Azure AppGateway thinks VM Series firewall is unhealthy

rajindersingh — Sat, 22 Sep 2018 21:50:29 GMT

I am implementing this scenrio

https://github.com/PaloAltoNetworks/azure-applicationgateway

Here is the flow of traffic

internet->App Gateway(public ip)->VM Series-> ILB->Web Servers(4)

I only have 1 firewall appliance for now.

Azure application gateway connects with Palo Alto VM Series over port 80.

Application gateway keeps on thinking that firewall VM is unhealthy.

There is no custom probe configured in the template above.

So it expects HTTP 200 but is not getting it.

AppGateway only supports HTTP and HTTPS in the backend.

Perhaps this error is due to missing configuration in the firewall.

What type of configuration do I need to do in the firewall to return valid response over port 80 so it appears healthy to app gateway.

I have define UnTrust and Trust zones

I have configured the Interfaces

I have configured NAT with a static route.

I created a linux VM in the same subnet as the internal load balancer and web servers.

I can curl successfully to the website and get HTTP 200.

I have verified that VM Series firewall VM does allow

What needs to happen in the firewall VM it it respond with http 200 to the health checks from application gateway?

Thanks

Re: Azure AppGateway thinks VM Series firewall is unhealthy

jperry1 — Tue, 23 Oct 2018 16:12:31 GMT

If this is a default build in Github then you should be able to reach out to Palo Alto NEtworks TAC for support. The GitHub Read me page will list the support policy of whether the GitHub template you are deploying is community supported or Officially TAC supported.

topic Re: Azure AppGateway thinks VM Series firewall is unhealthy in VM-Series in the Public Cloud

Azure AppGateway thinks VM Series firewall is unhealthy

Re: Azure AppGateway thinks VM Series firewall is unhealthy