This repository contains CFT and TF templates for deploying VM-Series Firewalls behind AWS Gateway Load Balancer
License: MIT License
This repository contains CFT and TF templates for deploying VM-Series Firewalls behind AWS Gateway Load Balancer.
All the Palo documentation for GWLB is for using a firewall with a single dataplane NIC.
There are no examples for firewalls in the internet gateway deployment (untrust NIC in Eth0, trust nic in Eth2)
Please provide examples of how this would be deployed in the above scenario.
Update CFT templates and panw-aws.zip to support Python 3.9 due to AWS removing support for Python 3.6
Update CFT templates and panw-aws.zip to support Python 3.9 due to AWS removing support for Python 3.6
None
Update CFT templates and panw-aws.zip to support Python 3.9 due to AWS removing support for Python 3.6
As per document "before launching the templates"
obtain the auth code for a bundle that supports the number of firewalls that might be required for your deployment.
Does this means this works only for BYOL or am I misunderstanding, want to test for usage based.
STEP 8 |Specify the keys for enabling API access to the firewall and Panorama.
May please some help.
For 1.
This is which key ,the key we create inside panorama for user pandemo/demopassword ?
for2.
The same key which we create inside panorama for user pandemo/demopassword ?
key i am creating is like below once user is defined inside panorama
curl -k -X GET 'https://x.x.x.x.x/api/?type=keygen&user=pandemo&password=demopassword'
LUFRPT1OWkpUYmxNME5hU25teE9KbkhUMzk2NnBRVUE9N0d4RGpTN2VZaVZYMVVoS253U0p6dWd3K1FSTW5rSUtuVXFsNWt1exxxxxxxxx==/ #
for step1 if I use the default key in template I get error like (cloudwatch logs /aws/lambda/xxxxxx-Init_lambda-lambda-sched-event)
[ERROR] 2021-05-11T16:08:45.672Z 1595434d-6be9-4ef6-952f-b5f933d96404 [RunCommand Response Fail]: HTTP Error 403: Invalid Credential
Failed to run command: https://x.x.x.x./api/?type=op&cmd=1&key=LUFRPT1Zd2pYUGpkMUNrVEZlb3hROEQyUm95dXNGRkU9N0d4RGpTN2VZaVZYMVVoS253U0p6dlk3MkM0SDFySEh2UUR4Y3hzK2g3ST0=
The terraform templates are great but it would be nice to have TF with autoscale. Currently the template just deploys a static set of firewalls across the listed az's
I would like to see a terraform script that would support an auto-scale group in AWS
none
Being able to scale while using GWLB would be a great solution using terraform
This issue was opened by a bot called Community Health (PANW) because this repo has failed too many community health checks.
Repo maintainers: Please take the time to fix the issues in the table to reach the target score. These improvements will help others find your work and contribute to it. This issue will update as your score improves until it hits the target score.
Click More info for instructions to fix each item.
| Health Check | Pass | Score | More Info |
|---|---|---|---|
| Contains a meaningful README.md file | ✅ | 20 / 20 | More info |
| SUPPORT.md file exists | ❌ | 0 / 20 | More info |
| Repo has a description | ✅ | 15 / 15 | More info |
| Has a recognized open source license | ✅ | 15 / 15 | More info |
| Has a descriptive repo name | ✅ | 15 / 15 | More info |
| Required topics attached to repo | ❌ | 0 / 15 | More info |
| CONTRIBUTING.md file with contribution guidelines | ❌ | 0 / 5 | More info |
| Has custom issue and pull request templates | ❌ | 0 / 5 | More info |
Current score: 65
Target threshold: 100
Total possible: 110
Hello,
I would like to use an S3 Interface Endpoint while serving the bootstrap files.
As S3 interface endpoints require special use I'm wondering if PA bootstrap method could or already does support such a requirement.
Use a map when using vmseries-bootstrap-aws-s3bucket which allows adding the endpoint URL.
I am trying to get panorama 10.0.2 or like that in AWS
AWS market place max supported is 9.1.9 .Checking if I am doing something wrong.
if I try community AMI say
Panorama-AWS-10.0.2-f264c750-1102-41c9-a14d-b54ea51780e4-ami-043b1436d961638fa.4 - ami-01f439875be1959cc
Panorama-AWS-10.0.2
fails saying not supported.
The requirement for GWLB to swap the mgmt interface doesn't work with this userdata template / init-cfg file
Bootstrap / userdata config should swap mgmt interface with eth1 in order to register with the load balancer target group
Firewall will deploy but without mgmt swap, so will never register until run manually
As per the PA documentation, either a space OR comma should be used, not both.
https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/vm-series-integration-with-gateway-load-balancer/integrate-the-vm-series-with-an-aws-gateway-load-balancer/manually-integrate-the-vm-series-with-a-gateway-load-balancer.html
Lines should be changed as follows:
/CFT_2_Firewalls/bootstrap/init-cfg.txt & /CFT_2_Firewalls/bootstrap/config/init-cfg.txt Line 13:
op-command-modes=jumbo-frame,mgmt-interface-swap
/CFT_2_Firewalls/SecurityVPC.yaml Line 995:
Deploy this template as is, the firewalls will not become healthy on the Target Group and running the manual command to check the interface
trying to use your below template as it is to test.
https://github.com/PaloAltoNetworks/AWS-GWLB-VMSeries/tree/main/cft%20with%20autoscale/app_stack
Only thing is I want to test setting up app stack in separate account and use transit GW setup in our security account.TGW is shared from security account using RAM and is visible inside my test account.
Deployment fails saying.
Transit Gateway tgw-0609xxx7 was deleted or does not exist. (Service: AmazonEC2; Status Code: 400; Error Code: InvalidTransitGatewayID.NotFound; Request ID: 80918cdd-5f72-48eb-9200-335a73e6730d; Proxy: null)
shared TGW is visible in this account.
Hi,
I used https://github.com/PaloAltoNetworks/AWS-GWLB-VMSeries/blob/main/CFT_2_Firewalls/SecurityVPC.yaml
and executed ,everything gets created without any error. But when I try to ssh to public IP of VM-Series Management not reachable.
Note: I have left blank "AWS S3 Bucket Name containing the VM-Series Bootstrap Information:"
I even added udp to check if i get ping request, but nothing...
niteen-test01-VMSeries-Management
| Type | Protocol | Port range | Source | Description - optional |
|---|---|---|---|---|
| SSH | TCP | 22 | 0.0.0.0/0 | – |
| All UDP | UDP | 0 - 65535 | 0.0.0.0/0 | – |
| HTTPS | TCP | 443 | 0.0.0.0/0 | – |
My stack completes without any issue but not getting registered inside panorama.
I have debug enabled
my cloudwatch /aws/lambda/xxxxxx-Init_lambda-lambda-sched-event shows below.
[ERROR] 2021-04-28T18:04:06.361Z 4303974a-4650-456e-92ea-b34935ea59f2 [RunCommand Response Fail]: HTTP Error 403: Invalid Credential
Failed to run command: https://10.xxx.xx.5/api/?type=op&cmd=1&key=LUFRPT1Zd2pYUGpkMUNrVEZlb3hROEQyUm95dXNGRkU9N0d4RGpTN2VZaVZYMVVoS253U0p6dlk3MkM0SDFySEh2UUR4Y3hzK2g3ST0=
any idea what wrong I am doing?
Cloudformation stack, app.zip and panw-aws.zip Python code needs the runtime to be updated to greater than 3.6 due to AWS's planned EOL of 3.6.
Update to the latest version supported of python 3.X supported by AWS's Lambda.
Validation of lambda code on the new runtime is needed as it's currently untested.
Request:
I'm wondering if this repo could use native terraform provider AWS resources instead of just relying on an scripted API deployment.
When executing cft with autoscale, cft fails to create EIPs. Error provided is "Invalid value 'VPC' for domain." CFT rolls back.
EIPs are successfully created.
See above.
Current firewall-new-vpc-v3.0.template contains code similar to the following:
"EIP1" : {
"Type" : "AWS::EC2::EIP",
"Properties" : {
"Domain" : "VPC"
},
"DependsOn": [ "VPC", "GatewayToInternet", "IGW" ]
},
Modify firewall-new-vpc-v3.0.template as follows:
"EIP1" : {
"Type" : "AWS::EC2::EIP",
"Properties" : {
"Domain" : "vpc"
},
"DependsOn": [ "VPC", "GatewayToInternet", "IGW" ]
},
Repeat these modifications for EIP1, EIP2, EIP3 and EIP4 definitions.
Deploy CFT as per instructions. The following will be the result:
Hi team,
Could we use the CFT AutoScaling template without Panorama?
If not, how could I obtain the evaluation license? Currently, I have 2 VM-100 evaluation licenses but I don't have Panorama
@salsop could you please help me with this?
Thanks in advance!
PA FWs are not included automatically in GWLB target group when they get up with template cft_simplifiedASG_with_warm_pools
The FWs should be added to Target Group of GWLB to be able to filter traffic. Without this GENEVE tunnel connection, the traffic can not reach the FW.
The PA FW are not included automatically to Target Group.
Deploy the cft_simplifiedASG_with_warm_pools template with more than 1 FW active in ASG and it's easy to see the new FW is not added to Target Group
The issue doesn't let to make the template works as expected without manual intervention. Without this feature, the deployment can not accomplish dynamic behavior the environment requests
https://github.com/PaloAltoNetworks/AWS-GWLB-VMSeries/blob/main/terraform/topology.png
The diagram doesn't mention the route to APP VPC CIDRs on gwlbe-ob-rt
Add routes to APP VPC 1 and APP VPC 2 with next hop as tgw on gwlbe-ob-rt
Can't generate firewall's API key prior to deployment, but is required for Lambda API calls for Firewall status.
No bootstrap.xml being used due to Panorama supported bootstrapping.
How can you generate an API key for a firewall that is yet to be booted?
Field in question: KeyPANWFirewall
https://github.com/PaloAltoNetworks/AWS-GWLB-VMSeries/tree/main/terraform/README.md
I think add to Prerequisites that paloalto ami are needs IMDSv1.
instance are can't read user-data of the aws instance parameters when first boot if restricted only allowed IMDSv2
(for example, SCP of the AWS organization)
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
