Saucepan

User Tools

Site Tools

Trace:
paloaltonetworks:vmseries:aws_gwlb

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
paloaltonetworks:vmseries:aws_gwlb [2022/07/14 13:13] – [Connect third party site to TGW] bstaffordpaloaltonetworks:vmseries:aws_gwlb [2023/01/16 13:45] (current) – [Routing] bstafford
Line 1: Line 1:
 ====== AWS Gateway Load Balancer ====== ====== AWS Gateway Load Balancer ======
  
-Panorama - use c5.4xlarge (16CPU and 32 GB of RAM). This is okay for managment mode only. However, if you want Panorama mode, you will need 16 CPU and 32 RAM and Panorama will only detect the c5.4xlarge as having 31 GB of RAM even though it has 32. This will cause an annoying popup on every login.+Panorama - use c5.4xlarge (16CPU and 32 GB of RAM). This is okay for managment mode only. However, if you want Panorama mode, you will need 16 CPU and 32 RAM and Panorama will only detect the c5.4xlarge as having 31 GB of RAM even though it has 32. This will cause an annoying popup on every login. (NOTE: I didn't see this issue on PAN-OS 10.2.3)
  
   * Panorama-AWS-10.1.5-h1-f264c750-1102-41c9-a14d-b54ea51780e4   * Panorama-AWS-10.1.5-h1-f264c750-1102-41c9-a14d-b54ea51780e4
   * ami-0e7d693c0e72ad111   * ami-0e7d693c0e72ad111
-  + 
 + 
 +===== AMI ==== 
 +AWS CLI command to get AMI for PAN-OS 10.1.7 in region eu-west-1.  
 +<code>aws ec2 describe-images --filters "Name=product-code,Values=6njl1pau431dv1qxipg63mvah" Name=name,Values=PA-VM-AWS*10.1.7*  --region eu-west-1 --output json</code> 
 +Or, even better 
 +<code>aws ec2 describe-images --filters "Name=product-code,Values=6njl1pau431dv1qxipg63mvah" Name=name,Values=PA-VM-AWS*10.1.7*  --region eu-west-1 --output json | grep ImageId | awk -F "\"" '{print $4}'</code> 
 +because --query Images.ImageId didn't work. 
 + 
 +Values specifies BND1, BND2 or BYOL 
 +  * BND1 = e9yfvyj3uag5uo5j2hjikv74n 
 +  * BND2 = hd44w1chf26uv4p52cdynb2o 
 +  * BYOL = 6njl1pau431dv1qxipg63mvah 
 + 
 +===== VM AUTH PIN ===== 
 +<code>vm-series-auto-registration-pin-id= 
 +vm-series-auto-registration-pin-value=</code> 
 +c5.12xlarge is more expensive but has 48vCPU and 96GB RAM.
 <code>request system system-mode panorama</code> <code>request system system-mode panorama</code>
 <code>show system info | match system-mode</code> <code>show system info | match system-mode</code>
Line 58: Line 75:
  
 Associate Attachments to Route Tables Associate Attachments to Route Tables
-  * Edit 'security' transite gateway route table+  * Edit 'security' transit gateway route table
     * Create association with the security VPC     * Create association with the security VPC
     * Create propergation with the security VPC     * Create propergation with the security VPC
     * Create propergation for the spoke VPC     * Create propergation for the spoke VPC
-  * Edit 'spokes' transite gateway route table+  * Edit 'spokes' transit gateway route table
     * Create propergation with the security VPC     * Create propergation with the security VPC
     * Create association for the spoke VPCs     * Create association for the spoke VPCs
 +    * Create static default route pointing at security VPC
  
 Edit 'spokes' TGW route table and create static route 0.0.0.0/0 pointing at the security attachment Edit 'spokes' TGW route table and create static route 0.0.0.0/0 pointing at the security attachment
Line 137: Line 155:
   * security-firewall-public no special rules. default will do. Block inbound. allow outbound   * security-firewall-public no special rules. default will do. Block inbound. allow outbound
   * security-firewall-managment allow icmp, ssh and https from your public IP   * security-firewall-managment allow icmp, ssh and https from your public IP
-  * security-firewall-private allow all traffic from RFC1918+  * security-firewall-private allow all traffic for health checks and also for UDP-6081 (GWLB GENEVE tunnel)
  
  
Line 263: Line 281:
 Create site-to-site VPN Connection Create site-to-site VPN Connection
   * myremotesite-vpn   * myremotesite-vpn
-  * Target gateway type - transite gateway (select our main transite gateway)+  * Target gateway type - transit gateway (select our main transit gateway)
   * Customer gateway - remote-site-home   * Customer gateway - remote-site-home
   * routing options - static   * routing options - static
Line 304: Line 322:
  
  
-=====Transite Gatewy Route Tables=====+=====transit Gatewy Route Tables=====
  
 Secuity Secuity
Line 329: Line 347:
  vpn-site1  vpn-site1
  Propergations:  Propergations:
- vpc-secuirty+ vpc-security
  Routes:  Routes:
  summary of security vpc should be visible thanks to propagations  summary of security vpc should be visible thanks to propagations
  static route 0.0.0.0/0 pointing at the security VPC should be created  static route 0.0.0.0/0 pointing at the security VPC should be created
   
- + 
 +When creating VPN with BGP to third party 
 +  * For each VPN that you do dynamic routing in, create a dedicated route table and attach the VPN to it. 
 +  * Then propergate only those VPCs whose routes you want to share with your new VPN. 
 +  * Associate with the VPN peer. 
 + 
 +Association = Who gets these routes 
 + 
 +Propergations = What routes get installed 
 + 
 + 
 +When we connect GlobalProtect firewalls via VPN to VPN gateway attached to TGW, we create a dedicated TGW Route Table and set 
 +  * Association - associate with GP VPN attachments 
 +  * Propergations - None 
 +  * static route - static route to internal routes and point at the security VPC
  
  
paloaltonetworks/vmseries/aws_gwlb.1657804401.txt.gz · Last modified: (external edit)