topic Re: How to secure outbound traffic from Azure? in VM-Series in the Public Cloud

How to secure outbound traffic from Azure?

PepsiEComm — Thu, 15 Sep 2022 20:04:01 GMT

This question might sound stupid but I'm banging my head against the wall trying to figure out how to make this work and I cannot find any documentation anywhere on this website that answers this (simple) question.

I'm trying to setup a VM Series Palo Alto firewall in Azure, to secure outbound (not inbound) traffic from my Azure virtual machines to the internet.

I've already deployed the VM Series Firewall according to these instructions here - Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template) (paloaltonetworks.com) - right through to the end.

I added a load balancer that sits in front of the virtual machine's trust interface, and set a route in the Route Table for the subnets my virtual machines are running on to direct 0.0.0.0/0 traffic to this load balancer's front end. Everything I've read to date says this how to get outbound traffic to go through the firewall.

But when I do this, all my connectivity just breaks. I can't make any outbound connections at all. I added a basic rule to whitelist/allow all traffic in the firewall just to test that the traffic is getting forwarded correctly but still, nothing works. I tried looking at the firewall logs but my outbound requests aren't even showing up as going to the firewall at all (logs are completely empty). Is there some additional configuration I'm supposed to do in PaloAlto PAnOS interface to make this work, and if so, what the heck is it? I can't find any documentation anywhere that says what I'm actually supposed to do.

Re: How to secure outbound traffic from Azure?

raji_toor — Fri, 16 Sep 2022 19:31:39 GMT

@PepsiEComm Looks like your load balancer is not operational. Have you configured routes for 168.63.129.16/32 on a separate VR pointing towards internal interface or to the gateway of loadbalancer subnet *.*.*.1 , 168.63.129.16 is used by Azure LB and firewall should allow it. Also LB will be using port 22 for health checks.

Re: How to secure outbound traffic from Azure?

PepsiEComm — Mon, 03 Oct 2022 16:41:47 GMT

Have you configured routes for 168.63.129.16/32 on a separate VR pointing towards internal interface or to the gateway of loadbalancer subnet *.*.*.1 , 168.63.129.16 is used by Azure LB and firewall should allow it. Also LB will be using port 22 for health checks.

I don't really understand this - there needs be a route configured to 168.63.129.16/32 on palo alto side? or in the load balancer in Azure? If it's on a separate VR how would I get the original VR to work? I'm very confused.

Re: How to secure outbound traffic from Azure?

slashBack — Tue, 04 Oct 2022 13:53:29 GMT

I think he was suggesting that traffic was not being forwarded by your internal Load Balancer (LB) to the firewall(s). The LB should be configured with the Palo-Alto's in a backend pool and sending traffic to them if they are 'up' which is done by the LB sending a health probe on port 22. Check the insights/metrics on the LB to see if health probe status is 100%. If not investigate what is blocking the probe.

Re: How to secure outbound traffic from Azure?

slashBack — Tue, 04 Oct 2022 13:57:41 GMT

Forgot to say that the 'source' of the health probes is 168.63.129.16/32. Check your NSG's on your palo-alto nics and if applicable your subnets to see if this allowed, best practice is to use the source tag 'AzureLoadBalancer' instead of the IP for your NSG rule

Re: How to secure outbound traffic from Azure?

slashBack — Tue, 04 Oct 2022 13:58:49 GMT

Reference Architecture Guide for Azure - Palo Alto Networks - Page 44

Re: How to secure outbound traffic from Azure?

PepsiEComm — Fri, 07 Oct 2022 16:21:57 GMT

The load balancer is set up with port 22 as the health check, the IP address is correct and everything is in the same virtual network, there is no NSG on the palo alto interfaces, yet the health probe is coming back unhealthy.

Is there any configuration I have to do inside palo alto VM to make it accept connections? Is there some resource I can use to figure this out other than having to read a 66 page manual??

Re: How to secure outbound traffic from Azure?

PepsiEComm — Fri, 07 Oct 2022 17:05:57 GMT

That page talks about inbound traffic, my use case for paloalto is to have firewall for outbound traffic only.

Re: How to secure outbound traffic from Azure?

raji_toor — Sun, 09 Oct 2022 05:54:52 GMT

Do you have two VR's?

In summary this is how it works

VR-INT

point route for 168.63.129.16 towards internal interface

point route for internal networks of vnet/subnets towards internal interface

point default route to VR-EXT

VR-EXT

point default route to external interface

point internal routes to VR-INT

If hosting webservers point route to 168.63.129.16 towards external interface for use by external load balancers, if using load balancer on external and have 2 Palos

Assign public IP in Azure to external interface or use NAT gateway

Setup NAT on Palos

Setup UDR's correctly

Re: How to secure outbound traffic from Azure?

aleksandar.astardzhiev — Sun, 09 Oct 2022 16:10:10 GMT

Hi @PepsiEComm ,

I would suggest you to first carefully go over the whole document from @slashBack link. In addition to that I would also suggest to check the deployment guide from here - https://www.paloaltonetworks.com/resources/reference-architectures/azure

But lets take a step back. From your first post you mentioned you have followed the guide how to deploy single VM-Series FW in Azure. If you are deploying standalone FW and not redundant pair, why do you need internal LB behind the trusted interface? You need load-balancer only if you plan to have two firewall for resiliency.

If you do want to have two firewalls in redundant pair (I don't want to call it HA, because there is no sync in config and sessions doing it this way) you need to follow the guides from the links above. The simple task of adding LB to the deployment actually require couple of changes that are not mentioned in the steps you have followed:

- You need to configure interface management profile to allow FW dataplane interface to response to LB probes

- You need to add static route for 168.63.129.16 pointing to the trust interface, so the firewall can return the traffic in correct direction

Re: How to secure outbound traffic from Azure?

PepsiEComm — Tue, 11 Oct 2022 22:30:15 GMT

@aleksandar.astardzhiev wrote:

Hi @PepsiEComm ,

I would suggest you to first carefully go over the whole document from @slashBack link. In addition to that I would also suggest to check the deployment guide from here - https://www.paloaltonetworks.com/resources/reference-architectures/azure

But lets take a step back. From your first post you mentioned you have followed the guide how to deploy single VM-Series FW in Azure. If you are deploying standalone FW and not redundant pair, why do you need internal LB behind the trusted interface? You need load-balancer only if you plan to have two firewall for resiliency.

If you do want to have two firewalls in redundant pair (I don't want to call it HA, because there is no sync in config and sessions doing it this way) you need to follow the guides from the links above. The simple task of adding LB to the deployment actually require couple of changes that are not mentioned in the steps you have followed:

- You need to configure interface management profile to allow FW dataplane interface to response to LB probes

- You need to add static route for 168.63.129.16 pointing to the trust interface, so the firewall can return the traffic in correct direction

But lets take a step back. From your first post you mentioned you have followed the guide how to deploy single VM-Series FW in Azure. If you are deploying standalone FW and not redundant pair, why do you need internal LB behind the trusted interface? You need load-balancer only if you plan to have two firewall for resiliency.

If you do want to have two firewalls in redundant pair (I don't want to call it HA, because there is no sync in config and sessions doing it this way) you need to follow the guides from the links above. The simple task of adding LB to the deployment actually require couple of changes that are not mentioned in the steps you have followed:

- You need to configure interface management profile to allow FW dataplane interface to response to LB probes

- You need to add static route for 168.63.129.16 pointing to the trust interface, so the firewall can return the traffic in correct direction

I'm using a load balancer because that's what the guide said under Step 8:

Gateway
—Deploy a third-party load balancer in front of the UnTrust zone.

Is there a simpler way to do this if you only have one firewall instance and have no need for load balancing or HA?

I just tried setting the Azure route table to skip the load balancer step entirely, to just send traffic directly to the IP address of the Trust interface as well as trying it again to go direct to the IP address of the Untrust interface and there's still the same problem, nothing routes and nothing shows up in the traffic logs.

Is there a quick start guide like this one - https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/set-up-the-vm-series-firewall-on-azure/deploy-the-vm-series-firewall-on-azure-solution-template#ide37bac08-683a-4245-a412-2f74a56855f - for this topic? I'm not trying to do rocket science here, just literally trying to get an Azure virtual machine to use the firewall for outbound traffic.

Re: How to secure outbound traffic from Azure?

Nox_Porto — Mon, 15 May 2023 11:41:04 GMT

Hi Pepsi EComm,

I have the same problem as you, I have configured the route table, I have configured everything related to my palo alto. But I have no way to make the outgoing traffic from my VMs go through the Firewall.

You managed to solve this problem.

Thank you very much in advance.

Best regards