I\u2019ve used following Terraform code to create an Aviatrix FireNet egress only transit<\/p>\n\n\n\n
module \"transit_firenet_egress\" {\n source = \"terraform-aviatrix-modules\/aws-transit-firenet\/aviatrix\"\n version = \"5.0.0\"\n name = \"egress\"\n cidr = \"10.1.0.0\/20\"\n region = var.region\n account = var.account\n firewall_image = \"Palo Alto Networks VM-Series Next-Generation Firewall (BYOL)\"\n inspection_enabled = false\n egress_enabled = true\n enable_egress_transit_firenet = true\n single_az_ha = false\n use_gwlb = true\n firewall_image_version = \"10.1.3\"\n}<\/code><\/pre>\n\n\n\nThen followed steps in this article:<\/p>\n\n\n\n\nhttps:\/\/docs.aviatrix.com\/HowTos\/transit_firenet_workflow_aws_gwlb.html?highlight=gwlb#palo-alto-network-pan\n<\/div><\/figure>\n\n\n\n- Step 3 can be skipped, as no need to active license<\/li>
- Step 4 can be skipped, as Firewall is configured as one-armed mode, there\u2019s no WAN port<\/li>
- Step 6 can be skipped, as again Firewall is one-armed mode, there\u2019s no need for route table changes<\/li><\/ul>\n\n\n\n
After the configuration and confirmed Firewall worked as expected. I\u2019ve saved the configuration as bootstrap.xml<\/strong><\/p>\n\n\n\nThen I\u2019ve followed this article:<\/p>\n\n\n\n\nhttps:\/\/docs.aviatrix.com\/HowTos\/bootstrap_example.html\n<\/div><\/figure>\n\n\n\n- Created S3 bucket<\/li>
- Created IAM Role bootstrap-VM-S3-role<\/strong> and Policy bootstrap-VM-S3-policy<\/strong><\/li><\/ul>\n\n\n\n
{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:ListBucket\"\n ],\n \"Resource\": [\n \"arn:aws:s3:::*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:GetObject\"\n ],\n \"Resource\": [\n \"arn:aws:s3:::*\"\n ]\n }\n ]\n}<\/code><\/pre>\n\n\n\n- Create following folder structure in S3 bucket<\/li><\/ul>\n\n\n\n
bootstrap-bucket\/\n config\/\n init-cfg.txt\n bootstrap.xml\n content\/\n license\/\n software\/<\/code><\/pre>\n\n\n\n- Uploaded bootstrap.xml and init-cfg.txt<\/a><\/li>
- Modified Terraform code, so it looks like<\/li><\/ul>\n\n\n\n
module \"transit_firenet_egress\" {\n source = \"terraform-aviatrix-modules\/aws-transit-firenet\/aviatrix\"\n version = \"5.0.0\"\n name = \"egress\"\n cidr = \"10.1.0.0\/20\"\n region = var.region\n account = var.account\n firewall_image = \"Palo Alto Networks VM-Series Next-Generation Firewall (BYOL)\"\n inspection_enabled = false\n egress_enabled = true\n enable_egress_transit_firenet = true\n single_az_ha = false\n use_gwlb = true\n firewall_image_version = \"10.1.3\"\n bootstrap_bucket_name_1 = \"<s3-buck-name>\"\n iam_role_1 = \"bootstrap-VM-S3-role<\/strong>\"\n}<\/code><\/pre>\n\n\n\nPalo CLI command to check if bootstrap worked:<\/p>\n\n\n\n
show system bootstrap status<\/code><\/pre>\n\n\n\nIn my case, the bootstrap appeared to be working<\/p>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/03\/image-1024x182.png\")
<\/figure>\n\n\n\nAdditional command to troubleshoot bootstrap, or you can watch console session messages<\/p>\n\n\n\n
debug logview component bts_details<\/code><\/pre>\n\n\n\nHowever when tried to pass traffic through firewall, even when policy is wide open, package capture still shows traffic get dropped when sending from GWLB endpoints<\/p>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/03\/image-1-1024x56.png\")
<\/figure>\n\n\n\nAfter comparing with a working manually configured firewall with an bootstrapped firewall, here\u2019s the observations:<\/p>\n\n\n\n
- When bootstrap.xml<\/strong> loaded via bootstrap, and export the configuration right away, only public-key<\/strong> got modified, which makes sense as new firewall gets new ssh keys<\/li>
- I\u2019ve also learned that when there\u2019s a conflict setting between init-cfg.txt<\/strong> and bootstrap.xml<\/strong>, the setting in init-cfg.txt<\/strong> wins<\/a>. Since we are not using Panorama at this point, all values of the init-cfg.txt<\/strong> should be just empty like this:<\/li><\/ul>\n\n\n\n
type=\nip-address=\ndefault-gateway=\nnetmask=\nipv6-address=\nipv6-default-gateway=\nhostname=\nvm-auth-key=\npanorama-server=\npanorama-server-2=\ntplname=\ndgname=\ndns-primary=\ndns-secondary=\nop-command-modes=\ndhcp-send-hostname=\ndhcp-send-client-id=\ndhcp-accept-server-hostname=\ndhcp-accept-server-domain=<\/code><\/pre>\n\n\n\n- We also found out when using bootstrap with terraform, the GWLB isn\u2019t enabled, CLI command to check:<\/li><\/ul>\n\n\n\n
show plugins vm_series aws gwlb<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/03\/image-2.png\")
<\/figure>\n\n\n\n- The management interface however has been swapped as expected<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/03\/image-3-1024x124.png\")
<\/figure>\n\n\n\n- Since we do need to use GWLB to pass traffic to the firewall, tried following command:<\/li><\/ul>\n\n\n\n
request plugins vm_series aws gwlb inspect enable yes<\/code><\/pre>\n\n\n\nNow the GWLB is enabled, and traffic is passing!<\/p>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/03\/image-4.png\")
<\/figure>\n\n\n\nWe modified init-cfg.txt<\/strong> to also enable GWLB during bootstrapping<\/p>\n\n\n\ntype=\nip-address=\ndefault-gateway=\nnetmask=\nipv6-address=\nipv6-default-gateway=\nhostname=\nvm-auth-key=\npanorama-server=\npanorama-server-2=\ntplname=\ndgname=\ndns-primary=\ndns-secondary=\nop-command-modes=\ndhcp-send-hostname=\ndhcp-send-client-id=\ndhcp-accept-server-hostname=\ndhcp-accept-server-domain=\nplugin-op-commands=aws-gwlb-inspect:enable<\/strong><\/code><\/pre>\n\n\n\nNow everything is working as expected, reference:<\/p>\n\n\n\n