Palo Alto Networks VM-Series and AWS Gateway Load Balancer Integration Overview

  • Added 3 Dec 2020
  • This video provides an overview of our latest integration of VM-Series Firewalls with AWS Gateway Load Balancer architecture.
    You can watch the demo of deploying this solution using Cloud Formation Template here: • VM-Series and AWS Gate...
    More information about VM-Series and AWS Gateway Load Balancer Integration can be found here: live.paloaltonetworks.com/t5/...
    Visit the AWS page on LIVEcommunity: live.paloaltonetworks.com/t5/...
  • Science & Technology

Comments • 8

  • @chatchaikomrangded960 3 years ago +1

    Great explanation!

  • @RBShreshtha 3 years ago +2

    Thanks a lot

  • @balajipraveen7287 2 years ago +1

    Please help me understand why we are using SNAT & DNAT for the ingress VPC and egress, and why VPN for east-west... please explain and help me understand.

  • @artlewis6511 1 year ago

    Can the IGW receive incoming traffic from the Internet destined for on-prem? We were asked about this requirement; is this possible?

  • @CreateWithDre 3 years ago

    Thank you for explaining the new capability with AWS GWLB. Is there a decentralized model/solution for separate Inbound and Outbound VPCs with a pair of VM-Series FWs? Also, is there any configuration guide that will be made available soon?

  • @djangosmissingfingers 4 months ago

    Why would you not explain why VPN is needed for east-west/egress?

  • @jamesren4949 3 years ago

    Thanks Raj, it would be great if you could attach the route table to each of the nodes for a better understanding of the routing. One quick question: what is the security implication if the firewall inspects inbound and outbound traffic with a single zone?

    • @kilosandkeyboards 3 years ago

      The only real security implication that comes to mind is the fact that everything will now be intrazone. This means that we will need to change the behavior of the default intrazone rule to "deny" (or "drop"), which further necessitates explicitly allowing all of the traffic that we need to function. Also, since all security-policies are now using the same zone, the order of the security-policies becomes more critical, as a "deny" or "drop" can possibly cause issues for all of the rules underneath it. Aside from that, we are still able to allow/deny traffic based on the contents of the L3/L4 headers, implement decryption, inspect the content at L7, etc. just the same as we normally would.
      We also have the ability to set the GWLB VPC-endpoints to correspond to a specific "sub-interface" on the PA-NGFW, and assign specific Zones to those GWLB VPC-endpoint/sub-interface pairings, but this does not actually facilitate interzone traffic, as traffic to and from the PA-NGFW would always technically arrive and leave on a single VPC-endpoint/sub-interface.