About jmeurer

It had not been committed to a version yet.  You should reach out to your SE to track the progress internally. ... View more

At this time, GWLB deployments do not support routing outside of the GENEVE interface.  The traffic must hairpin back to the GWLB.   Also, there is a known issue with GP not working on a GWLB enabled firewall that will be resolved in a future release.   ... View more

You have two options.  You can either use BGP to prepend the routes from one of the firewalls to create essentially an Active/Passive routing hierarchy or use SNAT.  The former is generally preferred.  We have this documented in our AWS Reference Architecture here.   https://www.paloaltonetworks.com/resources/reference-architectures/aws   ... View more

At this point, I would suggest you reach out to your Account Team to engage with one of the Consulting Engineers to discuss over zoom and whiteboard.  There is only so much we can accomplish in the message board and a further understanding of your flows is warranted. ... View more

Inbound requires ingress routing to use the GWLB without SNAT.  You can do that within the application vpc using a public-facing LB in front of the application. Or if you want to have a dedicated inbound VPC, you use the same design as above but move your pool members across the TGW. If you prefer the traditional Load Balancer sandwich design where the firewalls are pool members of the front door LB and you are going to SNAT/DNAT to the application, you would either use a dedicated set of firewalls or add new Untrust and Trust interfaces to the firewall as ETH3/4 and use those for ingress outside of the GWLB.  This is necessary as the GWLB traffic must hairpin inside of the Geneve tunnel, you cannot insert flows into the tunnel from another interface.   ... View more

As of this time, break out routing is not supported.  The traffic must stay in the Geneve tunnel.  In reading this, it appears you are addressing the outbound use case.  In that traffic flow, the NatGW must be used as the next hop beyond the GWLBe as depicted in this flow.       ... View more

You are correct, the VM-100 will only utilize 2 vCPU for data plane. ... View more

Sounds like your endpoint is missing the resource policy to allow the instances to connect.   https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html#apigateway-private-api-set-up-resource-policy   ... View more

DNS server is the generally second IP of the VPC cidr. Ie, if your vpc is 172.16.0.0/16, dns is 172.16.0.2.  Looks like your vpc is 172.16 but you set your dns server to 172.31.   ... View more

Test it direct to the endpoint from an instance in the same subnet as the trust side of the firewall.   ... View more

is that screen shot through the firewall, or direct from a test client?   ... View more

Good news.  Message forbidden could be a result of a iam policy on the gateway.  You may need to assign a role to firewall so that it has permission to access the gateway.  It could also just be a formatting error in the api call.   if you deployed a bastion host into the firewall subnet, does it have the same response? ... View more

Watch your security groups on the endpoint.  Also, check the firewall to ensure the Virtual Router has routes to the endpoint subnets. Have you tried deploying a bastion into the Trust side subnet to test the endpoint directly?  We need to determine if the issue is the firewall routing or the endpoint itself. ... View more

Assuming your IP specified it the Untrust IP and Eth1/2 is your Trust side interface, your NAT rule translated tab should look like this.  This indicates that we are sending the traffic on to the API Endpoint and setting the source IP to be the internal interface of the firewall so that they endpoint knows where to respond to.     ... View more

You may see a nominal performance increase by running the bigger instance size due some of the underlying AWS hashing to hardware.  The increase will be no where close to the performance of running a VM-300 on the same instance types.    ... View more