
aws's Introduction

VM-Series for Microsoft Azure and AWS

This is an unofficial repository for AWS and Azure templates to deploy VM-Series Next-Generation firewalls from Palo Alto Networks into the respective public clouds.

aws's People

Contributors

dleitzel, jasonmeurer, jigarshah04, narayan-iyengar, originalwarby, ryanmaclean


aws's Issues

user data scripts not running on web and db servers

I ran the two-tier-sample CFT. It deployed the PAN successfully: the GUI came up, it was configurable, logs, everything. But I noticed the applications for web and DB didn't work. I logged into the web server and it appears nothing was running. There's a lot of config happening in User Data, but it doesn't look like anything loaded. Same with DB: MySQL wasn't running after all was said and done.

Terraform does not work in latest AMI 9.0.3

The latest AMI on aws is 9.0.3.xfr - the panos terraform provider (or perhaps terraform in general) is not expecting alphabetical characters in the version 9.0.3.xfr in the os version, so will immediately fail on terraform state refresh.

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
 
Error: Error refreshing state: 1 error(s) occurred:
 
* provider.panos: Error parsing version 9.0.3.xfr: Improperly formatted version: 9.0.3.xfr

To reproduce, simply attempt to use terraform on the latest AMI.

CF template - rollback due to wrong AMI ID

Thanks, tried the CF template and had to roll back due to a wrong AMI ID. Not sure about all regions, but the one I tried is us-west-2 [oregon]. After changing the AMI ID it worked.

From AWS Marketplace, VM-Series Next-Generation Firewall Bundle 2, the AMI ID for Oregon is below:

US West (Oregon) | ami-d28992ab
But CF template refers:

"us-west-2" : { "AMI": "ami-e614af86"}

Thanks.
KASI

[Community Health Assessment] Changes needed

This issue was opened by a bot called Community Health (PANW) because this repo has failed too many community health checks.

Repo maintainers: Please take the time to fix the issues in the table to reach the target score. These improvements will help others find your work and contribute to it. This issue will update as your score improves until it hits the target score.

Click More info for instructions to fix each item.

Health Check | Pass | Score
Contains a meaningful README.md file | Yes | 20 / 20
SUPPORT.md file exists | No | 0 / 20
Repo has a description | Yes | 15 / 15
Has a recognized open source license | No | 0 / 15
Has a descriptive repo name | No | 0 / 15
Required topics attached to repo | No | 0 / 15
CONTRIBUTING.md file with contribution guidelines | No | 0 / 5
Has custom issue and pull request templates | No | 0 / 5

Current score: 35
Target threshold: 100
Total possible: 110

Configuration of GW IP within Portal

Hi,

I'm wondering why the external GW IP address in the portal config is set to 52.200.14.80?
How is this IP related to the real EIP of the newly deployed gateways?

Regards,
RW

Changing VM-Series image

Thanks this is very useful!
How/where do I change the image to "VM-Series Next-Generation Firewall (BYOL)" instead of "VM-Series Next Generation Firewall Bundle 2"?
Thanks.

Solution - Failed Deployment using GlobalProtect CloudFormation Template

Hey there,

The CloudFormation template you currently have posted for GlobalProtect is not up to date. There are three variables that need to change:

All the mappings to EC2 AMIs need to be changed to the proper AMI

Before:
"us-west-2" : { "AMI": "ami-e4be4b84" },
"eu-west-1" : { "AMI": "ami-5d92132e"},
"us-east-1" : { "AMI": "ami-7dcb9906" },
"eu-central-1" : { "AMI": "ami-8be001e4"},
"ap-northeast-1" : { "AMI": "ami-b84b5ad6"},
"ap-southeast-1" : { "AMI": "ami-946da7f7"},
"ap-southeast-2" : { "AMI": "ami-d7c6e5b4"}

After:
"us-west-2" : { "AMI": "ami-d28992ab" },
"eu-west-1" : { "AMI": "ami-0f88a16f"},
"us-east-1" : { "AMI": "ami-7dcb9906" },
"eu-central-1" : { "AMI": "ami-0f08b76b"},
"ap-northeast-1" : { "AMI": "ami-ab04e7cd"},
"ap-southeast-1" : { "AMI": "ami-1897057b"},
"ap-southeast-2" : { "AMI": "ami-8ed3cced"}

Instance Type "c" is no longer available for Palo Alto's EC2 instances and has been changed to "m"

Before: "InstanceType" : "c4.xlarge"
After: "InstanceType" : "m4.xlarge"

The volume size will fail at 40 GB, so I would increase it to 80 GB

Before: "VolumeSize" : "40"
After: "VolumeSize" : "80"

I have also listed the updated JSON file within the issue/solution thread.

Prisma Cloud Missing Permissions

Hey PAN,

Are the only things you need permissions for the following?

  • s3:GetObject
  • S3:PutInventoryConfig
  • s3:GetBucketAcl
  • s3:GetBucketpolicy
  • s3:GetBucketLocation

I made this table to see if this is also true for PCA Permissions:

Dashboard All accounts Designated accounts No Designated accounts No No Designated accounts
Inventory All accounts Designated accounts No Designated accounts No No Designated accounts
Save Asset filter(s) All accounts Designated accounts No Designated accounts No No Designated Accounts
Delete Asset Filter(s) Yes Users in this role No Users in this role No No Users in this role

I really appreciate it! Thank you for all the help.

Cheers,
Montana Mendy.

AWS AMI Issue

ami-7dcb9906-error

Documentation link

Cloudformation template

Describe the problem

I created the stack but it rolled back due to the error "CREATE FAILED - API: ec2:Runinstances Not authorized for images: [ami-7dcb9906]".

Suggested fix

Bootstrap does not get completed

The CloudFormation template does complete with no error, but the bootstrap.xml does not get updated. I noticed that the user data under the 'FWInstance' resource only identifies the bootstrap bucket but does not go any further than that.

broken link in 2-tier walkthrough

The bottom of page 14 has a link to panupv2-all-contents-600-3449 which results in 404 Not Found. The file name is also referenced and shown in a screenshot, both on page 16. It needs an update to panupv2-all-contents-695-4002, or create a "latest" symlink to avoid this issue in the future.

Portal does not respond to API

Hello Narayan,
I have been doing some tests with PAN-OS 8.0, but for some reason the lambda is failing to update the portal with the gateway address. When I looked at the logs in CloudWatch, I can see the Portal is not responding to API calls:

23:15:41
[INFO] 2017-05-31T23:15:41.36Z c8af41c8-4656-11e7-9ee6-171ce05b1d29 [INFO]: No response from FW. So maybe not up!
23:15:41
[INFO] 2017-05-31T23:15:41.36Z c8af41c8-4656-11e7-9ee6-171ce05b1d29 [INFO] FW is not up...yet
23:15:41
[INFO] 2017-05-31T23:15:41.36Z c8af41c8-4656-11e7-9ee6-171ce05b1d29 [INFO]: 2 or more minutes left in lambda function. So will check again in 30s
23:16:11
[INFO] 2017-05-31T23:16:11.59Z c8af41c8-4656-11e7-9ee6-171ce05b1d29 [INFO]: Sending command: https://52.53.60.56/api/?type=op&cmd=1&key=LUFRPT11dEtJM0tPTzVHMnJhelpHUzVDN2k5clpTd0E9TUdXZUpoeG5LOVJXemxuVGZ6VGtKdWNlckU2d2RoK2U2RGRxVU1Oc3VJaz0=
23:16:16
[INFO] 2017-05-31T23:16:16.65Z c8af41c8-4656-11e7-9ee6-171ce05b1d29 [INFO]: No response from FW. So maybe not up!
23:16:16
[INFO] 2017-05-31T23:16:16.65Z c8af41c8-4656-11e7-9ee6-171ce05b1d29 [INFO] FW is not up...yet
23:16:16
[INFO] 2017-05-31T23:16:16.65Z c8af41c8-4656-11e7-9ee6-171ce05b1d29 [INFO]: 2 or more minutes left in lambda function. So will check again in 30s
23:16:46
[INFO] 2017-05-31T23:16:46.95Z c8af41c8-4656-11e7-9ee6-171ce05b1d29 [INFO]: Sending command: https://52.53.60.56/api/?type=op&cmd=1&key=LUFRPT11dEtJM0tPTzVHMnJhelpHUzVDN2k5clpTd0E9TUdXZUpoeG5LOVJXemxuVGZ6VGtKdWNlckU2d2RoK2U2RGRxVU1Oc3VJaz0=
23:16:51
[INFO] 2017-05-31T23:16:51.101Z c8af41c8-4656-11e7-9ee6-171ce05b1d29 [INFO]: No response from FW. So maybe not up!
23:16:51
[INFO] 2017-05-31T23:16:51.101Z c8af41c8-4656-11e7-9ee6-171ce05b1d29 [INFO] FW is not up...yet
23:16:51
[INFO] 2017-05-31T23:16:51.101Z c8af41c8-4656-11e7-9ee6-171ce05b1d29 [INFO] have less than two minutes so call self

I was not able to find out why the API is failing, but I tried to run the same API call from my laptop and I got a response:

curl -k -g "https://172.16.1.21/api/?type=op&cmd=1&key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09"
2017/05/31 15:47:2715:47:271AutoComFINNOnoOK15:47:420100

Configuration committed successfullySuccessfully committed last configuration
Warning: tunnel tunnel.100 ipv6 is not enabled. IPv6 address will be ingored!(Module: rasmgr)
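An added example, not the repository's Lambda code, of the polling loop the log above shows, with the PAN-OS API key masked before the request URL is logged to CloudWatch. The key value in the sample URL is a constructed placeholder, and the probe and clock are passed in as callables (assumed interface) so the loop can run without a firewall:

```python
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def redact_api_key(url):
    """Mask the `key` query parameter so the firewall API key never reaches the
    log stream (the log above records it in clear text on every poll)."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "key" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def wait_for_firewall(probe, remaining_ms, interval_s=30, reserve_ms=120_000,
                      sleep=time.sleep, log=print):
    """Poll `probe()` (True once the firewall answers the API) every interval_s
    seconds. Returns "up" on success, or "reinvoke" when less than reserve_ms
    of Lambda budget is left and the function should call itself again rather
    than overrun its timeout. `remaining_ms` mirrors
    context.get_remaining_time_in_millis()."""
    attempts = 0
    while True:
        attempts += 1
        if probe():
            log(f"FW responded after {attempts} attempt(s)")
            return "up"
        log("No response from FW. So maybe not up!")
        if remaining_ms() < reserve_ms:
            log("have less than two minutes so call self")
            return "reinvoke"
        log(f"2 or more minutes left in lambda function. So will check again in {interval_s}s")
        sleep(interval_s)


if __name__ == "__main__":
    # Constructed sample: the key is a placeholder, not a real API key.
    url = "https://52.53.60.56/api/?type=op&cmd=1&key=PLACEHOLDER_KEY"
    print("Sending command:", redact_api_key(url))
    budget = [300_000]                 # 5 minutes of Lambda time left
    def fake_probe():                  # "comes up" once the budget drops below 200 s
        return budget[0] < 200_000
    def fake_clock():
        budget[0] -= 30_000
        return budget[0]
    print(wait_for_firewall(fake_probe, fake_clock, sleep=lambda s: None))
```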

Firewall Breaks IAM Instance Profiles

Hi,

I am using your two tier sample and have noticed that any requests to AWS services from the Web instances are granted the instance profile associated with the Firewall instance. I think this might be because requests to 169.254.169.254 are being routed through the Firewall, when in fact they should never leave the instance making the request.

I assume the normal route for these requests is being overwritten when the Firewall is added as a router during startup.

Can you offer any advice on fixing the user data script or changing the config in the Firewall so that these examples don't break normal use of AWS services?

Thanks.
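One way to verify the symptom described above from a web instance, as an added example that is not part of the repository's templates: it parses `ip route get 169.254.169.254` output for a "via" hop (metadata traffic leaving the instance through a router) and compares the instance profile reported by IMDS with the one the instance should have. The role names, addresses and account id in the sample data are constructed, and the expected profile name is an assumed input.

```python
import json
import re
import subprocess
from urllib.request import Request, urlopen

METADATA_IP = "169.254.169.254"


def metadata_next_hop(ip_route_output):
    """Parse `ip route get 169.254.169.254` output. Returns the gateway address
    if the kernel would send metadata traffic 'via' a router (here: the
    firewall, which then answers with its own instance profile), else None
    when the route is directly on-link as it should be."""
    m = re.search(r"\bvia\s+(\S+)", ip_route_output)
    return m.group(1) if m else None


def profile_mismatch(iam_info_json, expected_profile):
    """Compare the instance profile reported by IMDS /iam/info with the one this
    instance should carry. Returns the unexpected profile name, or None."""
    arn = json.loads(iam_info_json).get("InstanceProfileArn", "")
    actual = arn.rsplit("/", 1)[-1]
    return None if actual == expected_profile else actual


def check_instance(expected_profile):
    """Run both checks on a live Linux EC2 instance (IMDSv2 session token)."""
    route = subprocess.run(["ip", "route", "get", METADATA_IP],
                           capture_output=True, text=True, check=True).stdout
    base = "http://" + METADATA_IP
    tok = urlopen(Request(base + "/latest/api/token", method="PUT",
                          headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"}),
                  timeout=3).read().decode()
    info = urlopen(Request(base + "/latest/meta-data/iam/info",
                           headers={"X-aws-ec2-metadata-token": tok}),
                   timeout=3).read().decode()
    return {"via_gateway": metadata_next_hop(route),
            "wrong_profile": profile_mismatch(info, expected_profile)}


if __name__ == "__main__":
    # Constructed sample output reproducing the failure mode in the issue.
    sample_route = "169.254.169.254 via 10.0.1.11 dev eth0 src 10.0.1.50 uid 1000\n    cache"
    sample_info = ('{"Code": "Success", "InstanceProfileArn": '
                   '"arn:aws:iam::123456789012:instance-profile/FirewallRole"}')
    print("metadata routed via:", metadata_next_hop(sample_route))
    print("unexpected profile:", profile_mismatch(sample_info, "WebRole"))
```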
