This repository has been archived by the owner on Jul 7, 2021. It is now read-only.

Use BYOL #69

Open
mr-linxus opened this issue Feb 28, 2020 · 2 comments

Comments

@mr-linxus

Dear,

Would it be possible to adapt the code to use BYOL instead of bundle-2?
I have tried it myself, but somehow it doesn't work.

Steps taken:

  1. In paGroupCft.json: changed the AMI to point to the BYOL AMI (found here: https://docs.paloaltonetworks.com/compatibility-matrix/vm-series-firewalls/aws-cft-amazon-machine-images-ami-list/images-for-pan-os-8-0.html)
  2. In paGroupCft.json: changed "AssociatePublicIpAddress": "true" so the mgmt interface has a public IP (needed to reach the PA support portal for the auth code check)
  3. In initializeTransitAccount.json: changed "RouteTableId" for "mgmtAz1RtAssociation" and "mgmtAz1RtAssociation" to "PubRouteTable", which includes a default route to the IGW (needed to reach the PA support portal for the auth code check)
  4. In the bootstrap\license folder: added an authcodes file (with the auth code in it)
  5. In bootstrap\config\bootstrap.xml and init-cfg.txt: included dns-servers (needed for resolving updates.paloaltonetworks.com)

=> This does:

  • create the PAs as BYOL
  • register the auth code
  • the PAs have a serial number and are working correctly

=> This breaks:
Somehow this breaks the automation and the PAs do not get configured anymore. Example:

  • eth1 default IP (172.15.15.15) does not get adapted to reflect correct IP received via DHCP from AWS
  • No VPN tunnels get created when VPCs are added, ...
  • I also don't see any authentication requests in my system logs on the PA (which I should see because of the API-key get request)

Note:
The BYOL activation does reboot the PA, maybe that is causing some issue? Maybe the scripts to configure the PA run while the system is rebooting?

Maybe you can help me pinpoint where I made a mistake?

Kind regards
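A readiness gate for the reboot hypothesis in the note above, added here as an example (not code from the issue or from the project's automation): it parses the PAN-OS XML API response to the `show jobs all` operational command and polls until the post-boot autocommit job (type `AutoCom`) reports `FIN`/`OK`, so a configuration push can wait until the firewall is actually up. The `fetch` callable and the sample XML are assumptions constructed for this example.

```python
"""Wait for a PAN-OS firewall's autocommit to finish before pushing config.

Example code (not part of the issue or the project). `fetch` is assumed to be
a caller-supplied function that performs the authenticated XML API call for
`show jobs all` and returns the response body as text; it raises while the
box is rebooting and the API is unreachable.
"""
import time
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Job:
    job_id: str
    job_type: str   # e.g. "AutoCom" for the post-boot autocommit
    status: str     # "ACT", "PEND", "FIN", ...
    result: str     # "OK", "FAIL", "PEND", ...


def parse_jobs(xml_text: str) -> List[Job]:
    """Parse the <job> elements of a `show jobs all` response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("PAN-OS API returned status=%r" % root.get("status"))
    return [Job(j.findtext("id", ""), j.findtext("type", ""),
                j.findtext("status", ""), j.findtext("result", ""))
            for j in root.iter("job")]


def autocommit_done(jobs: List[Job]) -> bool:
    """True only if an AutoCom job exists and every one of them finished OK."""
    auto = [j for j in jobs if j.job_type == "AutoCom"]
    return bool(auto) and all(j.status == "FIN" and j.result == "OK" for j in auto)


def wait_for_autocommit(fetch: Callable[[], str], attempts: int = 30,
                        delay: float = 10.0) -> Optional[int]:
    """Poll until autocommit is done; return the number of polls used, or None.

    Connection errors are expected while the firewall reboots after BYOL
    licensing, so they count as "not ready yet" rather than as failures.
    """
    for n in range(1, attempts + 1):
        try:
            if autocommit_done(parse_jobs(fetch())):
                return n
        except Exception:
            pass  # API down or malformed reply during reboot: keep waiting
        if n < attempts:
            time.sleep(delay)
    return None
```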

@mr-linxus

mr-linxus commented Feb 28, 2020

Maybe some more information:
It seems that the table "PaGroupInfo-xxx" in DynamoDB does not get updated (when using the BYOL). The value for InUse is set to YES for the specific PaGroupName that is effectively deployed, however: all the other columns (N1Asn, N2Asn, N1Mgmt, N2Mgmt, N1Eip, N2Eip, ..) are missing.

@mr-linxus

Just tried to "cheat" a bit and manually added the columns (N1Eip, N1Mgmt, N1Pip, N2Eip, N2Mgmt, N2Pip, StackRegionString) to the DynamoDB table. And when I add the TAG to a new VPC:

  • the VpcCountNumber DOES go UP by one (in the DynamoDB table)
  • the cloud native Customer Gateway, the Virtual Private Gateways and the Site-to-Site VPN Connections are created
  • however, no API calls get made to the PA, and nothing gets configured. So that part still does not work.
