PaloAltoNetworks / aws-elb-autoscaling

Auto Scaling VM-Series firewalls in AWS
http://live.paloaltonetworks.com/cloudtemplate

Error in ASG #5

Closed vijayrcse closed 7 years ago

vijayrcse commented 7 years ago

Hi, I am getting the below error in ASG lambda. Could you please advise what could be wrong here?

```
START RequestId: XXXX-9498-11e7-9cd8-d124572c0273 Version: $LATEST
[ERROR] 2017-09-08T13:22:29.317Z XXXX-9498-11e7-9cd8-d124572c0273 [RunCommand Response Fail]:
[ERROR] 2017-09-08T13:22:34.323Z XXXX-9498-11e7-9cd8-d124572c0273 [RunCommand Response Fail]:
END RequestId: XXXX-9498-11e7-9cd8-d124572c0273
```

narayan-iyengar commented 7 years ago

Is there any other error after ResponseFail?

Also does this happen consistently? Sometimes I have seen Lambda act up, but redeploying the template tends to solve the issue.

If you have more details let me know and I can look into it further.

vijayrcse commented 7 years ago

Yes, this is the error message: "urlopen error timed out"

vijayrcse commented 7 years ago

It is thrown while it is trying to connect to "https://mgmtIP/api/..."

narayan-iyengar commented 7 years ago

OK...better. Can you access the mgmtIP address? Have you modified anything in the template or the lambda functions?

Stack deployment completed successfully?

vijayrcse commented 7 years ago

Stack deployment is a success. Nothing modified in the template. Will check the mgmt IP.

vijayrcse commented 7 years ago

What is the api-key by default for KeyPANWFirewall?

originalwarby commented 7 years ago

There is no default API key for AWS firewalls because there is no default admin password on AWS instances (required for an API key.) If you are bootstrapping your VM-Series in AWS to have a fixed admin password, you could generate the key on a lab VM-Series with the same credentials and as long as you don't change the firewall master key, you will be all set for bootstrapped firewalls.

Better yet, create a separate user for your api calls with permissions to only access the required functions and use that to generate your api key. More details in the admin guide: https://www.paloaltonetworks.com/documentation/80/pan-os/xml-api/get-started-with-the-pan-os-xml-api

ghost commented 7 years ago

As @originalwarby suggested, create a separate user for your api calls with permissions to only access the required functions and use the following XML API to generate the key.

https://\<Firewall IP>/api/?type=keygen&user=\<username>&password=\<password>

The default username and password for the auto scaled firewall is pandemo/demopassword.
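The keygen call discussed above, as an added example that is not part of the original thread or the project's code: it sends the credentials in a POST body so they stay out of URL logs, verifies the firewall certificate, and parses the XML reply. It assumes the firewall accepts form-encoded POST for keygen; the function names, the `192.0.2.10` address, the `api-user` account and the sample responses are constructed for illustration.

```python
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample replies in the XML API's response envelope (not real keys).
SAMPLE_OK = "<response status='success'><result><key>CONSTRUCTED-KEY-0000</key></result></response>"
SAMPLE_ERR = "<response status='error' code='403'><result><msg>Invalid credentials.</msg></result></response>"


def build_keygen_request(firewall_ip, username, password):
    """Build the keygen request with user/password in the POST body, not the URL."""
    body = urllib.parse.urlencode({"user": username, "password": password})
    return urllib.request.Request(
        f"https://{firewall_ip}/api/?type=keygen",
        data=body.encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def parse_keygen_response(xml_text):
    """Return the API key, or raise ValueError carrying the firewall's message."""
    root = ET.fromstring(xml_text)
    key = root.findtext("./result/key")
    if root.get("status") != "success" or not key:
        msg = root.findtext(".//msg") or "no key in response"
        raise ValueError(f"keygen failed: {msg.strip()}")
    return key.strip()


def fetch_api_key(firewall_ip, username, password, cafile=None, timeout=10):
    """Request a key over verified TLS; cafile is the CA that signed the mgmt cert.

    A URLError with "timed out" here means the caller has no network path to
    the management interface (routing, security group, or subnet placement).
    """
    ctx = ssl.create_default_context(cafile=cafile)  # certificate checks stay on
    req = build_keygen_request(firewall_ip, username, password)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_keygen_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    print(parse_keygen_response(SAMPLE_OK))
```
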

originalwarby commented 7 years ago

Quick clarification, the pandemo/demopassword credentials only work with the sample bootstrap file we posted that should only be used for eval/testing. That bootstrap file (and those credentials) should never be used in production.

vijayrcse commented 7 years ago

Using pandemo/demopassword credentials for now for eval/testing. Thanks.

narayan-iyengar commented 7 years ago

Closing issue