<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Firewalls in Active Active using Azure Internal Load balancer in VM-Series in the Public Cloud</title>
    <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/firewalls-in-active-active-using-azure-internal-load-balancer/m-p/1226318#M2363</link>
    <description>&lt;P&gt;Hi, we have deployed Palo Alto firewalls on Azure and a Standard Internal Load Balancer with a single front-end IP and a single backend pool. Does the LB maintain session state if:&lt;/P&gt;
&lt;P&gt;(1) communication is sourced from Azure VNET destined to On-premise?&lt;/P&gt;
&lt;P&gt;(2) communication is sourced from On-premise destined to Azure VNET?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We don't have a Virtual Network Gateway deployed; instead we have a Cisco vMX SDWAN in the Azure VNET that extends the connectivity to on-premise, so for on-premise communication we are routing all traffic (after firewall inspection) to the Cisco vMX SDWAN, which further forwards the traffic to on-premise.&lt;/P&gt;
&lt;P&gt;Currently all traffic between the Azure VNETs is routed through the Azure ILB and is working, and no issues have been reported so far. But for traffic sent outside Azure to on-prem, we are observing asymmetric routing causing intermittent drops on the firewall; specifically, we observed issues for SNMP and UDP protocols. So we would like to understand whether this type of design is supported by Palo Alto on Azure using Azure ILB.&lt;/P&gt;</description>
    <pubDate>Fri, 11 Apr 2025 06:47:05 GMT</pubDate>
    <dc:creator>SShaikh647896</dc:creator>
    <dc:date>2025-04-11T06:47:05Z</dc:date>
    <item>
      <title>Firewalls in Active Active using Azure Internal Load balancer</title>
      <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/firewalls-in-active-active-using-azure-internal-load-balancer/m-p/1226318#M2363</link>
      <description>&lt;P&gt;Hi, we have deployed Palo Alto firewalls on Azure and a Standard Internal Load Balancer with a single front-end IP and a single backend pool. Does the LB maintain session state if:&lt;/P&gt;
&lt;P&gt;(1) communication is sourced from Azure VNET destined to On-premise?&lt;/P&gt;
&lt;P&gt;(2) communication is sourced from On-premise destined to Azure VNET?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We don't have a Virtual Network Gateway deployed; instead we have a Cisco vMX SDWAN in the Azure VNET that extends the connectivity to on-premise, so for on-premise communication we are routing all traffic (after firewall inspection) to the Cisco vMX SDWAN, which further forwards the traffic to on-premise.&lt;/P&gt;
&lt;P&gt;Currently all traffic between the Azure VNETs is routed through the Azure ILB and is working, and no issues have been reported so far. But for traffic sent outside Azure to on-prem, we are observing asymmetric routing causing intermittent drops on the firewall; specifically, we observed issues for SNMP and UDP protocols. So we would like to understand whether this type of design is supported by Palo Alto on Azure using Azure ILB.&lt;/P&gt;</description>
      <pubDate>Fri, 11 Apr 2025 06:47:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/firewalls-in-active-active-using-azure-internal-load-balancer/m-p/1226318#M2363</guid>
      <dc:creator>SShaikh647896</dc:creator>
      <dc:date>2025-04-11T06:47:05Z</dc:date>
    </item>
    <item>
      <title>Re: Firewalls in Active Active using Azure Internal Load balancer</title>
      <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/firewalls-in-active-active-using-azure-internal-load-balancer/m-p/1226723#M2365</link>
      <description>&lt;P&gt;For inbound traffic like a web server you need a source and destination NAT. The internal LB is bypassed. For traffic initiated outbound the default gateway needs to be the internal LB. Most likely you are having a NAT problem causing asymmetrical routing. It bit me.&lt;/P&gt;</description>
      <pubDate>Wed, 16 Apr 2025 14:58:15 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/firewalls-in-active-active-using-azure-internal-load-balancer/m-p/1226723#M2365</guid>
      <dc:creator>Carleton</dc:creator>
      <dc:date>2025-04-16T14:58:15Z</dc:date>
    </item>
  </channel>
</rss>

