https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/420562#M1266 <P>Hi Guys,</P><P>&nbsp;</P><P>I am working on inbound (from the internet) flow on the VM-series untrust interface directly.</P><P>&nbsp;</P><P>Set up -</P><P>VM-series FW - 3 interface -- Mgmt , Untrust , Trust</P><P>&nbsp;</P><P><SPAN>Client -&gt; Internet GW -&gt; EIP -&gt; Firewall untrust interface - eth1/1 - &gt; (SNAT - &nbsp;eth1/2 ; DNAT - Server private IP ) -&gt; Server</SPAN></P><P>&nbsp;</P><P><SPAN>In the monitor log, I can see the SNAT &amp; DNAT taking place, traffic being allowed by Security rule.</SPAN></P><P>&nbsp;</P><P><SPAN>But nothing is getting forwarded to the Server ... No packets are received on the server-side.</SPAN></P><P>&nbsp;</P><P><SPAN>I have checked routes ,&nbsp;</SPAN></P><P><SPAN>default - 0.0.0.0/0 -- exit thru untrust -&gt; IGW</SPAN></P><P><SPAN>private subnet - 10.x.x.x/24 -- thru Trust interface</SPAN></P><P>&nbsp;</P><P><SPAN>Is this not bound to work with directly attaching EIP to untrust interface ?? The same set-up works fine , with an NLB (network load balancer) in front of VM-series fw (untrust interface)</SPAN></P><P>&nbsp;</P><P><SPAN>Just to note - Already have opened TAC support case , with no luck -- too much of back and forth of info sharing , with zero constructive suggestions <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></SPAN></P><P>&nbsp;</P><P><SPAN>++&nbsp;<A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70475" target="_blank">@jmeurer</A>&nbsp; --&nbsp;Any suggestions??</SPAN></P><P>&nbsp;</P> Tue, 20 Jul 2021 06:32:40 GMT abhishah03 2021-07-20T06:32:40Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/420562#M1266 <P>Hi Guys,</P><P>&nbsp;</P><P>I am working on inbound (from the internet) flow on the VM-series untrust interface directly.</P><P>&nbsp;</P><P>Set up -</P><P>VM-series FW - 3 interface -- Mgmt , Untrust , Trust</P><P>&nbsp;</P><P><SPAN>Client -&gt; Internet GW -&gt; EIP -&gt; Firewall untrust interface - eth1/1 - &gt; (SNAT - &nbsp;eth1/2 ; DNAT - Server private IP ) -&gt; Server</SPAN></P><P>&nbsp;</P><P><SPAN>In the monitor log, I can see the SNAT &amp; DNAT taking place, traffic being allowed by Security rule.</SPAN></P><P>&nbsp;</P><P><SPAN>But nothing is getting forwarded to the Server ... No packets are received on the server-side.</SPAN></P><P>&nbsp;</P><P><SPAN>I have checked routes ,&nbsp;</SPAN></P><P><SPAN>default - 0.0.0.0/0 -- exit thru untrust -&gt; IGW</SPAN></P><P><SPAN>private subnet - 10.x.x.x/24 -- thru Trust interface</SPAN></P><P>&nbsp;</P><P><SPAN>Is this not bound to work with directly attaching EIP to untrust interface ?? The same set-up works fine , with an NLB (network load balancer) in front of VM-series fw (untrust interface)</SPAN></P><P>&nbsp;</P><P><SPAN>Just to note - Already have opened TAC support case , with no luck -- too much of back and forth of info sharing , with zero constructive suggestions <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></SPAN></P><P>&nbsp;</P><P><SPAN>++&nbsp;<A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70475" target="_blank">@jmeurer</A>&nbsp; --&nbsp;Any suggestions??</SPAN></P><P>&nbsp;</P> Tue, 20 Jul 2021 06:32:40 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/420562#M1266 abhishah03 2021-07-20T06:32:40Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/420574#M1267 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/179457">@abhishah03</a>,</P><P>&nbsp;</P><P>sorry to hear that had no luck with our TAC team.</P><P>&nbsp;</P><P>Your problem that you subscribes could have many reasons.</P><P>- Did you checked your Security Groups on all interfaces?</P><P>- Did you reviewed all route tables that the traffic get's forwarded correctly?</P><P>- Did you already asked AWS TAC if they can see the packets and could they explain you the reason why the packets didn't received the client host?</P><P>&nbsp;</P><P>Regards,</P><P>Torsten&nbsp;&nbsp;</P> Tue, 20 Jul 2021 06:43:12 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/420574#M1267 tostern 2021-07-20T06:43:12Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/420590#M1268 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70055">@tostern</a>&nbsp; -- Please find the answer inline -</P><P>&nbsp;</P><P>- Did you checked your Security Groups on all interfaces? --&nbsp;<EM>SG is set, properly -- Hence the packets are reaching the PA firewall &amp; logs reflecting the same on (AWS flow logs, PA monitor logs)</EM></P><P>- Did you reviewed all route tables that the traffic get's forwarded correctly? --&nbsp;<EM>Routes is straight forward --- 2 routes on virtual router --&nbsp;</EM></P><P><EM>default - 0.0.0.0/0 -- exit thru untrust -&gt; IGW</EM></P><P><EM>private subnet - 10.x.x.x/24 -- thru Trust interface -- 10.0.0.1</EM></P><P>&nbsp;</P><P>- Did you already asked AWS TAC if they can see the packets and could they explain to you the reason why the packets didn't receive the client host? --&nbsp;<EM>Reason needs to be explained from PA I believe, the packets are reaching the firewall, but not exiting from there :(.</EM></P> Tue, 20 Jul 2021 07:01:53 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/420590#M1268 abhishah03 2021-07-20T07:01:53Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/420596#M1269 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/179457">@abhishah03</a>&nbsp;</P><P>&nbsp;</P><P>so you can see that the packet is leaving the PAN FW but you didn't get any return traffic?</P><P>Did you checked the AWS route tables and are you sure you haven't any SG on the Server that can block the traffic?</P><P>&nbsp;</P><P>Regards,</P><P>Torsten</P> Tue, 20 Jul 2021 07:13:51 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/420596#M1269 tostern 2021-07-20T07:13:51Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/420599#M1270 <P>Nope , I can see the packet only entering PA FW ...</P> Tue, 20 Jul 2021 07:15:55 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/420599#M1270 abhishah03 2021-07-20T07:15:55Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/420602#M1271 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/179457">@abhishah03</a>&nbsp;please send me a email <A href="mailto:tostern@paloaltonetworks.com" target="_blank">tostern@paloaltonetworks.com</A>&nbsp;then i want to have a deeper look into it.&nbsp;</P><P>Afterwards we can share here the solution of the problem.</P><P>&nbsp;</P><P>Regards,</P><P>Torsten</P> Tue, 20 Jul 2021 07:17:44 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/420602#M1271 tostern 2021-07-20T07:17:44Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/420632#M1272 <P>I've just sent you email, with all the details. Pls check &amp; suggest.</P><P>&nbsp;</P><P>The interesting part is everything works fine with traffic ingress point changed to AWS NLB; rather than utilizing the EIP of untrust NIC.</P> Tue, 20 Jul 2021 08:32:20 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/420632#M1272 abhishah03 2021-07-20T08:32:20Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/420755#M1273 <P>Make sure your SNAT rule is set with the original packet set to the untrust private IP and not the EIP.&nbsp; AWS SNATs on the way in and firewall sees the packet after the EIP translation.&nbsp; Also, ensure both interfaces are added to the VR.</P> <P>&nbsp;</P> Tue, 20 Jul 2021 15:52:35 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/420755#M1273 jmeurer 2021-07-20T15:52:35Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/420822#M1274 <P>Yup , that's already in place.</P><P>&nbsp;</P><P>Using Private (untrust) IP in NAT; also both interfaces are added in VR.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 20 Jul 2021 18:34:21 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/420822#M1274 abhishah03 2021-07-20T18:34:21Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/426640#M1297 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/179457">@abhishah03</a>&nbsp;what was the solution to your problem? Pls advise the steps so we can also benefit from it.</P> Fri, 13 Aug 2021 02:15:05 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-untrust-interface-eating-packets/m-p/426640#M1297 Connected123 2021-08-13T02:15:05Z