06-16-2021 09:32 AM
Hi everyone,
We are looking to deploy the virtual firewalls in AWS in an autoscaling group and plan to build the AWS infrastructure (GLB, subnets, routing tables, etc.) using Terraform.
The Lambda scripts that come with the CloudFormation template are extensive (3500 lines of code); they monitor for firewalls being added/removed as part of a scaling event, update Panorama, etc.
Is the only way to deploy to use the CloudFormation template, or can we decouple the Lambda/Python scripts (init.py, sched1.py and sched2.py) and plumb them into our environment that has been built with Terraform?
It looks like a lot of work to build the scripts from scratch as they do a lot of work. Has anyone solved this issue or done something similar?
Would really appreciate any advice anyone may have.
Thanks in advance!
06-17-2021 10:53 AM
We have an update coming to the ASG scripting in the next week or two that greatly simplifies the scripting. Now, with that said, there are a few functions performed by the scripts, and here are some ways around them.
1. AWS had a limitation with Launch Templates that limited the instance to one interface. A large portion of the code adds the second interface after boot. That limitation no longer exists, but you are forced to run mgmt and data plane in the same subnet. If you properly configure your security groups, this is not a risk, as you just need 0/0 pointing to a NatGw and RFC 1918 pointing at the TGW in that subnet.
2. The scripting also handles delicensing and removal from Panorama. We have a licensing plugin that can handle those tasks for you. https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/license-the-vm-series-firewall...
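As an added example (not from the thread, and not Palo Alto's templates), a Terraform fragment for the shared mgmt/data subnet described in point 1: 0/0 via the NAT gateway, RFC 1918 via the TGW, and a security group that limits management access to a trusted range. The variables are assumed inputs supplied by the rest of your own infrastructure code.

```hcl
# Placeholder inputs: VPC, shared mgmt/data subnet, NAT GW and TGW are built
# elsewhere in your Terraform and passed in (assumed, not from the thread).
variable "vpc_id"             { type = string }
variable "fw_subnet_id"       { type = string }
variable "nat_gateway_id"     { type = string }
variable "transit_gateway_id" { type = string }
variable "mgmt_admin_cidr"    { type = string } # trusted admin range, e.g. "10.250.0.0/24"

# Firewall subnet route table: 0/0 to the NAT gateway, RFC 1918 to the TGW.
resource "aws_route_table" "fw" {
  vpc_id = var.vpc_id
  tags   = { Name = "vmseries-fw-rt" }
}
resource "aws_route" "default_via_natgw" {
  route_table_id         = aws_route_table.fw.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = var.nat_gateway_id
}
resource "aws_route" "rfc1918_via_tgw" {
  for_each               = toset(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
  route_table_id         = aws_route_table.fw.id
  destination_cidr_block = each.value
  transit_gateway_id     = var.transit_gateway_id
}
resource "aws_route_table_association" "fw" {
  subnet_id      = var.fw_subnet_id
  route_table_id = aws_route_table.fw.id
}

# With mgmt and data plane in one subnet, the security group is what keeps
# the management plane reachable only from the admin range (SSH and HTTPS).
resource "aws_security_group" "fw_mgmt" {
  name   = "vmseries-mgmt"
  vpc_id = var.vpc_id
  dynamic "ingress" {
    for_each = toset([22, 443])
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = [var.mgmt_admin_cidr]
    }
  }
  egress { # outbound to Panorama, licensing and content updates
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

The data-plane interface needs a separate security group that admits GENEVE (UDP 6081) from the GWLB; that group is omitted here so the management restriction stays the focus.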
06-20-2021 01:32 PM
That is really helpful, thanks for such a quick reply. Much appreciated
06-22-2021 10:24 AM
Circling back to this. I recently posted the simplified autoscaling template that I mentioned.
https://github.com/PaloAltoNetworks/AWS-GWLB-VMSeries/tree/main/cft_simplifiedASG_with_warm_pools
06-26-2021 10:38 AM
Tony, I am working on a similar project. I am curious why not use the vm-series plugin (instead of terraform) to deploy the security dmz?
06-30-2021 01:17 PM
We can use Terraform for the supporting infrastructure, but it's the ASG that's the challenge, along with all the associated Lambda scripts. They need to plumb into the CloudFormation infrastructure to work properly.
06-30-2021 01:19 PM
This is brilliant, thank you. Really helpful. We are trying version 3.0 first, which all seems to work but never registers as a managed firewall in Panorama. Will do some more digging. Thanks for your help. Keep up the good work!