Palo Alto VM-Series Firewall: AWS HA Multi AZ for GlobalProtect – Part 2


VM-Series Firewall

SSH

To use the WebUI we first need to set an administrator password, and for that we need to connect via SSH.

After the instances are created it takes 10-15 minutes before the firewall is initialized and becomes reachable via SSH.

Connect to the first instance; the SSH user is "admin".

And execute the following commands:

configure
set mgt-config users admin password

Enter the password twice and commit the changes:

commit

Repeat the same on the second instance.


Palo Alto VM-Series Firewall: AWS HA Multi AZ for GlobalProtect – Part 1


The Palo Alto VM-Series Firewall uses an active/passive configuration for high availability: the active firewall continuously synchronizes its configuration and active-session state to an identically configured passive firewall. There are two ways to achieve HA on AWS: "Secondary IP Move" and "Dataplane Interface Move".

Secondary IP Move

If the active firewall becomes unavailable, the passive one takes over as active. It makes AWS API calls to move the secondary IP addresses from the unreachable instance to itself and updates the route tables so that traffic is sent to the new active firewall. Failover with this method is faster than with "Dataplane Interface Move".

Dataplane Interface Move

As with "Secondary IP Move", when the passive firewall detects that the active one is no longer available it becomes active, but instead of moving IP addresses it moves the ENIs (dataplane network interfaces) from the unreachable firewall to itself.


 FIX ERROR — Python2: PIP fails after upgrade

After upgrading pip on CentOS 6, which still uses Python 2.7, every pip command fails with an error.

For example:

pip install --upgrade pip
Collecting pip
  Downloading https://files.pythonhosted.org/packages/88/d9/761f0b1e0551a3559afe4d34bd9bf68fc8de3292363b3775dda39b62ce84/pip-22.0.3.tar.gz (2.1MB)
    100% |████████████████████████████████| 2.1MB 544kB/s
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-build-snCNSf/pip/setup.py", line 7
        def read(rel_path: str) -> str:
                         ^
    SyntaxError: invalid syntax

    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-snCNSf/pip/
You are using pip version 8.1.2, however version 22.0.3 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.


Reason:

pip versions above 20.3 do not support Python 2.7.

Solution:

Install the latest supported version:

pip install --upgrade pip==20.3


 Linux – Get path and filename from full path


To extract the directory path or the filename from a full path you can use utilities such as grep, sed or awk (or find, if the input is not a list coming from a file or a variable), but there is an easier way:

  • basename – returns the filename
  • dirname – returns the path to the file

Example:

basename /home/artem/file.txt
file.txt

dirname /home/artem/file.txt
/home/artem


Both utilities are part of the coreutils package.
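When a script processes thousands of paths, forking basename and dirname for each one is slow, and the naive parameter expansions `${p##*/}` / `${p%/*}` return the wrong answer for paths with trailing slashes or without any slash. The following pure-shell equivalents are an added example, not from the original post, and handle those edge cases the same way the coreutils tools do:

```shell
# Added example: pure-POSIX-sh equivalents of basename and dirname.
# Handles trailing slashes ("/home/artem/" -> "artem"), a file in the
# root directory ("/file" -> dirname "/") and bare names ("file" -> ".").

strip_trailing_slashes() {
  # Remove trailing slashes but keep a lone "/" intact.
  p=$1
  while [ "${p%/}" != "$p" ] && [ "$p" != "/" ]; do
    p=${p%/}
  done
  printf '%s\n' "$p"
}

path_basename() {
  p=$(strip_trailing_slashes "$1")
  if [ "$p" = "/" ]; then
    printf '/\n'
    return 0
  fi
  # Everything after the last slash; no slash means the whole string.
  printf '%s\n' "${p##*/}"
}

path_dirname() {
  p=$(strip_trailing_slashes "$1")
  case $p in
    */*) d=${p%/*}          # drop the last component
         [ -z "$d" ] && d=/ ;;   # "/file" -> "/"
    *)   d=. ;;             # no directory part -> current directory
  esac
  # "/a//b" leaves "/a/" above; collapse it to "/a"
  strip_trailing_slashes "$d"
}

# Usage, reproducing the post's example:
path_basename /home/artem/file.txt   # file.txt
path_dirname  /home/artem/file.txt   # /home/artem
```

The `strip_trailing_slashes` step is what makes `/home/artem/` yield `artem` rather than an empty string; without it `${p##*/}` matches the empty tail after the final slash.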

 S3 – Mounting in Linux

To mount an S3 bucket as a file system, install s3fs.

Create a mount point:

mkdir -p /mnt/s3


And add the following line to "/etc/fstab":

artem-service-bucket:/upload/ /mnt/s3 fuse.s3fs _netdev,rw,nosuid,nodev,allow_other,nonempty,iam_role,umask=022,url=https://s3.eu-central-1.amazonaws.com,endpoint=eu-central-1 0 0


Where:

  • "artem-service-bucket:/upload/" – the S3 bucket name and the directory inside the bucket to mount
  • "url=https://s3.eu-central-1.amazonaws.com,endpoint=eu-central-1" – the S3 endpoint and region where the bucket is located
  • "iam_role" – authenticate with the instance's IAM role instead of static access keys


Mount:

mount -a
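The entry above carries the options that matter for a FUSE mount exposed to other local users: `nosuid` and `nodev` (no setuid binaries or device nodes from bucket content), and `iam_role` (no long-lived keys on disk). The check below is an added example, not from the original post: it parses the options field of an fstab line and reports any required option that is missing, so a later edit that drops `nosuid` or switches to static credentials is caught. The `S3FS_FSTAB_LINE` constant is the post's own entry; the other lines in the test are constructed.

```shell
# Added example: audit the mount-options field of /etc/fstab entries.

fstab_opts() {
  # Print the 4th (mount options) field of one fstab line. Word splitting
  # runs in a subshell with globbing off so a "*" in the line cannot expand.
  ( set -f; set -- $1; printf '%s\n' "$4" )
}

check_fstab_opts() {
  # $1: one fstab line; remaining args: options that must be present.
  # Returns 0 if all are present; otherwise prints the missing ones and returns 1.
  line=$1
  shift
  opts=$(fstab_opts "$line")
  missing=""
  for want in "$@"; do
    case ",$opts," in
      *",$want,"*) ;;                        # present (matched as a whole token)
      *) missing="$missing $want" ;;
    esac
  done
  if [ -n "$missing" ]; then
    printf 'missing mount options:%s\n' "$missing"
    return 1
  fi
}

# The entry from the post above:
S3FS_FSTAB_LINE='artem-service-bucket:/upload/ /mnt/s3 fuse.s3fs _netdev,rw,nosuid,nodev,allow_other,nonempty,iam_role,umask=022,url=https://s3.eu-central-1.amazonaws.com,endpoint=eu-central-1 0 0'

# Require the hardening options the entry already carries plus IAM-role auth.
check_fstab_opts "$S3FS_FSTAB_LINE" nosuid nodev iam_role
```

To audit the live file, feed every s3fs line through the check: `grep fuse.s3fs /etc/fstab | while IFS= read -r l; do check_fstab_opts "$l" nosuid nodev iam_role; done`. Note that `allow_other` together with `umask=022` makes the bucket content readable by every local user; tighten the umask if the bucket holds anything that should not be world-readable on the host.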


 Terraform – AWS Secrets Manager: Retrieve RDS login/password

We need to read the RDS login and password, which are stored in AWS Secrets Manager, and use their values in Terraform code. This can be done with the following construction:

# The secret must already exist in Secrets Manager before terraform apply
data "aws_secretsmanager_secret" "rds-admin-user" {
  name  = "/ARTEM-SERVICES/PROD/RDS/CREDENTIALS"
}

data "aws_secretsmanager_secret_version" "rds-admin-user" {
  secret_id = data.aws_secretsmanager_secret.rds-admin-user.id
}

locals {
  additional_rds_username      = jsondecode(data.aws_secretsmanager_secret_version.rds-admin-user.secret_string)["username"]
  additional_rds_user_password = jsondecode(data.aws_secretsmanager_secret_version.rds-admin-user.secret_string)["password"]
}


And reference the values as:

local.additional_rds_username
local.additional_rds_user_password


 Terraform – AWS SSM: Extract content

The SSM Parameter Store parameter contains the following JSON:

{
  "username": "admin",
  "password": "password"
}


We need to extract the login and password and use their values in Terraform code. This can be done with the following construction:

# The parameter must already exist in Parameter Store before terraform apply
data "aws_ssm_parameter" "rds-admin-user" {
  name  = "/ARTEM-SERVICES/PROD/RDS/CREDENTIALS"
}

locals {
  additional_rds_username      = jsondecode(data.aws_ssm_parameter.rds-admin-user.value)["username"]
  additional_rds_user_password = jsondecode(data.aws_ssm_parameter.rds-admin-user.value)["password"]
}


And reference the values as:

local.additional_rds_username
local.additional_rds_user_password


 OpenVPN – Exclude specific IPs or networks from routes

To exclude a specific IP address or range from the routes pushed by the server, add the "net_gateway" parameter to that route: the client then installs the more-specific route via its existing default gateway instead of the tunnel.

For example, if the network "10.0.0.0/8" must be routed through the VPN but the subnet "10.0.1.0/24" must be excluded from it, the entries in the server configuration file look like this:

push "route 10.0.0.0 255.0.0.0"
push "route 10.0.1.0 255.255.255.0 net_gateway"
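The exclusion works by longest-prefix match: the /24 pushed with `net_gateway` is more specific than the /8 pushed through the tunnel, so traffic to 10.0.1.0/24 leaves via the client's original gateway. OpenVPN's `route` directive takes a dotted-quad netmask rather than a prefix length, which is easy to get wrong by hand, so the following added example (not from the original post) generates the `push "route ..."` lines from CIDR notation; the function names are my own.

```shell
# Added example: generate OpenVPN "push route" directives from CIDR notation.

prefix_to_mask() {
  # $1: prefix length 0..32 -> dotted netmask, e.g. 24 -> 255.255.255.0
  p=$1
  case $p in ''|*[!0-9]*) return 1 ;; esac   # must be a non-negative integer
  [ "$p" -le 32 ] || return 1
  # Left-shift an all-ones 32-bit mask and keep the low 32 bits.
  m=$(( (4294967295 << (32 - p)) & 4294967295 ))
  printf '%d.%d.%d.%d\n' \
    $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) $(( (m >> 8) & 255 )) $(( m & 255 ))
}

route_push() {
  # $1: network in CIDR form
  # $2: "vpn"     -> route through the tunnel
  #     "exclude" -> keep on the client's existing default gateway (net_gateway)
  cidr=$1
  mode=$2
  case $cidr in */*) ;; *) return 1 ;; esac   # require a prefix length
  net=${cidr%/*}
  mask=$(prefix_to_mask "${cidr#*/}") || return 1
  case $mode in
    vpn)     printf 'push "route %s %s"\n' "$net" "$mask" ;;
    exclude) printf 'push "route %s %s net_gateway"\n' "$net" "$mask" ;;
    *)       return 1 ;;
  esac
}

# Reproduces the two lines from the post above:
route_push 10.0.0.0/8 vpn
route_push 10.0.1.0/24 exclude
```

Because the excluded route only redirects traffic, not DNS, any name in the excluded subnet still resolves through whatever resolver the client uses while the tunnel is up.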