GlobalProtect supports several authentication methods, including a SAML 2.0 identity provider (IdP). This example shows how to set up authentication through AWS IAM Identity Center (formerly AWS SSO). Before adding the SAML IdP, you must already have AWS Directory Service configured. To begin, add an application: go to "IAM Identity Center" -> "Application assignments" -> "Application" and click "Add …
Continue reading "Palo Alto VM-Series Firewall: GlobalProtect – AWS SAML"
PAN-OS can only generate self-signed certificates or import existing ones. To use a Let’s Encrypt certificate, you have to request it on another host, so the only validation method available is the DNS challenge. AWS Route 53 is used as the DNS provider, Certbot is used to obtain the certificate, and we also need …
Continue reading "Palo Alto VM-Series Firewall: Let’s Encrypt certificate"
VM-Series Firewall SSH. To use the WebUI, an administrator password must be set first, and for this you need to connect over SSH. After the instances are created it takes 10-15 minutes for the firewall to initialize and become reachable over SSH. Connect to the first instance as SSH user "admin" and run the following commands: Enter the …
Continue reading "Palo Alto VM-Series Firewall: AWS HA Multi AZ for GlobalProtect – Part 2"
The Palo Alto VM-Series Firewall uses an active/passive configuration for high availability, in which the active firewall continuously synchronizes its configuration and its table of active sessions to an identically configured passive firewall. There are two options for achieving HA on AWS: "Secondary IP Move" and "Dataplane Interface Move". Secondary IP Move: if the active …
Continue reading "Palo Alto VM-Series Firewall: AWS HA Multi AZ for GlobalProtect – Part 1"
To mount an S3 bucket as a file system you need to install s3fs. Create a directory to mount it on, and add the following to "/etc/fstab", where: "artem-service-bucket:/upload/" – the S3 bucket name and the directory inside the bucket to mount; "url=https://s3.eu-central-1.amazonaws.com,endpoint=eu-central-1" – the region in which the S3 bucket is located; "iam_role" – …
Continue reading "S3 – Mounting in Linux"
The RDS login and password are stored in AWS Secrets Manager and have to be read into the Terraform code. To do this, you can use the following construction: And then use the variables:
The SSM Parameter Store contains the following JSON: The login and password have to be extracted from it and used in the Terraform code. To do this, you can use the following construction: And then use the variables:
To select a Python version in the pipeline, the required versions must be installed on the system. The steps below were performed on CentOS 7, and the binaries were installed into "/usr/bin/" for convenience, since the system already has versions "2.7" and "3.6" installed from the repository along this …
Continue reading "Jenkins – Python VirtualEnv with version selection"
Goal: allow public read access to all objects in the S3 bucket only over a VPN connection; from the rest of the Internet the objects must not be public. OpenVPN is used as the VPN service, which can be deployed anywhere, so we build an allow rule that checks the source IP address. First you need …
Continue reading "AWS – S3: Allow public access to objects over VPN"
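The bucket policy the post builds is an allow rule for anonymous `s3:GetObject` scoped by an `aws:SourceIp` condition. The following is an added example, not code from the original post: it generates that policy and includes a small evaluator for exactly this policy shape so the rule can be checked offline. The bucket name `example-bucket` and the VPN egress address `203.0.113.10` (a documentation-range address) are assumptions.

```python
"""Bucket policy that lets only clients behind the VPN read objects.

Added example, not from the original post. The bucket name and the VPN
egress address (203.0.113.10, a documentation-range address) are assumed.
"""
import fnmatch
import ipaddress
import json

# Assumed public IP of the OpenVPN server; VPN clients must exit through it.
VPN_EGRESS_CIDRS = ["203.0.113.10/32"]


def bucket_policy(bucket, cidrs):
    """Allow anonymous s3:GetObject on every object, but only from `cidrs`."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadFromVPNOnly",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"IpAddress": {"aws:SourceIp": list(cidrs)}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _source_ip_ranges(statement):
    """Return the aws:SourceIp CIDRs of a statement, or None if unconditional."""
    cidrs = statement.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
    return None if cidrs is None else _as_list(cidrs)


def allows_get_object(policy, bucket, key, source_ip):
    """Minimal evaluator for this policy shape (not a full IAM engine):
    anonymous GET is allowed only if an Allow statement for Principal "*"
    matches the object ARN and the caller's IP is inside a listed range."""
    ip = ipaddress.ip_address(source_ip)
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or st.get("Principal") != "*":
            continue
        actions = _as_list(st["Action"])
        if "s3:GetObject" not in actions and "s3:*" not in actions:
            continue
        if not any(fnmatch.fnmatchcase(arn, r) for r in _as_list(st["Resource"])):
            continue
        ranges = _source_ip_ranges(st)
        if ranges is None:
            return True  # no source-IP condition: readable from anywhere
        if any(ip in ipaddress.ip_network(c, strict=False) for c in ranges):
            return True
    return False


def is_public(policy):
    """True if some Principal "*" Allow is unconditional or scoped to a /0 range.
    S3's own public-access check treats a "*" grant as non-public only when it
    is limited by a fixed aws:SourceIp range, which this mirrors loosely."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or st.get("Principal") != "*":
            continue
        ranges = _source_ip_ranges(st)
        if ranges is None:
            return True
        if any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in ranges):
            return True
    return False


POLICY = bucket_policy("example-bucket", VPN_EGRESS_CIDRS)

if __name__ == "__main__":
    # Save as policy.json and apply with:
    #   aws s3api put-bucket-policy --bucket example-bucket --policy file://policy.json
    print(json.dumps(POLICY, indent=2))
```

Two practical points: S3 sees the address the request arrives from, so the OpenVPN server must NAT client traffic out of its own public IP (otherwise clients' real addresses are checked and denied); and because the `*` grant is bounded by a fixed `aws:SourceIp` range, S3 does not classify this policy as public, while a range such as `0.0.0.0/0` would make it public again.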
This script looks for EBS volumes in the "eu-west-1" region with a tag whose key is "Application" and whose value is passed as an argument, and creates a snapshot of each one. In the same way it searches for snapshots by that tag and deletes all of them except the latest one. An example of running it to create …
Continue reading "Python – AWS EBS creating snapshots based on a tag and keeping only one latest version"
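The rotation step is where such a script can bite: if several volumes carry the same "Application" tag and "everything except the last one" is applied across the whole tag, the snapshots of every volume but the most recently snapshotted one are deleted. The following is an added example, not the script from the original post: it goes one step beyond the excerpt by keeping the newest snapshot per volume, and it separates the pruning decision from the AWS calls so the decision can be tested with constructed data. The `SAMPLE_SNAPSHOTS` data, the volume IDs and the `snapshot_rotate` helper name are assumptions.

```python
"""Snapshot EBS volumes selected by tag and keep only the newest snapshot per volume.

Added example, not the original post's script. Requires boto3 and AWS
credentials only for the live path (main); the pruning logic runs offline.
"""
from __future__ import annotations

import sys
from datetime import datetime, timezone

REGION = "eu-west-1"
TAG_KEY = "Application"


def snapshots_to_delete(snapshots):
    """Return snapshot IDs to delete: every snapshot except the newest per volume.

    `snapshots` is a list of dicts with SnapshotId, VolumeId and StartTime
    (the fields returned by ec2.describe_snapshots)."""
    newest = {}
    for snap in snapshots:
        vol = snap["VolumeId"]
        if vol not in newest or snap["StartTime"] > newest[vol]["StartTime"]:
            newest[vol] = snap
    keep = {snap["SnapshotId"] for snap in newest.values()}
    return sorted(s["SnapshotId"] for s in snapshots if s["SnapshotId"] not in keep)


def tagged_volume_ids(ec2, tag_value):
    """IDs of volumes whose TAG_KEY tag equals tag_value (paginated)."""
    ids = []
    pages = ec2.get_paginator("describe_volumes").paginate(
        Filters=[{"Name": f"tag:{TAG_KEY}", "Values": [tag_value]}]
    )
    for page in pages:
        ids.extend(v["VolumeId"] for v in page["Volumes"])
    return ids


def tagged_snapshots(ec2, tag_value):
    """Snapshots owned by this account that carry the same tag (paginated)."""
    snaps = []
    pages = ec2.get_paginator("describe_snapshots").paginate(
        OwnerIds=["self"],
        Filters=[{"Name": f"tag:{TAG_KEY}", "Values": [tag_value]}],
    )
    for page in pages:
        snaps.extend(page["Snapshots"])
    return snaps


def snapshot_rotate(ec2, tag_value):
    """Create one snapshot per tagged volume, tagged the same way so the next
    run finds it, then delete all older snapshots for each volume."""
    created = []
    for vol_id in tagged_volume_ids(ec2, tag_value):
        resp = ec2.create_snapshot(
            VolumeId=vol_id,
            Description=f"{TAG_KEY}={tag_value} automatic snapshot",
            TagSpecifications=[
                {"ResourceType": "snapshot",
                 "Tags": [{"Key": TAG_KEY, "Value": tag_value}]}
            ],
        )
        created.append(resp["SnapshotId"])
    # The fresh snapshots are still "pending" but already have a StartTime,
    # so they are the ones kept; everything older for the same volume goes.
    for snap_id in snapshots_to_delete(tagged_snapshots(ec2, tag_value)):
        ec2.delete_snapshot(SnapshotId=snap_id)
    return created


# Constructed sample data for the offline pruning check (not real snapshots).
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-a1", "VolumeId": "vol-1",
     "StartTime": datetime(2024, 1, 1, tzinfo=timezone.utc)},
    {"SnapshotId": "snap-a2", "VolumeId": "vol-1",
     "StartTime": datetime(2024, 1, 3, tzinfo=timezone.utc)},
    {"SnapshotId": "snap-a3", "VolumeId": "vol-1",
     "StartTime": datetime(2024, 1, 2, tzinfo=timezone.utc)},
    {"SnapshotId": "snap-b1", "VolumeId": "vol-2",
     "StartTime": datetime(2024, 1, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <{TAG_KEY} tag value>")
    import boto3  # imported here so the pruning logic stays importable without it
    ec2 = boto3.client("ec2", region_name=REGION)
    print("created:", snapshot_rotate(ec2, sys.argv[1]))
```

The IAM policy for the role running this only needs `ec2:DescribeVolumes`, `ec2:DescribeSnapshots`, `ec2:CreateSnapshot`, `ec2:CreateTags` and `ec2:DeleteSnapshot`; restricting `DeleteSnapshot` with a tag condition on the same key keeps a bug in the selection from removing unrelated snapshots.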