Enable VM-Series Integration with a Gateway Load Balancer

When integrating the VM-Series firewall with a GWLB, you must first enable the VM-Series firewall to properly process traffic redirected to the firewall by the GWLB endpoints. You can enable this functionality using the VM-Series firewall CLI, through the VM-Series bootstrapping package, or the user-data field in the AWS console.
VM-Series firewall deployment with a GWLB requires:
  • PAN-OS 10.0.2 or later
  • VM-Series plugin 2.0.2 or later
  • Panorama 10.0.2 or later if you are using Panorama to manage your firewalls
The table below lists the commands required to enable GWLB traffic inspection and associate a subinterface with a VPC endpoint. Operation commands can be used in a bootstrapping init-cfg.txt file or in the user-data field in the AWS console.
| Bootstrap Parameter | CLI Command | Description |
|---|---|---|
| mgmt-interface-swap=enable | set system setting mgmt-interface-swap enable yes (This command requires the firewall to reboot before taking effect.) | Swaps eth0 and eth1. Eth0 becomes a data interface and eth1 becomes the management interface. |
| plugin-op-commands=aws-gwlb-inspect:enable | request plugins vm_series aws gwlb inspect enable <yes/no> | Enables the VM-Series firewall to process traffic passing through a GWLB. |
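
A firewall launched without these two bootstrap parameters will not process the traffic the GWLB endpoints redirect to it, so it is worth checking the init-cfg.txt or user-data content before launch. The following pre-deployment check is an added example, not Palo Alto Networks code; the function names and sample inputs are constructed, and it assumes key=value pairs separated by newlines or semicolons and a comma-separated plugin-op-commands value.

```python
# Added example: lint a VM-Series bootstrap config for the GWLB settings
# listed in the table above. Function names here are hypothetical.
REQUIRED_SWAP = ("mgmt-interface-swap", "enable")
REQUIRED_PLUGIN_OP = "aws-gwlb-inspect:enable"


def parse_bootstrap(text):
    """Parse key=value pairs into a dict.

    Assumption: pairs are separated by newlines (init-cfg.txt) or by
    semicolons (user-data); blank entries and '#' comments are skipped.
    """
    params = {}
    for entry in text.replace(";", "\n").splitlines():
        entry = entry.strip()
        if not entry or entry.startswith("#") or "=" not in entry:
            continue
        key, value = entry.split("=", 1)
        params[key.strip().lower()] = value.strip()
    return params


def check_gwlb_bootstrap(text):
    """Return a list of findings; an empty list means both settings are set."""
    params = parse_bootstrap(text)
    findings = []
    key, wanted = REQUIRED_SWAP
    if params.get(key, "").lower() != wanted:
        findings.append(f"{key} is {params.get(key)!r}, expected {wanted!r}")
    # Assumption: plugin-op-commands holds a comma-separated list of operations.
    raw_ops = params.get("plugin-op-commands", "")
    ops = [op.strip().lower() for op in raw_ops.split(",")]
    if REQUIRED_PLUGIN_OP not in ops:
        findings.append(f"plugin-op-commands lacks {REQUIRED_PLUGIN_OP}")
    return findings


# Constructed sample inputs (not taken from a real deployment).
GOOD_INIT_CFG = "mgmt-interface-swap=enable\nplugin-op-commands=aws-gwlb-inspect:enable\n"
GOOD_USER_DATA = "mgmt-interface-swap=enable;plugin-op-commands=aws-gwlb-inspect:enable"
MISSING_INSPECT = "mgmt-interface-swap=enable\nplugin-op-commands=\n"
MISSING_BOTH = "# constructed sample\nhostname=fw-example\n"

if __name__ == "__main__":
    samples = [("init-cfg", GOOD_INIT_CFG), ("user-data", GOOD_USER_DATA),
               ("missing-inspect", MISSING_INSPECT), ("missing-both", MISSING_BOTH)]
    for name, sample in samples:
        print(name, check_gwlb_bootstrap(sample) or "OK")
```

An empty result means both parameters are present; each finding names the setting that would leave the firewall unable to handle GWLB traffic.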
