AWS-GWLB-VMSeries

Need to document that Palo Alto AMIs do not support IMDSv2

Open maljb opened this issue 3 years ago • 4 comments

Documentation link

https://github.com/PaloAltoNetworks/AWS-GWLB-VMSeries/tree/main/terraform/README.md

Describe the problem

I think the Prerequisites should state that Palo Alto AMIs need IMDSv1. Instances can't read the user-data of the AWS instance parameters at first boot if they are restricted to allow only IMDSv2 (for example, by an SCP of the AWS organization).

Suggested fix

  1. Make sure of the IMDS settings
  • Palo Alto AMIs need IMDSv1 to get user-data
  • aws_instance.http_tokens=optional

maljb avatar Jan 07 '22 05:01 maljb

:tada: Thanks for opening your first issue here! Welcome to the community!

Does Palo Alto now support IMDSv2 via https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/vm-series-plugin/vm-series-plugin-30/vm-series-plugin-300.html ?

I do not use any PAN products, but I've been tracking this via the IMDSv2 Wall of Shame: https://github.com/SummitRoute/imdsv2_wall_of_shame

0xdabbad00 avatar Mar 04 '22 16:03 0xdabbad00

@0xdabbad00 Finally, yes! :)

But there are some limitations. It's only supported above PAN-OS version 10.2.0 (need to upgrade from other versions) and is not yet present on AWS Marketplace.

maljb avatar Mar 10 '22 03:03 maljb

I've tried to remediate using an automation script through the AWS CLI and it solved the IMDSv1 problem for VM-Series. Currently I'm using the latest version of PanOS.

mathiznogoud avatar Mar 16 '22 14:03 mathiznogoud
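
Added example, not part of the issue thread or the repository's code: instances launched with `http_tokens=optional` so that the firewall can read its bootstrap user-data remain IMDSv1-reachable until someone tightens them, so an inventory check helps track them as exceptions. The sketch below reads JSON in the shape of `aws ec2 describe-instances` output and lists every instance that is not provably IMDSv2-only; the sample data, instance IDs, and the function names `imds_mode` and `audit` are constructed for illustration.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` JSON output.
# Instance IDs and Name tags are made up for this example.
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0000000000000000a",
   "Tags": [{"Key": "Name", "Value": "vmseries-fw-a"}],
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
  {"InstanceId": "i-0000000000000000b",
   "Tags": [{"Key": "Name", "Value": "app-server"}],
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
  {"InstanceId": "i-0000000000000000c",
   "Tags": [{"Key": "Name", "Value": "batch-worker"}],
   "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
  {"InstanceId": "i-0000000000000000d", "Tags": []}
]}]}
""")


def imds_mode(instance):
    """Classify one instance record (hypothetical helper)."""
    opts = instance.get("MetadataOptions")
    if not opts:
        return "unknown"          # no data: report it rather than assume safe
    if opts.get("HttpEndpoint") == "disabled":
        return "disabled"         # IMDS unreachable, token mode is irrelevant
    return "v2-only" if opts.get("HttpTokens") == "required" else "v1-allowed"


def audit(describe_output):
    """Return (instance_id, name, mode) for every instance not provably IMDSv2-only."""
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            mode = imds_mode(inst)
            if mode in ("v1-allowed", "unknown"):
                name = next((t["Value"] for t in inst.get("Tags", [])
                             if t.get("Key") == "Name"), "")
                findings.append((inst["InstanceId"], name, mode))
    return findings


if __name__ == "__main__":
    for instance_id, name, mode in audit(SAMPLE):
        print(f"{instance_id}\t{name or '-'}\t{mode}")
```
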