Learn how to build a centralised security architecture with an application VPC and a security VPC using GWLB. This video also covers the routing configuration and traffic flows in this architecture.
Our PAN SE keeps recommending that I follow the recommended deployment guide, but I'm having a hard time accepting this recommendation, especially after watching this video. As a result, I just have more issues/questions/concerns. For example, outbound traffic is showing in the traffic log with the same "from" and "to" zone. That defeats the whole purpose of using zones! Also, why are there IGWs in the App VPCs? Shouldn't there only be one IGW, in the VPC that the PANs reside in?
There's some good information here, but the narrator is going waaaay too fast, skips over some critical information, and makes a few showstopper mistakes if one copies what is going onscreen. There are some critical concepts that are glossed over in the narrator's race to the finish, leaving people trying to learn scratching their heads. There are some issues with the firewall configuration, as well as issues with some of the core setup such as subnets created. She also zooms past setting up the routes correctly in the security VPC for the GWLB endpoints. This could have been a very good video but it seems like this was done hastily. Please slow down and take more time going over each step.
The target group for the firewall comes up as unhealthy because you're not putting the eth1/1 layer3 interface in a security zone. Also, the CIDR for the security subnet needs to be added as an authorized IP in the interface management profile.
If the ethernet1/1 interface does not have any zone settings, I confirmed that the health-check packet is dropped even though there is an allow-all policy. So I created an additional zone, assigned the ethernet1/1 interface to it, and the state went from unhealthy to healthy.
@user-wm8lx8hj2k Thanks, I wish I had seen this earlier. I called Palo Alto support and spent 2 hours finding the same thing you mentioned. She missed that from the beginning. At 33:41, ethernet1/1 is in zone gwlb-zone.
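The two prerequisites the comments above describe (ethernet1/1 assigned to a zone, and the security subnet CIDR covered by a permitted IP on the interface's management profile) can be checked offline against an exported config. This is an added example, not code from the video or from Palo Alto Networks; the XML element paths follow the usual PAN-OS config layout and are an assumption, and the config fragment, zone name and subnet are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed PAN-OS style config fragment (element paths are assumed, not
# taken from the video). ethernet1/1 is in a zone and its management profile
# permits the whole security subnet, so both GWLB health-check prerequisites pass.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <network>
      <interface><ethernet>
        <entry name="ethernet1/1"><layer3>
          <interface-management-profile>gwlb-health</interface-management-profile>
        </layer3></entry>
      </ethernet></interface>
      <profiles><interface-management-profile>
        <entry name="gwlb-health">
          <permitted-ip><entry name="10.10.1.0/24"/></permitted-ip>
        </entry>
      </interface-management-profile></profiles>
    </network>
    <vsys><entry name="vsys1"><zone>
      <entry name="gwlb-zone"><network><layer3>
        <member>ethernet1/1</member>
      </layer3></network></entry>
    </zone></entry></vsys>
  </entry></devices>
</config>"""

def zone_of(root, ifname):
    """Return the name of the layer3 zone that lists ifname, or None."""
    for zone in root.iterfind("./devices/entry/vsys/entry/zone/entry"):
        if any(m.text == ifname for m in zone.iterfind("./network/layer3/member")):
            return zone.get("name")
    return None

def permitted_ips(root, ifname):
    """Permitted-IP entries of the management profile bound to ifname (may be empty)."""
    prof_ref = root.find(f"./devices/entry/network/interface/ethernet/entry[@name='{ifname}']"
                         "/layer3/interface-management-profile")
    if prof_ref is None or not prof_ref.text:
        return []
    prof = root.find("./devices/entry/network/profiles/interface-management-profile"
                     f"/entry[@name='{prof_ref.text}']")
    return [] if prof is None else [e.get("name") for e in prof.iterfind("./permitted-ip/entry")]

def gwlb_healthcheck_prereqs(config_xml, ifname, security_subnet):
    """Check zone membership and that security_subnet is inside some permitted-ip entry."""
    root = ET.fromstring(config_xml)
    subnet = ipaddress.ip_network(security_subnet)
    covered = any(subnet.subnet_of(ipaddress.ip_network(p)) for p in permitted_ips(root, ifname))
    return {"zone": zone_of(root, ifname), "subnet_permitted": covered}
```

A config with no zone membership for ethernet1/1 yields `zone: None`, which is the unhealthy-target-group case the comments describe.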
Thanks for this video. Is it possible to synchronise configurations in such an architecture with two VM-Series? If yes, can you share a link that shows how?