paloaltonetworks:vmseries:aws_gwlb

Differences
paloaltonetworks:vmseries:aws_gwlb [2022/07/20 08:54] – created bstafford
paloaltonetworks:vmseries:aws_gwlb [2023/01/16 13:45] (current) – [Routing] bstafford
Line 1: Line 1:
 ====== AWS Gateway Load Balancer ====== ====== AWS Gateway Load Balancer ======
  
-Panorama - use c5.4xlarge (16CPU and 32 GB of RAM). This is okay for managment mode only. However, if you want Panorama mode, you will need 16 CPU and 32 RAM and Panorama will only detect the c5.4xlarge as having 31 GB of RAM even though it has 32. This will cause an annoying popup on every login.+Panorama - use c5.4xlarge (16CPU and 32 GB of RAM). This is okay for managment mode only. However, if you want Panorama mode, you will need 16 CPU and 32 RAM and Panorama will only detect the c5.4xlarge as having 31 GB of RAM even though it has 32. This will cause an annoying popup on every login. (NOTE: I didn't see this issue on PAN-OS 10.2.3)
  
   * Panorama-AWS-10.1.5-h1-f264c750-1102-41c9-a14d-b54ea51780e4   * Panorama-AWS-10.1.5-h1-f264c750-1102-41c9-a14d-b54ea51780e4
   * ami-0e7d693c0e72ad111   * ami-0e7d693c0e72ad111
-  + 
 + 
 +===== AMI ==== 
 +AWS CLI command to get AMI for PAN-OS 10.1.7 in region eu-west-1.  
 +<code>aws ec2 describe-images --filters "Name=product-code,Values=6njl1pau431dv1qxipg63mvah" Name=name,Values=PA-VM-AWS*10.1.7*  --region eu-west-1 --output json</code> 
 +Or, even better 
 +<code>aws ec2 describe-images --filters "Name=product-code,Values=6njl1pau431dv1qxipg63mvah" Name=name,Values=PA-VM-AWS*10.1.7*  --region eu-west-1 --output json | grep ImageId | awk -F "\"" '{print $4}'</code> 
 +because --query Images.ImageId didn't work. 
 + 
 +Values specifies BND1, BND2 or BYOL 
 +  * BND1 = e9yfvyj3uag5uo5j2hjikv74n 
 +  * BND2 = hd44w1chf26uv4p52cdynb2o 
 +  * BYOL = 6njl1pau431dv1qxipg63mvah 
 + 
 +===== VM AUTH PIN ===== 
 +<code>vm-series-auto-registration-pin-id= 
 +vm-series-auto-registration-pin-value=</code> 
 +c5.12xlarge is more expensive but has 48vCPU and 96GB RAM.
 <code>request system system-mode panorama</code> <code>request system system-mode panorama</code>
 <code>show system info | match system-mode</code> <code>show system info | match system-mode</code>
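Review bot: `--query Images.ImageId` yields null because `Images` is a list, not an object; `--query 'Images[*].ImageId' --output text` prints the ID(s) directly and replaces the `grep ImageId | awk -F "\"" '{print $4}'` pipeline in the second command (use `Images[0].ImageId` when exactly one match is expected). The new heading `===== AMI ====` has five `=` on the left and four on the right, so DokuWiki will not render it at the same level as `===== VM AUTH PIN =====`; balance it. The `vm-series-auto-registration-pin-value` is the secret half of the VM auth key pair, so the block should stay an empty template and the real value never be pasted into the page. The `c5.12xlarge` sentence sits below the VM AUTH PIN block but is about Panorama sizing and belongs with the c5.4xlarge paragraph at the top of the page.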
Line 65: Line 82:
     * Create propergation with the security VPC     * Create propergation with the security VPC
     * Create association for the spoke VPCs     * Create association for the spoke VPCs
 +    * Create static default route pointing at security VPC
  
 Edit 'spokes' TGW route table and create static route 0.0.0.0/0 pointing at the security attachment Edit 'spokes' TGW route table and create static route 0.0.0.0/0 pointing at the security attachment
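Review bot: the added bullet `Create static default route pointing at security VPC` duplicates the instruction on the very next line (`create static route 0.0.0.0/0 pointing at the security attachment`); keep one of the two, and have it say "security VPC attachment", since a TGW static route targets an attachment, not a VPC. The unchanged bullet above still reads "propergation" (propagation).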
Line 137: Line 155:
   * security-firewall-public no special rules. default will do. Block inbound. allow outbound   * security-firewall-public no special rules. default will do. Block inbound. allow outbound
   * security-firewall-managment allow icmp, ssh and https from your public IP   * security-firewall-managment allow icmp, ssh and https from your public IP
-  * security-firewall-private allow all traffic from RFC1918+  * security-firewall-private allow all traffic for health checks and also for UDP-6081 (GWLB GENEVE tunnel)
  
  
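Review bot: "allow all traffic" on the private interface security group is wider than the GWLB needs. Both the GENEVE tunnel (UDP 6081) and the health checks arrive from the GWLB's own ENIs in the security VPC, so the group can be scoped to the GWLB subnet CIDRs as source with UDP 6081 plus the health-check port/protocol configured on the target group, and nothing else. The replaced rule at least restricted the source to RFC1918; the new wording drops any source restriction, so state the intended source explicitly.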
Line 329: Line 347:
  vpn-site1  vpn-site1
  Propergations:  Propergations:
- vpc-secuirty+ vpc-security
  Routes:  Routes:
  summary of security vpc should be visible thanks to propagations  summary of security vpc should be visible thanks to propagations
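Review bot: the `vpc-secuirty` to `vpc-security` fix is correct; the `Propergations:` label two lines above has the same kind of misspelling (`Propagations:`) and could be corrected in the same edit.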
paloaltonetworks/vmseries/aws_gwlb.1658307284.txt.gz · Last modified: (external edit)