Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- ›
- About jmeurer
About jmeurer
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
yesterday
100Posts
24Likes
15Solutions
Jan 22, 2021Last Visited
User
Activity
User
Profile
Latest posts by jmeurer
| Subject | Views | Posted |
|---|---|---|
| 30 | yesterday | |
| 531 | 12-17-2020 02:13 PM | |
| 560 | 12-17-2020 09:52 AM | |
| 702 | 12-11-2020 04:57 AM | |
| 771 | 11-23-2020 01:10 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 09-11-2020 05:36 AM | |
| 1 | 07-28-2020 10:39 AM | |
| 1 | 06-23-2020 06:36 PM | |
| 1 | 11-13-2019 01:49 PM | |
| 1 | 07-09-2020 07:03 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 1 | |||
| 1 |
User Badges
Public Statistics
| Date Registered | 08-07-2017 11:11 AM |
| Date Last Visited | yesterday |
| Total Messages Posted | 102 |
| Total Likes Received | 24 |
yesterday
You have two options. You can either use BGP to prepend the routes from one of the firewalls to create essentially an Active/Passive routing hierarchy or use SNAT. The former is generally preferred. We have this documented in our AWS Reference Architecture here. https://www.paloaltonetworks.com/resources/reference-architectures/aws
... View more
12-17-2020
02:13 PM
At this point, I would suggest you reach out to your Account Team to engage with one of the Consulting Engineers to discuss over zoom and whiteboard. There is only so much we can accomplish in the message board and a further understanding of your flows is warranted.
... View more
12-17-2020
09:52 AM
Inbound requires ingress routing to use the GWLB without SNAT. You can do that within the application vpc using a public-facing LB in front of the application. Or if you want to have a dedicated inbound VPC, you use the same design as above but move your pool members across the TGW. If you prefer the traditional Load Balancer sandwich design where the firewalls are pool members of the front door LB and you are going to SNAT/DNAT to the application, you would either use a dedicated set of firewalls or add new Untrust and Trust interfaces to the firewall as ETH3/4 and use those for ingress outside of the GWLB. This is necessary as the GWLB traffic must hairpin inside of the Geneve tunnel, you cannot insert flows into the tunnel from another interface.
... View more
12-11-2020
04:57 AM
As of this time, break out routing is not supported. The traffic must stay in the Geneve tunnel. In reading this, it appears you are addressing the outbound use case. In that traffic flow, the NatGW must be used as the next hop beyond the GWLBe as depicted in this flow.
... View more
11-23-2020
01:10 PM
You are correct, the VM-100 will only utilize 2 vCPU for data plane.
... View more
09-24-2020
08:37 AM
Sounds like your endpoint is missing the resource policy to allow the instances to connect. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html#apigateway-private-api-set-up-resource-policy
... View more
09-22-2020
04:38 AM
DNS server is the generally second IP of the VPC cidr. Ie, if your vpc is 172.16.0.0/16, dns is 172.16.0.2. Looks like your vpc is 172.16 but you set your dns server to 172.31.
... View more
09-21-2020
05:41 AM
Test it direct to the endpoint from an instance in the same subnet as the trust side of the firewall.
... View more
09-21-2020
05:27 AM
is that screen shot through the firewall, or direct from a test client?
... View more
09-19-2020
06:13 AM
Good news. Message forbidden could be a result of a iam policy on the gateway. You may need to assign a role to firewall so that it has permission to access the gateway. It could also just be a formatting error in the api call. if you deployed a bastion host into the firewall subnet, does it have the same response?
... View more
09-16-2020
07:22 AM
Watch your security groups on the endpoint. Also, check the firewall to ensure the Virtual Router has routes to the endpoint subnets. Have you tried deploying a bastion into the Trust side subnet to test the endpoint directly? We need to determine if the issue is the firewall routing or the endpoint itself.
... View more
09-11-2020
07:02 AM
Assuming your IP specified it the Untrust IP and Eth1/2 is your Trust side interface, your NAT rule translated tab should look like this. This indicates that we are sending the traffic on to the API Endpoint and setting the source IP to be the internal interface of the firewall so that they endpoint knows where to respond to.
... View more
09-11-2020
05:36 AM
1 Kudo
You may see a nominal performance increase by running the bigger instance size due some of the underlying AWS hashing to hardware. The increase will be no where close to the performance of running a VM-300 on the same instance types.
... View more
09-10-2020
11:07 AM
That SNAT flow does not sound correct. The NAT rule that Destination Nats the traffic to Endpoint, should also have source translation set to the internal interface. Would you mind posting screen shots of the nat rule.
... View more
09-10-2020
09:29 AM
Did you add a source translation to the NAT rule with the firewall's interface address? Otherwise the endpoint will try to respond directly to the original client IP. If you spin up a bastion host in the VPC, can you access the end point? It could an SG on the endpoint not allowing the traffic in.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
yesterday
|
Latest Blogs
Latest Posts
Copyright 2007 - 2021 - Palo Alto Networks
