<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Palo VM300 Azure routing issues? in VM-Series in the Public Cloud</title>
    <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-vm300-azure-routing-issues/m-p/230896#M421</link>
    <description/>
    <pubDate>Fri, 14 Sep 2018 17:56:57 GMT</pubDate>
    <dc:creator>BeyondPalo</dc:creator>
    <dc:date>2018-09-14T17:56:57Z</dc:date>
    <item>
      <title>Palo VM300 Azure routing issues?</title>
      <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-vm300-azure-routing-issues/m-p/230878#M419</link>
      <description>&lt;P&gt;Working with a Palo VM300 series in Azure and have some issues that I just can't figure out...&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have the VM inside of a 10.x.x.x/16 subnet. 1 subnet (10.x.x.x/24) carved for each of the interfaces (trusted, un, mngmt) and 4 more subnets for various other VMs and such. We have UDRs set up for all 3 interfaces as well as a UDR set up for the other subnets. The plan is to push all traffic in, out, and between subnets through this single Palo unit.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have 2 virtual routers built out; 1 for trusted, and 1 for untrusted interface. Trusted VR receives traffic internal and pushes internet traffic to the Untrust VR, and all traffic meant for subnet cross traffic is supposed to be forwarded to the Trust interface gateway and then should get to the correct subnet (barring any rules).&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What we see is when trying a ping; the ICMP is allowed through the rules, but then ages out so no reply back from the second VM. I believe there's an issue in these VRs but I can't seem to track it down. I've seen a lot of docs showing that Palo can be run in 1 vnet/multiple subnets with 1 interface but not really sure how this works. My only other FW experience is SonicWall so 1 port 1 zone makes sense but the 1 port many zones sure doesn't.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Anyone know what to look for in either the Palo or Azure? I'm really not even sure the Azure UDRs are correct but everything I've read points to them being right (Palo documentation and online forums) so really I'm kinda at a brick wall on where to go next. Hopefully all of this makes sense as this is my first rodeo working with Palo and Azure.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Fri, 14 Sep 2018 16:50:23 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-vm300-azure-routing-issues/m-p/230878#M419</guid>
      <dc:creator>BeyondPalo</dc:creator>
      <dc:date>2018-09-14T16:50:23Z</dc:date>
    </item>
    <item>
      <title>Re: Palo VM300 Azure routing issues?</title>
      <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-vm300-azure-routing-issues/m-p/230894#M420</link>
      <description>&lt;P&gt;Question 1. Is there a particular reason that you are using two separate VRs?&lt;/P&gt;
&lt;P&gt;If not, I am not a fan of unnecessary complexity, but if you have a valid reason then please feel free.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you use a VR you have to be sure to route traffic between VRs correctly by using the "Next VR" setting etc. or you could have a black hole.&amp;nbsp;&lt;/P&gt;
</description>
      <pubDate>Fri, 14 Sep 2018 17:45:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-vm300-azure-routing-issues/m-p/230894#M420</guid>
      <dc:creator>jperry1</dc:creator>
      <dc:date>2018-09-14T17:45:14Z</dc:date>
    </item>
    <item>
      <title>Re: Palo VM300 Azure routing issues?</title>
      <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-vm300-azure-routing-issues/m-p/230896#M421</link>
      <description>&lt;P&gt;We are a small company right now and don't have a full time Network Engineer/Admin/etc. so there's 2 of us that are trying to make all of this work with a consultant. The consultant built 2 VRs as I assume for some sort of extra security but I don't understand what they really do. I assume they are similar to say a SonicWall's route section; just done in something called Virtual routers but I can't be sure (the different lingo Palo uses is confusing to me as well but that's no biggie).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here's the Trust VR settings:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="trustVR.PNG" style="width: 800px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16646iCE8063E893B75CA9/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="trustVR.PNG" alt="trustVR.PNG" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This looks like it shunts all internet traffic over to the Untrust interface VR to handle, and then shunts all inter-subnet traffic to the gateway that the Trust interface is attached to. I would assume that gateway would know where the other subnets are once traffic hits that but it looks like we're missing something somewhere as traffic just dies at some point..&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Maybe we are missing routes? I understand Palo can do all this with 1 interface as we've been thinking about dropping extra NICs on the VM into each subnet to see if that helps but would hate to do that since it's not what Palo docs say for this type of setup.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Fri, 14 Sep 2018 17:56:57 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-vm300-azure-routing-issues/m-p/230896#M421</guid>
      <dc:creator>BeyondPalo</dc:creator>
      <dc:date>2018-09-14T17:56:57Z</dc:date>
    </item>
    <item>
      <title>Re: Palo VM300 Azure routing issues?</title>
      <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-vm300-azure-routing-issues/m-p/230897#M422</link>
      <description>&lt;P&gt;Are you using Azure load balancers in this scenario?&lt;/P&gt;
&lt;P&gt;Also if you can go to your CLI and run the command&lt;/P&gt;
&lt;P&gt;&amp;gt;show routing route&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Paste the output&lt;/P&gt;</description>
      <pubDate>Fri, 14 Sep 2018 18:50:22 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-vm300-azure-routing-issues/m-p/230897#M422</guid>
      <dc:creator>jperry1</dc:creator>
      <dc:date>2018-09-14T18:50:22Z</dc:date>
    </item>
    <item>
      <title>Re: Palo VM300 Azure routing issues?</title>
      <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-vm300-azure-routing-issues/m-p/230903#M423</link>
      <description>&lt;P&gt;We are not using any load balancers right now.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;After running the command provided here's what I see:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="routepalo.PNG" style="width: 800px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16650i63F2D9BAC983397E/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="routepalo.PNG" alt="routepalo.PNG" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Fri, 14 Sep 2018 19:04:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-vm300-azure-routing-issues/m-p/230903#M423</guid>
      <dc:creator>BeyondPalo</dc:creator>
      <dc:date>2018-09-14T19:04:07Z</dc:date>
    </item>
    <item>
      <title>Re: Palo VM300 Azure routing issues?</title>
      <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-vm300-azure-routing-issues/m-p/230918#M424</link>
      <description>&lt;P&gt;Your untrust VR needs to have routes for "NextVR" in order to understand how to get back to the 10.x.x.x networks.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 14 Sep 2018 20:10:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-vm300-azure-routing-issues/m-p/230918#M424</guid>
      <dc:creator>jperry1</dc:creator>
      <dc:date>2018-09-14T20:10:03Z</dc:date>
    </item>
    <item>
      <title>Re: Palo VM300 Azure routing issues?</title>
      <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-vm300-azure-routing-issues/m-p/231242#M425</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I second&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/2533"&gt;@jperry1&lt;/a&gt;'s&amp;nbsp;recommendation of a single VR, unless there is an absolutely compelling reason to use multiple. Especially for a small shop such as yours. The simpler it is set up, the easier it will be on you to manage it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;</description>
      <pubDate>Tue, 18 Sep 2018 15:51:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/palo-vm300-azure-routing-issues/m-p/231242#M425</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2018-09-18T15:51:31Z</dc:date>
    </item>
  </channel>
</rss>

