This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About jmeurer
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About jmeurer
03-22-2023
21Posts
2Likes
4Solutions
Mar 22, 2023Last Visited
User
Activity
User
Profile
Latest posts by jmeurer
| Subject | Views | Posted |
|---|---|---|
| 4982 | 07-27-2021 08:03 PM | |
| 3708 | 07-20-2021 08:52 AM | |
| 1979 | 07-19-2021 01:04 PM | |
| 3888 | 06-22-2021 10:24 AM | |
| 3975 | 06-17-2021 10:53 AM | |
| 1523 | 05-21-2021 08:43 AM | |
| 2262 | 05-14-2021 05:57 AM | |
| 4550 | 05-14-2021 05:52 AM | |
| 3585 | 05-13-2021 12:01 PM | |
| 4744 | 05-13-2021 11:56 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 05-13-2021 12:01 PM | |
| 1 Like | 05-13-2021 11:56 AM |
User Badges
Community Statistics
| Member Since | 02-25-2021 07:17 AM |
| Date Last Visited | 03-22-2023 08:25 AM |
| Posts | 21 |
| Total Likes Received | 2 |
07-27-2021
08:03 PM
The issue is that the firewall is using the last IP in the list and not the first. Please open a TAC case to push the fix through to engineering.
... View more
07-20-2021
08:52 AM
Make sure your SNAT rule is set with the original packet set to the untrust private IP and not the EIP. AWS SNATs on the way in and firewall sees the packet after the EIP translation. Also, ensure both interfaces are added to the VR.
... View more
Today, Palo Alto Networks is excited to announce support for EC2 Auto Scaling Warm Pools . Warm Pools can reduce the in-service time for VM-Series firewalls by up to 80 percent by staging instances in a stopped state after the bootstrapping process. When an Auto Scaling action triggers a scaling event, the warmed instance is simply started from the already staged warm state. This staging is made possible by adding new lifecycle actions to trigger automation which validates the readiness of an instance.
Here’s why this is important: For more than four years, Palo Alto Networks customers have been using VM-Series Next Generation Firewalls (NGFWs) with Amazon's EC2 Auto Scaling to create scalable and robust network security on AWS. Auto Scaling in AWS solves three major challenges:
Right-sizing capacity based on demand
Resiliency across Availability Zones
Self-healing unhealthy instances
Enhancing VM-Series Auto Scaling in AWS
While VM-Series and EC2 Auto Scale provide several benefits for our customers, there is still some unavoidable latency with the VM-Series NGFW bootstrap process. As an Auto Scaling Group begins to scale out new EC2 instances running PAN-OS, the initial boot process of the new instance(s) can take several minutes. Many customers have historically worked around this by over-provisioning NGFW instances on AWS; however, this leads to increased costs and wasted compute.
Key benefits of Warm Pools:
Reduces EC2 cost by keeping the warmed instance in a stopped state. Cost is reduced to just the EBS storage cost.
Dramatically reduces the time necessary for a firewall to become available to the load balance.
Provides dedicated lifecycle actions which can occur when an instance is built or moved from warm to running, including integrations with Amazon EventBridge and Amazon CloudWatch.
Figure 1: Lifecycle Hook Flow Diagram
Figure 1: Lifecycle Hook Flow Diagram
Licensing Considerations
Warms Pools works with both PayGo and our flexible consumption licensing model . When utilizing PayGo, no additional costs are incurred, as the firewall will not incur EC2 usage charges. Additional licenses will be consumed by the stopped firewalls when utilizing BYOL/FW-Flex.
To learn more, we encourage you to follow these links:
EC2 Auto Scaling Warm Pools
VM-Series in AWS Marketplace
GitHub repository with sample VM-Series configuration for Warm Pools
VM-Series with Gateway Load Balancer
Palo Alto Networks VM-Series Reference Architecture for AWS
Learn more about VM-Series
... View more
Labels:
06-22-2021
10:24 AM
Circling back to this. I recently posted the simplified autoscaling template that I mentioned. https://github.com/PaloAltoNetworks/AWS-GWLB-VMSeries/tree/main/cft_simplifiedASG_with_warm_pools
... View more
06-17-2021
10:53 AM
We have an update coming to the ASG scripting in the next week or two that greatly simplifies the scripting. Now with that said, there are few functions performed by the scripts, and here are some ways around them. 1. AWS had a limitation with Launch Templates that limited the instance to one interface. A large portion of the code adds the second interface after boot. That limitation no longer exists but you a forced to run mgmt and data plane in the same subnet. If you properly configure your security groups, this is not a risk as you just need 0/0 pointing to a NatGw and RFC 1918 pointing at the TGW in that subnet. 2. The scripting also handles delicensing and removal from Panorama. We have a licensing plugin that can handle those tasks for you. https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/license-the-vm-series-firewall/use-panorama-based-software-firewall-license-management
... View more
05-21-2021
08:43 AM
If the public IP is set on the Panorama side, you can try this. Otherwise, you will need to contact TAC as the Public IP is the preferred IP that it should be using. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UpdCAE&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
... View more
05-14-2021
05:57 AM
Panorama has the ability to export to SCP. You would need to run a sidecar box that accepts the SCP transfer and subsequently moves the data to S3. https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/administer-panorama/manage-panorama-and-firewall-configuration-backups/schedule-export-of-configuration-files.html
... View more
05-14-2021
05:52 AM
It shouldn’t be a problem but I would snapshot it first. You may also want to consider leaving it an M5, better performance and you should compare the per hour running cost, it could be cheaper.
... View more
05-13-2021
12:01 PM
1 Kudo
You need a sidecar to move the data to S3. It is documented here. Rather than moving through to Lambda, you would use CloudWatch or Kinises to send the data to S3. https://aws.amazon.com/blogs/apn/monitoring-your-palo-alto-networks-vm-series-firewall-with-a-syslog-sidecar/
... View more
05-13-2021
11:56 AM
1 Kudo
As long as you know the user name and password, EC2 Serial Console works with Panorama. I just realized that you mention m4 instance type. Serial console only works with Nitro based instance. If you are running 9.0 or greater, you can shutdown the instance and convert it to an m5. Ideally is better to control access to instances with Security Group and NACLs rather than within the PANOS config. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-serial-console.html
... View more
05-10-2021
11:31 AM
Have you enabled Appliance mode on the TGW Attachment and cross-zone load balancing on the GWLB? Interface swap is not required but recommended when using automation script or autoscaling.
... View more
04-29-2021
06:49 AM
At the time of this posting, the ALB does not care about mismatched certs so you could actually use a self-signed cert on the firewall.
... View more
04-28-2021
05:28 AM
Yes, you can decrypt on the ALB to perform any URI-based policy or insert the XFF. You can choose to keep the traffic decrypted behind the ALB and the firewall will see the clear text traffic or reencrypt on the ALB and use inbound SSL decryption. Typically you would use the same cert for the ALB, backend, and firewall. At the time of this posting, the ALB does not care about mismatched certs so you could actually use a self-signed cert on the firewall.
... View more
04-28-2021
05:23 AM
It's due to the return path routing. If you were using a single firewall or an HA pair, you would need to have your 0/0 route pointing back to the firewall to maintain symmetry. Typically, it is recommended to use an App Gateway in front of the firewalls which can insert the XFF header if the traffic is HTTP.
... View more
04-13-2021
09:12 AM
What subnets are your LB and back in? The route that I question is the /22 on only one of the firewalls. If you have backend traffic that is not in the same subnet as an interface, you could be routing it out Eth1/1 but snatting it to Eth1/2. That will cause a timeout. On the flip side, you have a 10/8 route via eth1/2, this is going to prevent your LB health checks from return to the cross zone subnet via eth1/1. You should have 0/0 via eth1/1 and static route for the NLB subnets also via eth1/1. You can then use the 10.8 route to get to all other subnets via eth1/2.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-22-2023
08:25 AM
|
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks