topic Re: D-NAT not working in GCP in VM-Series in the Public Cloud

D-NAT not working in GCP

Mitesh_Nandu — Sun, 16 Oct 2022 13:27:25 GMT

Hello Everyone,

I have deployed PA-VM in GCP. In that we have configured 3 VPCs (MGMT, Untrust & Trust).

In the Trust VPC we have created Windows Server 2016, in PA we created D-NAT & Security policy.

In GCP, Under Trust VPC Firewall Ingress traffic is allowed & Route is forwarded to PA-VM instance with 500 priority.

For Untrust VPC - Firewall Ingress traffic is allowed & Route is pointing toward default internet gateway.

What I am missing here ?

Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.

Re: D-NAT not working in GCP

fcorfdir — Sun, 16 Oct 2022 22:00:01 GMT

have you look to your rooting table ? I assume that your wan and internal interface are in DHCP mode ?

Re: D-NAT not working in GCP

Mitesh_Nandu — Mon, 17 Oct 2022 02:29:42 GMT

Hi Fcrofdir,

Both interfaces is configured on static.

Re: D-NAT not working in GCP

fcorfdir — Mon, 17 Oct 2022 02:38:53 GMT

does you create on the palo alto in trust vpc a route return to go back to the virtual router of the trust vpc.

do you create a default route in the untrust to send traffic to the gcp virtual router of the untruste VPC.

did you capture packet il the logs of the palo when you try to send traffic to internet from your winodws server 2016. on the nat screenshot the hit count is "0" meening that no traffic hiting this rules. or maybe no traffic hitting the firewall VM

Re: D-NAT not working in GCP

Mitesh_Nandu — Mon, 17 Oct 2022 04:53:01 GMT

Hi Fcrofdir,

I performed the below steps in GCP:-

1. Created 3 VPCs (MGMT, TRUST & UNTRUST).

2. Create ingress/egress Firewall rules on the vpc networks.

3. Modify the default route for the Trust network to use the Palo Alto instance.

4. Created Trust VPC Network route in Untrust VPC to use PA instance.

In PA performed below steps:-

1. Assigned Static IP Address Interfaces.

2. Created default route.

3. Created Source NAT & Security Policy for Trust VPC Network.

4. Created DNAT & Security Policy for Windows Server.

Kindly let me know which step I missed out.

Re: D-NAT not working in GCP

fcorfdir — Mon, 17 Oct 2022 05:56:33 GMT

it sound Great.

could you generate traffic from your Windows 2016 ? does it ping the PA trust interface ? do you see the traffic in the monitor traffic ? have you overide the intrazone default and teh intezone-default rulese in security policy to log fist packet and last.

if the nat hit coult in nat or the or security rules count don't increase that mind that there is something not working in the trust vpc config in GCP.

I remember in AWS that you have to disable the change source destination check on the Network interface when you set the ip in static on a network interface. I d'ont remeber if you have to do something like that in GCP.

Re: D-NAT not working in GCP

Mitesh_Nandu — Wed, 19 Oct 2022 09:07:10 GMT

Hi Fcrofdir,

Thanks for the hint.

While troubleshooting we found, it was hitting default intrazone rule which was blocked.

Than we changed in the custom rule and it started working.