PaloAltoNetworks / terraform-aws-swfw-modules

Terraform Reusable Modules for Software Firewalls on AWS
https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/aws
MIT License

[Bug Report] redundant ingress rules in vmseries_mgmt security group #46

Closed stormfruit closed 5 months ago

stormfruit commented 5 months ago

Describe the bug

Hi

In examples/centralized_design/example.tfvars:/vpcs/security_vpc/security_groups/vmseries_mgmt/rules, I don't believe the rules labelled "panorama_mgmt" and "panorama_log" are necessary, as these connections are initiated by the managed devices rather than Panorama, and are covered by the "all_outbound" rule. See https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/firewall-administration/reference-port-number-usage/ports-used-for-panorama for details.

Please forgive me if I have the module & tfvars path wrong or stuffed up this bug report, I'm new here ;)

Thanks

Matt

Module Version

latest

Terraform version

No response

Expected behavior

Redundant rules are not created

Current behavior

Rules are created but are unnecessary / unused

Anything else to add?

```hcl
panorama_mgmt = {
  description = "Permit Panorama Management"
  type        = "ingress", from_port = "3978", to_port = "3978", protocol = "tcp"
  cidr_blocks = ["10.0.0.0/8"]
}
panorama_log = {
  description = "Permit Panorama Logging"
  type        = "ingress", from_port = "28443", to_port = "28443", protocol = "tcp"
  cidr_blocks = ["10.0.0.0/8"]
}
```
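The reasoning in this report (the firewall opens the TCP 3978 and 28443 connections toward Panorama itself, so in a stateful security group only an egress rule is needed) can be turned into a small audit. The following is an added example, not code from the swfw-modules project; the rule map is constructed to mirror the report's snippet, and the `all_outbound` and `https` entries are assumed for illustration.

```python
"""Flag security-group ingress rules that only mirror device-initiated
Panorama traffic and are therefore already covered by an egress rule."""

# TCP ports the managed firewall connects TO on Panorama (device-initiated),
# per the PAN-OS "ports used for Panorama" reference cited in the report.
PANORAMA_DEVICE_INITIATED_TCP = {3978, 28443}

# Constructed sample modelled on the vmseries_mgmt rule map in the report.
# "all_outbound" and "https" are assumed entries, not copied from the module.
SAMPLE_RULES = {
    "all_outbound": {"type": "egress", "from_port": "0", "to_port": "0",
                     "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]},
    "https": {"type": "ingress", "from_port": "443", "to_port": "443",
              "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]},
    "panorama_mgmt": {"type": "ingress", "from_port": "3978", "to_port": "3978",
                      "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]},
    "panorama_log": {"type": "ingress", "from_port": "28443", "to_port": "28443",
                     "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]},
}


def port_range(rule):
    return int(rule["from_port"]), int(rule["to_port"])


def egress_covers(rules, port, proto):
    """True if some egress rule allows `proto` to `port`.
    Protocol "-1" is the AWS all-traffic rule and ignores the port fields."""
    for rule in rules.values():
        if rule["type"] != "egress":
            continue
        if rule["protocol"] == "-1":
            return True
        if rule["protocol"] != proto:
            continue
        lo, hi = port_range(rule)
        if lo <= port <= hi:
            return True
    return False


def redundant_panorama_ingress(rules):
    """Names of TCP ingress rules whose port range only matches ports the
    firewall initiates toward Panorama, and which egress already permits."""
    found = []
    for name, rule in rules.items():
        if rule["type"] != "ingress" or rule["protocol"] != "tcp":
            continue
        lo, hi = port_range(rule)
        hits = {p for p in PANORAMA_DEVICE_INITIATED_TCP if lo <= p <= hi}
        if hits and all(egress_covers(rules, p, "tcp") for p in hits):
            found.append(name)
    return sorted(found)
```

Running `redundant_panorama_ingress(SAMPLE_RULES)` reports the two rules from the report and leaves the `https` ingress alone; remove the egress rule from the map and nothing is flagged, since without it the ingress rules are no longer covered.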
stormfruit commented 5 months ago

Appears this is the case in all examples where Panorama management is referenced.