Differences

This shows you the differences between two versions of the page.

--- paloaltonetworks:vmseries:aws_gwlb [2022/07/11 15:03] – bstafford
+++ paloaltonetworks:vmseries:aws_gwlb [2023/01/16 13:45] (current) – [Routing] bstafford
@@ Line 1: / Line 1: @@
 ====== AWS Gateway Load Balancer ======
-Panorama - use c5.4xlarge (16CPU and 32 GB of RAM). This is okay for managment mode only. However, if you want Panorama mode, you will need 16 CPU and 32 RAM and Panorama will only detect the c5.4xlarge as having 31 GB of RAM even though it has 32. This will cause an annoying popup on every login.
+Panorama - use c5.4xlarge (16CPU and 32 GB of RAM). This is okay for managment mode only. However, if you want Panorama mode, you will need 16 CPU and 32 RAM and Panorama will only detect the c5.4xlarge as having 31 GB of RAM even though it has 32. This will cause an annoying popup on every login. (NOTE: I didn't see this issue on PAN-OS 10.2.3)
   * Panorama-AWS-10.1.5-h1-f264c750-1102-41c9-a14d-b54ea51780e4
   * ami-0e7d693c0e72ad111
+===== AMI ====
+AWS CLI command to get AMI for PAN-OS 10.1.7 in region eu-west-1.
+<code>aws ec2 describe-images --filters "Name=product-code,Values=6njl1pau431dv1qxipg63mvah" Name=name,Values=PA-VM-AWS*10.1.7*  --region eu-west-1 --output json</code>
+Or, even better
+<code>aws ec2 describe-images --filters "Name=product-code,Values=6njl1pau431dv1qxipg63mvah" Name=name,Values=PA-VM-AWS*10.1.7*  --region eu-west-1 --output json | grep ImageId | awk -F "\"" '{print $4}'</code>
+because --query Images.ImageId didn't work.
+Values specifies BND1, BND2 or BYOL
+  * BND1 = e9yfvyj3uag5uo5j2hjikv74n
+  * BND2 = hd44w1chf26uv4p52cdynb2o
+  * BYOL = 6njl1pau431dv1qxipg63mvah
+===== VM AUTH PIN =====
+<code>vm-series-auto-registration-pin-id=
+vm-series-auto-registration-pin-value=</code>
+c5.12xlarge is more expensive but has 48vCPU and 96GB RAM.
 <code>request system system-mode panorama</code>
 <code>show system info | match system-mode</code>
@@ Line 58: / Line 75: @@
 Associate Attachments to Route Tables
-  * Edit 'security' transite gateway route table
+  * Edit 'security' transit gateway route table
     * Create association with the security VPC
     * Create propergation with the security VPC
     * Create propergation for the spoke VPC
-  * Edit 'spokes' transite gateway route table
+  * Edit 'spokes' transit gateway route table
     * Create propergation with the security VPC
     * Create association for the spoke VPCs
+    * Create static default route pointing at security VPC
 Edit 'spokes' TGW route table and create static route 0.0.0.0/0 pointing at the security attachment
@@ Line 137: / Line 155: @@
   * security-firewall-public no special rules. default will do. Block inbound. allow outbound
   * security-firewall-managment allow icmp, ssh and https from your public IP
-  * security-firewall-private allow all traffic from RFC1918
+  * security-firewall-private allow all traffic for health checks and also for UDP-6081 (GWLB GENEVE tunnel)
@@ Line 263: / Line 281: @@
 Create site-to-site VPN Connection
   * myremotesite-vpn
-  * Target gateway type - transite gateway (select our main transite gateway)
+  * Target gateway type - transit gateway (select our main transit gateway)
   * Customer gateway - remote-site-home
   * routing options - static
@@ Line 288: / Line 306: @@
 after adding panorama, had to add panorama vpc to TGW as a spoke. Also had to create association to panorama vpc in spoke attacment and a propogation to panorama on security attagement.
-Remember - palo MTU to 1427 and get teh /30 IP from the downloadable config
+Remember - On the Palo firewalls, set the MTU of the VPN tunnel interface to 1427 and set the /30 IP address using the AWS downloadable config as a reference for which IP to use (it will probably be the higher IP in the /30).
-Create a static route inthe secuity route table on the transite gatewy that points 192.168.0.0/16 to the site1 attachment.
+Create a static route in the secuity route table on the TGW in AWS that points 192.168.0.0/16 to the site1 VPN attachment.
@@ Line 304: / Line 322: @@
-=====Transite Gatewy Route Tables=====
+=====transit Gatewy Route Tables=====
 Secuity
@@ Line 316: / Line 334: @@
 		vpn-site1
 	Routes:
-		summary of web vpc should be visible thanks to propgations
+		summary of web vpc should be visible thanks to propagations
-		summary of db vpc should be visible thanks to propgations
+		summary of db vpc should be visible thanks to propagations
-		summary of management vpc should be visible thanks to propgations
+		summary of management vpc should be visible thanks to propagations
-		summary of security vpc should be visible thanks to propgations
+		summary of security vpc should be visible thanks to propagations
 		static route to Site 1 pointing at the site1 VPN object should be created
@@ Line 329: / Line 347: @@
 		vpn-site1
 	Propergations:
-		vpc-secuirty
+		vpc-security
 	Routes:
-		summary of security vpc should be visible thanks to propgations
+		summary of security vpc should be visible thanks to propagations
 		static route 0.0.0.0/0 pointing at the security VPC should be created
+When creating VPN with BGP to third party
+  * For each VPN that you do dynamic routing in, create a dedicated route table and attach the VPN to it.
+  * Then propergate only those VPCs whose routes you want to share with your new VPN.
+  * Associate with the VPN peer.
+Association = Who gets these routes
+Propergations = What routes get installed
+When we connect GlobalProtect firewalls via VPN to VPN gateway attached to TGW, we create a dedicated TGW Route Table and set
+  * Association - associate with GP VPN attachments
+  * Propergations - None
+  * static route - static route to internal routes and point at the security VPC