This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About jmeurer
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About jmeurer
02-08-2021
104Posts
24Likes
15Solutions
Feb 08, 2021Last Visited
User
Activity
User
Profile
Latest posts by jmeurer
| Subject | Views | Posted |
|---|---|---|
| 3615 | 02-08-2021 10:08 AM | |
| 3929 | 02-08-2021 08:07 AM | |
| 1821 | 01-22-2021 05:04 AM | |
| 8232 | 12-17-2020 02:13 PM | |
| 8487 | 12-17-2020 09:52 AM | |
| 8629 | 12-11-2020 04:57 AM | |
| 4718 | 11-23-2020 01:10 PM | |
| 1373 | 09-24-2020 08:37 AM | |
| 3451 | 09-22-2020 04:38 AM | |
| 3480 | 09-21-2020 05:41 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 09-11-2020 05:36 AM | |
| 1 Like | 07-28-2020 10:39 AM | |
| 1 Like | 06-23-2020 06:36 PM | |
| 1 Like | 11-13-2019 01:49 PM | |
| 1 Like | 07-09-2020 07:03 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 1 Like | |||
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 08-07-2017 11:11 AM |
| Date Last Visited | 02-08-2021 01:29 PM |
| Posts | 104 |
| Total Likes Received | 24 |
02-08-2021
10:08 AM
It had not been committed to a version yet. You should reach out to your SE to track the progress internally.
... View more
02-08-2021
08:07 AM
At this time, GWLB deployments do not support routing outside of the GENEVE interface. The traffic must hairpin back to the GWLB. Also, there is a known issue with GP not working on a GWLB enabled firewall that will be resolved in a future release.
... View more
01-22-2021
05:04 AM
You have two options. You can either use BGP to prepend the routes from one of the firewalls to create essentially an Active/Passive routing hierarchy or use SNAT. The former is generally preferred. We have this documented in our AWS Reference Architecture here. https://www.paloaltonetworks.com/resources/reference-architectures/aws
... View more
12-17-2020
02:13 PM
At this point, I would suggest you reach out to your Account Team to engage with one of the Consulting Engineers to discuss over zoom and whiteboard. There is only so much we can accomplish in the message board and a further understanding of your flows is warranted.
... View more
12-17-2020
09:52 AM
Inbound requires ingress routing to use the GWLB without SNAT. You can do that within the application vpc using a public-facing LB in front of the application. Or if you want to have a dedicated inbound VPC, you use the same design as above but move your pool members across the TGW. If you prefer the traditional Load Balancer sandwich design where the firewalls are pool members of the front door LB and you are going to SNAT/DNAT to the application, you would either use a dedicated set of firewalls or add new Untrust and Trust interfaces to the firewall as ETH3/4 and use those for ingress outside of the GWLB. This is necessary as the GWLB traffic must hairpin inside of the Geneve tunnel, you cannot insert flows into the tunnel from another interface.
... View more
12-11-2020
04:57 AM
As of this time, break out routing is not supported. The traffic must stay in the Geneve tunnel. In reading this, it appears you are addressing the outbound use case. In that traffic flow, the NatGW must be used as the next hop beyond the GWLBe as depicted in this flow.
... View more
11-23-2020
01:10 PM
You are correct, the VM-100 will only utilize 2 vCPU for data plane.
... View more
09-24-2020
08:37 AM
Sounds like your endpoint is missing the resource policy to allow the instances to connect. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html#apigateway-private-api-set-up-resource-policy
... View more
09-22-2020
04:38 AM
DNS server is the generally second IP of the VPC cidr. Ie, if your vpc is 172.16.0.0/16, dns is 172.16.0.2. Looks like your vpc is 172.16 but you set your dns server to 172.31.
... View more
09-21-2020
05:41 AM
Test it direct to the endpoint from an instance in the same subnet as the trust side of the firewall.
... View more
09-21-2020
05:27 AM
is that screen shot through the firewall, or direct from a test client?
... View more
09-19-2020
06:13 AM
Good news. Message forbidden could be a result of a iam policy on the gateway. You may need to assign a role to firewall so that it has permission to access the gateway. It could also just be a formatting error in the api call. if you deployed a bastion host into the firewall subnet, does it have the same response?
... View more
09-16-2020
07:22 AM
Watch your security groups on the endpoint. Also, check the firewall to ensure the Virtual Router has routes to the endpoint subnets. Have you tried deploying a bastion into the Trust side subnet to test the endpoint directly? We need to determine if the issue is the firewall routing or the endpoint itself.
... View more
09-11-2020
07:02 AM
Assuming your IP specified it the Untrust IP and Eth1/2 is your Trust side interface, your NAT rule translated tab should look like this. This indicates that we are sending the traffic on to the API Endpoint and setting the source IP to be the internal interface of the firewall so that they endpoint knows where to respond to.
... View more
09-11-2020
05:36 AM
1 Kudo
You may see a nominal performance increase by running the bigger instance size due some of the underlying AWS hashing to hardware. The increase will be no where close to the performance of running a VM-300 on the same instance types.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-08-2021
01:29 PM
|
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks