We've deployed VM-Series into an AWS INSPECTION VPC implementing the documented approach around use of a Gateway Load Balancer (GWLB) as an Endpoint Service, then Endpoints in the APPLICATION VPC, so that inspection can be achieved when North/South traffic enters the application VPC and is routed to the inspection layer as expected; so from an intended-use perspective the PAs are doing their job. One key issue we have not been able to resolve, though, is that the GWLB target group has all the PAs as unhealthy, and no amount of changing interfaces and GWLB plugins has been able to resolve this issue; this approach on an ongoing basis is operationally bad. One method we've been able to resolve this with is by using target groups that target IP rather than INSTANCE and targeting the Management interface; this then comes up as healthy as expected.
Now this approach isn't ideal, as we now need to write Lambdas to manage auto scaling events etc., which is more effort when ideally the GWLB should be able to pick up the health check when an instance-based target group is used.
My question is, has anyone encountered this issue and been able to resolve it without having to use IP based target groups?
Hi @sthornton73 ,
Hope you have found a solution for your problem; if not, or for anyone else that is interested:
GWLB always uses the first interface of the associated instance when the target group is defined to use a target type of instance, while the PAN firewall NVA (network virtual appliance) is always using the first interface for management and the rest for dataplane. You have two ways to solve this:
- In PAN-OS 10.0 (if I am not wrong) a command was introduced that can swap the mgmt and first dataplane interface under PAN-OS. That way you need to attach the dataplane interface first to the instance and the mgmt network as the second ENI. Detailed information could be found here - https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/set-up-the-vm-series-firewall-o...
- The second solution is to use "IP" as the target type for the target group and reference the firewalls by the IP address of the dataplane interface. This way you can keep the mgmt as the first interface and dataplane as the second.
Either way you still need to configure the GWLB health check for HTTPS over port 443 and, on the firewall, to attach an interface management profile allowing HTTPS to the dataplane interface.
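As an added example (not code from the thread or from Palo Alto Networks), here is the registration logic a Lambda for the second option needs: pick each VM-Series instance's dataplane ENI (assumed to be device index 1, mgmt at index 0) rather than the first interface, build an IP-type GENEVE target group with the HTTPS/443 health check the answer describes, and compute which dataplane IPs to register or deregister after a scaling event. Instance IDs, IPs and the target-group name are constructed sample values.

```python
"""GWLB IP-type target sync for VM-Series (added example; assumptions noted inline)."""
from typing import Dict, List, Set, Tuple

GENEVE_PORT = 6081          # GWLB forwards to targets over GENEVE/6081
DATAPLANE_DEVICE_INDEX = 1  # assumption: ENI 0 = mgmt, ENI 1 = first dataplane (ethernet1/1)


def dataplane_ip(instance: dict, device_index: int = DATAPLANE_DEVICE_INDEX) -> str:
    """Primary private IP of the ENI attached at device_index.

    `instance` is one entry of describe_instances()['Reservations'][*]['Instances'].
    Raising here is deliberate: an instance with no dataplane ENI is exactly the
    case where an instance-type target group would end up probing mgmt instead.
    """
    for eni in instance.get("NetworkInterfaces", []):
        if eni.get("Attachment", {}).get("DeviceIndex") == device_index:
            return eni["PrivateIpAddress"]
    raise LookupError(f"{instance['InstanceId']}: no ENI at device index {device_index}")


def target_group_params(name: str, vpc_id: str) -> dict:
    """Kwargs for elbv2.create_target_group(): IP targets, HTTPS/443 health check."""
    return {
        "Name": name, "Protocol": "GENEVE", "Port": GENEVE_PORT, "VpcId": vpc_id,
        "TargetType": "ip",                 # reference firewalls by dataplane IP
        "HealthCheckProtocol": "HTTPS",     # needs an interface mgmt profile allowing
        "HealthCheckPort": "443",           # HTTPS on the dataplane interface
    }


def plan_sync(instances: List[dict], registered_ips: Set[str]
              ) -> Tuple[List[Dict[str, object]], List[Dict[str, object]]]:
    """Return (to_register, to_deregister) Targets lists for register_/deregister_targets().

    `registered_ips` comes from describe_target_health(); `instances` are the ASG's
    current in-service firewalls. IPs of terminated firewalls are removed so the
    target group never carries stale, permanently unhealthy entries.
    """
    desired = {dataplane_ip(i) for i in instances}
    to_register = [{"Id": ip, "Port": GENEVE_PORT} for ip in sorted(desired - registered_ips)]
    to_deregister = [{"Id": ip, "Port": GENEVE_PORT} for ip in sorted(registered_ips - desired)]
    return to_register, to_deregister


# Constructed sample: one VM-Series instance in the shape describe_instances() returns.
SAMPLE_INSTANCE = {
    "InstanceId": "i-0example",
    "NetworkInterfaces": [
        {"Attachment": {"DeviceIndex": 0}, "PrivateIpAddress": "10.0.0.10"},  # mgmt
        {"Attachment": {"DeviceIndex": 1}, "PrivateIpAddress": "10.0.1.10"},  # ethernet1/1
    ],
}
```

In the Lambda itself the two lists feed `elbv2.register_targets(TargetGroupArn=..., Targets=to_register)` and `elbv2.deregister_targets(TargetGroupArn=..., Targets=to_deregister)`.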