We are trying to implement a zero trust environment inside our AWS cloud. We are using a transit gateway deployment, and have all traffic going through a security VPC which houses a pair of PA-VMs. These firewalls are reached by the other VPCs through GWLBs. Because of this architecture, when we are allowing inbound web traffic to our ALBs we actually create a rule using the private IP addresses of the ALBs. The issue is the dynamic nature of the ALB: these internal IPs change periodically, which in turn invalidates our inbound rules. I have seen some workarounds using NLB, or through Global Accelerator. Neither of these, however, will keep the private IP of the ALB from changing. I was hoping to use the dynamic group function, but it seems to only be able to pull in EC2s, and not LBs. With zero trust being all the rage, how is this not supported? What am I missing?
Hi @nelsonc0 ,
Hope you have managed to solve your problem; if not, please check which version of the AWS plugin for Panorama you are using.
According to the documentation, version 3.0.0 introduced support for ALB, NLB and ENI monitoring - https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/panorama-plug...
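Added example (Python; this is not code from the thread, from the Panorama AWS plugin, or from AWS): a manual check for the drift the question describes. An ALB does not have a fixed private IP; it owns one elastic network interface per enabled subnet, and AWS stamps each of those ENIs with a Description of the form "ELB app/<lb-name>/<lb-id>", which matches the tail of the load balancer's ARN. The script below derives that description from the ARN, pulls the current private IPs out of a `describe-network-interfaces` response, and diffs them against the addresses hard-coded in an inbound rule, reporting live IPs the rule no longer covers and rule entries that no longer point at the ALB. The JSON, ENI IDs, IP addresses and the ARN are all constructed sample data; on a live account the same JSON comes from `aws ec2 describe-network-interfaces --filters Name=description,Values="ELB app/<lb-name>/*"`.

```python
"""Check whether a firewall rule's hard-coded ALB private IPs still match the
ALB's current ENIs.  Added example; constructed sample data throughout."""
import ipaddress
import json

# Constructed sample: a trimmed `aws ec2 describe-network-interfaces` response.
# Two ENIs belong to the ALB we care about (one per subnet), one belongs to a
# different ALB, and one is an ordinary EC2 primary interface.  All IDs and
# addresses are made up.
SAMPLE_DESCRIBE_ENIS = json.loads("""
{
  "NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0a1b2c3d4e5f60001",
     "Description": "ELB app/web-alb/50dc6c495c0c9188",
     "Status": "in-use", "SubnetId": "subnet-0aaa",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.20.1.37", "Primary": true}]},
    {"NetworkInterfaceId": "eni-0a1b2c3d4e5f60002",
     "Description": "ELB app/web-alb/50dc6c495c0c9188",
     "Status": "in-use", "SubnetId": "subnet-0bbb",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.20.2.88", "Primary": true}]},
    {"NetworkInterfaceId": "eni-0a1b2c3d4e5f60003",
     "Description": "ELB app/other-alb/1234567890abcdef",
     "Status": "in-use", "SubnetId": "subnet-0aaa",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.20.1.9", "Primary": true}]},
    {"NetworkInterfaceId": "eni-0a1b2c3d4e5f60004",
     "Description": "Primary network interface",
     "Status": "in-use", "SubnetId": "subnet-0aaa",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.20.1.50", "Primary": true}]}
  ]
}
""")


def eni_description_for_alb(alb_arn):
    """Map an ALB ARN to the Description AWS puts on that ALB's ENIs.

    arn:aws:elasticloadbalancing:<region>:<acct>:loadbalancer/app/<name>/<id>
    becomes "ELB app/<name>/<id>".  NLBs use "net/" and are rejected here
    because the question is specifically about ALB private IPs.
    """
    _, sep, tail = alb_arn.partition(":loadbalancer/")
    if not sep or not tail.startswith("app/"):
        raise ValueError("not an application load balancer ARN: " + alb_arn)
    return "ELB " + tail


def alb_private_ips(describe_enis, alb_arn):
    """Return the set of private IPs currently assigned to the ALB's ENIs."""
    wanted = eni_description_for_alb(alb_arn)
    ips = set()
    for eni in describe_enis["NetworkInterfaces"]:
        # Match on the exact description so another ALB with a similar name
        # or an unrelated EC2 interface in the same subnet is not picked up.
        if eni.get("Description") != wanted or eni.get("Status") != "in-use":
            continue
        for addr in eni.get("PrivateIpAddresses", []):
            ips.add(addr["PrivateIpAddress"])
    return ips


def rule_drift(rule_addresses, live_ips):
    """Diff a rule's destination entries (IPs or CIDRs) against live ALB IPs.

    missing: live IPs no rule entry covers (inbound traffic will be dropped)
    stale:   rule entries that cover none of the live IPs (dead or, worse,
             now pointing at whatever AWS reassigned that address to)
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in rule_addresses]
    live = [ipaddress.ip_address(ip) for ip in live_ips]
    missing = sorted(str(ip) for ip in live if not any(ip in n for n in nets))
    stale = sorted(entry for entry, n in zip(rule_addresses, nets)
                   if not any(ip in n for ip in live))
    return {"missing": missing, "stale": stale,
            "in_sync": not missing and not stale}


def main():
    # Constructed ARN; 123456789012 is the usual AWS documentation placeholder.
    arn = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
           "loadbalancer/app/web-alb/50dc6c495c0c9188")
    current_rule = ["10.20.1.37/32", "10.20.2.15/32"]  # what the rule says today
    live = alb_private_ips(SAMPLE_DESCRIBE_ENIS, arn)
    report = rule_drift(current_rule, live)
    print("live ALB IPs:", sorted(live))
    print("rule drift:", json.dumps(report, indent=2))


if __name__ == "__main__":
    main()
```

Run it as-is to see the drift report on the sample data; for a real check, replace `SAMPLE_DESCRIBE_ENIS` with the parsed output of the `describe-network-interfaces` call above and `current_rule` with the address objects from the inbound rule. The point of matching on the full "ELB app/<name>/<id>" description rather than a subnet or name prefix is that the ALB's addresses are recycled within the subnet, so a rule that still lists a released IP is allowing inbound web traffic to whatever interface AWS hands that address to next. This is the same ENI-level monitoring the Panorama AWS plugin automates once ALB monitoring is enabled; the script only makes the drift visible for a one-off audit.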