and egress eth1/1 it just doesnt seem to work oddly.
... View more
08-16-2021
01:45 AM
I thought i saw on 10.0.5 or 10.0.6 release notes that GWLB was working with overlay routing, is it still not fully functional?
... View more
01-14-2021
01:45 PM
For those playing at home, In further discussions with @jmeurer, AWS apply a 5 tuple hash on the traffic to ensure return path, so applying a NAT breaks the traffic flow and AWS drops the traffic. Overlay routing is not yet functional, hopefully it will be in 10.0.4 or 10.0.5 and I can test if I can get the NAT to work for me in that aspect. I am curious if the return traffic would exit via the same geneve tunnel given theres no routes through it in that situation, only time will tell.
... View more
12-17-2020
02:05 PM
neither of those suit the application Im doing. We have multiple inbound services that sit behind the firewall. the current layout is the trust/untrust sandwich but we would prefer to move away from the NLB design as they have a capacity limitation in regards to autoscale groups. the design plan is that we have 'anchor' network addresses for each inbound service, the traffic comes in via the IGW, steered through the geneve tunnel to the palo, at which point we apply a destination NAT to the actual application load balancer of that service (which is in a different vpc), the traffic is still supposed to egress the geneve tunnel just with a different destination address, but the palo seems to drop it (even though the palo pcap believes it is forwarded on (seen in transmit stage with correct destination IP) on your comment re: overlay routing, why did they put the feature command in there if they havent got it working yet? /logic 😕
... View more
12-16-2020
08:18 PM
We are using a nat gateway. outbound works just fine until you apply NAT of any sort. just trying to apply any sort of NAT to change the direction of the traffic breaks it. so if i put a nat rule that traffic to 1.1.1.1 gets d-nat to 8.8.8.8, the traffic never exits the firewall. key use for this was for inbound traffic, redirecting inbound traffic to the correct ALB that lives in another vpc, the traffic seems to get dropped at the firewall, even though pcaps show it *thinks* it is being forwarded on, its not.
... View more
12-10-2020
09:23 PM
1 Kudo
Hi All Has anyone else had a play with the GWLB on AWS? I know it must be PAN-OS 10.0.2 or higher to work, I have tested with multiple instances, As a bump in the wire it works fine. until you apply NAT, then it doesn't work at all for any traffic that is NAT'd. I have an open TAC for this, they are replicating the fault to work it out but surely this was all tested before it went public. I also found overlay routing breaks traffic flow. its not documented anywhere that I could find but what I found was it processes the GENEVE traffic in the virtual router where without it, is just an in-return non routed flow. If you've tinkered with it and actually got inbound/outbound NAT and/or overlay routing to function, please let me know what you did. sadly the documentation just doesnt provide any decent clarity for this feature. Also extremely disappointed they havent integrated this into version 9.1. I am hopeful they will add it with 9.1.7 in a functional state as I am not planning to move my clients to 10.0 until the list of known issues is about 1/4 its current size.
... View more
07-22-2020
08:08 PM
Got there in the end. Had to butcher the Palo github python scripts (also clean a LOT of the errors and inconsistencies in there. that code realllly needs reviewing and error checking) removed anything referencing nlb/alb and it worked fine from there. Also had to add some steps in for firewall initilisation, as the 9.1.3 images im using are failing the panorama auto commit (saying loopback.1 has no VR configured, must be a problem in panorama pushed template?) so had to create a loop to look for that and revert configuration, update the masterkey (because the templates have no consideration for following best practices?) and then force template values in a template-stack commit from panorama before pushing the shared policies. Will document all the changes and submit to the repo in a fault ticket for the owners to fix.
... View more
07-16-2020
07:37 PM
I've read the doccos on the current versions of AWS autoscale and they all seem very convoluted and create new applications and load balancers. What I am trying to achieve is to just scale the firewalls only and add to existing target groups and have Panorama push the configuration down. I know that version 2.1 does this but it looks as though its pre compiled lambda scripts do everything, so what bits do I need to remove in order to take it down to just scale the firewall without the backend applications (they are managed separately behind internal loadbalancers) This seems like it *shouldn't* be that hard but its proving nightmarish. the AWS autoscale groups won't allow the launch template to have multiple network interfaces so that screws the first bit. no worries, that can be handled with a lambda function right? just need to trigger it with the scale out and scale in events of the autoscale group. Has anyone done this method? successfully? surely i'm not the first person to want to do this implementation strategy any insight would be great. Craig
... View more
- Tags:
- autoscaling
- aws
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-16-2021
01:47 AM
|
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks