We are looking to deploy the virtual firewalls in AWS in an autoscaling group and plan to build the AWS infrastructure (GLB, subnets, routing tables etc using terraform).
The Lambda scripts with the CloudFormation template are extensive (3500 lines of code) to monitor for firewalls being added/removed as part of a scaling event and update Panorama etc.
Is the only way to deploy to use the CloudFormation template, or can we decouple the Lambda/Python scripts (init.py, sched1.py and sched2.py) and plumb them into our environment that's been built with Terraform?
It looks like a lot of work to build the scripts from scratch as they do a lot of work. Has anyone solved this issue or done something similar?
Would really appreciate any advice anyone may have.
Thanks in advance!
We have an update coming to the ASG scripting in the next week or two that greatly simplifies the scripting. Now with that said, there are a few functions performed by the scripts, and here are some ways around them.
1. AWS had a limitation with Launch Templates that limited the instance to one interface. A large portion of the code adds the second interface after boot. That limitation no longer exists, but you are forced to run mgmt and data plane in the same subnet. If you properly configure your security groups, this is not a risk, as you just need 0/0 pointing to a NAT GW and RFC 1918 pointing at the TGW in that subnet.
2. The scripting also handles delicensing and removal from Panorama. We have a licensing plugin that can handle those tasks for you. https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/license-the-vm-series-firewall...
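A Terraform sketch of the single-subnet routing and security group layout described in point 1, added here as an example rather than code from this thread or from Palo Alto Networks. The variable names (var.vpc_id, var.vpc_cidr, var.nat_gateway_id, var.tgw_id, var.admin_cidr) are assumptions, and the GENEVE rule assumes a Gateway Load Balancer in the same VPC, as in the question.

```hcl
# Added example, not from the thread. Assumes var.vpc_id, var.vpc_cidr,
# var.nat_gateway_id, var.tgw_id and var.admin_cidr are defined elsewhere.

# Route table for the single mgmt + data-plane subnet: default route to the
# NAT gateway, the three RFC 1918 ranges to the Transit Gateway.
resource "aws_route_table" "fw_subnet" {
  vpc_id = var.vpc_id

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = var.nat_gateway_id
  }

  dynamic "route" {
    for_each = toset(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
    content {
      cidr_block         = route.value
      transit_gateway_id = var.tgw_id
    }
  }
}

# Security group on the firewall interface: management (SSH, HTTPS) only
# from the admin range, GENEVE (UDP 6081) only from the GWLB inside the VPC.
resource "aws_security_group" "fw" {
  name   = "vmseries-fw"
  vpc_id = var.vpc_id

  dynamic "ingress" {
    for_each = toset([22, 443])
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = [var.admin_cidr]
    }
  }

  ingress {
    from_port   = 6081
    to_port     = 6081
    protocol    = "udp"
    cidr_blocks = [var.vpc_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Attach the route table to the firewall subnet with an aws_route_table_association and reference aws_security_group.fw.id from the launch template's network interface block.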