PaloAltoNetworks / aws-transit-vpc

automated AWS transit vpc

Use BYOL #69

Open mr-linxus opened 4 years ago

mr-linxus commented 4 years ago

Dear,

Would it be possible to adapt the code to use BYOL instead of bundle-2? I have tried it myself, but somehow it doesn't work.

Steps taken:

1) in paGroupCft.json: changed the AMI to point to the BYOL AMI (found here: https://docs.paloaltonetworks.com/compatibility-matrix/vm-series-firewalls/aws-cft-amazon-machine-images-ami-list/images-for-pan-os-8-0.html)
2) in paGroupCft.json: changed "AssociatePublicIpAddress": "true" so the mgmt has a public IP (needed to reach the PA support portal for the auth code check)
3) in initializeTransitAccount.json: changed "RouteTableId" for "mgmtAz1RtAssociation" and "mgmtAz1RtAssociation" to "PubRouteTable", which includes a default route to the IGW (needed to reach the PA support portal for the auth code check)
4) in the bootstrap\license folder: added an authcodes file (with the auth code in it)
5) in bootstrap\config\bootstrap.xml and init-cfg.txt: included dns-servers (needed for resolving updates.paloaltonetworks.com)

=> this does:

=> this breaks: somehow this breaks the automation and the PAs do not get configured anymore. Example:

Note: The BYOL activation does reboot the PA, maybe that is causing some issue? Maybe the scripts to configure the PA run while the system is rebooting?

Maybe you can help me pinpoint where I made some mistake?

Kind regards

mr-linxus commented 4 years ago

Maybe some more information: It seems that the table "PaGroupInfo-xxx" in DynamoDB does not get updated (when using the BYOL). The value for InUse is set to YES for the specific PaGroupName that is effectively deployed, however: all the other columns (N1Asn, N2Asn, N1Mgmt, N2Mgmt, N1Eip, N2Eip, ..) are missing.
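
The comment above reports the symptom to look for: a PaGroupInfo row whose InUse is YES but whose other attributes (N1Asn, N2Asn, N1Mgmt, N2Mgmt, N1Eip, N2Eip, ...) never got written. The script below is an added example, not code from the aws-transit-vpc project, that makes that check mechanical: it flags every in-use PaGroup row that is missing any of the attributes named in this thread. It assumes the table uses `PaGroupName` and `InUse` as attribute names with `InUse` set to the literal string `YES` (as described here), and it assumes the full attribute list is the union of the two lists the reporter gives (N1Pip, N2Pip and StackRegionString come from the next comment). The sample rows are constructed for illustration, not real data; `scan_pagroup_table` is the only part that talks to AWS and is never called by the offline checks.

```python
"""Flag PaGroupInfo rows that are marked InUse=YES but were never fully populated.

Added example for the aws-transit-vpc BYOL issue; not part of the project.
Assumptions: attribute names PaGroupName / InUse (value "YES") as described in the
issue, and REQUIRED_ATTRS as the union of the attribute lists the reporter gives.
"""
from typing import Dict, Iterable, List

# Attributes a fully deployed PaGroup row should carry, per the two comments in the issue.
REQUIRED_ATTRS = (
    "N1Asn", "N2Asn",
    "N1Mgmt", "N2Mgmt",
    "N1Eip", "N2Eip",
    "N1Pip", "N2Pip",
    "StackRegionString",
)


def missing_attributes(item: Dict[str, object],
                       required: Iterable[str] = REQUIRED_ATTRS) -> List[str]:
    """Return the required attribute names that are absent or empty in a
    DynamoDB item given as a resource-style dict (attribute name -> value)."""
    return [name for name in required if not str(item.get(name, "")).strip()]


def incomplete_in_use_groups(items: Iterable[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map PaGroupName -> missing attribute names for every row with InUse == "YES".
    Rows that are not in use are ignored, because they are expected to be sparse."""
    result: Dict[str, List[str]] = {}
    for item in items:
        if str(item.get("InUse", "")).strip().upper() != "YES":
            continue
        missing = missing_attributes(item)
        if missing:
            result[str(item.get("PaGroupName"))] = missing
    return result


def scan_pagroup_table(table_name: str, region: str) -> List[Dict[str, object]]:
    """Read every row of the PaGroupInfo table (needs boto3 and AWS credentials).
    boto3 is imported lazily so the offline checks above run without it installed."""
    import boto3
    table = boto3.resource("dynamodb", region_name=region).Table(table_name)
    response = table.scan()
    items = list(response.get("Items", []))
    while "LastEvaluatedKey" in response:  # scan() pages at 1 MB; follow the cursor
        response = table.scan(ExclusiveStartKey=response["LastEvaluatedKey"])
        items.extend(response.get("Items", []))
    return items


# Constructed sample rows (not real data): a healthy group, a group in the state the
# issue describes (InUse=YES but nothing else written), and an unused group.
SAMPLE_ITEMS = [
    {
        "PaGroupName": "PaGroup1", "InUse": "YES",
        "N1Asn": "64512", "N2Asn": "64513",
        "N1Mgmt": "10.100.0.10", "N2Mgmt": "10.100.1.10",
        "N1Eip": "198.51.100.10", "N2Eip": "198.51.100.11",
        "N1Pip": "10.100.2.10", "N2Pip": "10.100.3.10",
        "StackRegionString": "us-east-1",
    },
    {"PaGroupName": "PaGroup2", "InUse": "YES"},
    {"PaGroupName": "PaGroup3", "InUse": "NO"},
]

if __name__ == "__main__":
    # Offline demonstration on the constructed rows; swap in
    # scan_pagroup_table("PaGroupInfo-xxx", "us-east-1") to check a live table.
    for group, missing in incomplete_in_use_groups(SAMPLE_ITEMS).items():
        print(f"{group}: InUse=YES but missing {', '.join(missing)}")
```

Run against the constructed rows this reports only PaGroup2, with every required attribute missing, which is the state the comment describes. When the management interface is given a public IP and a default route to the IGW (steps 2 and 3 in the issue) for the licensing call-home, make sure the security group on that interface still limits inbound access; the automation's working state should not depend on an open management port.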

mr-linxus commented 4 years ago

Just tried to "cheat" a bit and manually added the columns (N1Eip, N1Mgmt, N1Pip, N2Eip, N2Mgmt, N2Pip, StackRegionString) to the DynamoDB. And when I add the TAG to a new VPC: