topic Re: PA Azure no public traffic ingressing in VM-Series in the Public Cloud

PA Azure no public traffic ingressing

LukeBullimore — Thu, 31 Oct 2019 11:34:04 GMT

Hi Team,

I've set up a public load balancer, with its respective backend pool pointing to the firewalls untrust interfaces and a test load balancing rule, but no matter what, nothing is ingressing on our public interface! The weird thing is, the untrust interface the firewall has, also has a public IP attached to it, and I'm not seeing any generic scanner traffic ingressing on the untrust interface either?

I can ping from the outside interface to google, and vms within trust can also get out to the internet, so return traffic is working. The health probe status is also 100 for both firewalls. No NSGs attached.

Help!

Re: PA Azure no public traffic ingressing

jmeurer — Thu, 31 Oct 2019 12:16:21 GMT

Did you attach an NSG to the Untrust interface? When you assign a PIP to the interface an NSG is required even if it allows all traffic.

Re: PA Azure no public traffic ingressing

LukeBullimore — Thu, 31 Oct 2019 12:30:01 GMT

Hey @jmeurer

Didn't originally since I thought no NSG meant allow all. I've applied an allow-all one to the untrust interface now and I'm seeing traffic thats hitting the palos untrust public IP. but not the public ip of the load balancer, any ideas?

Re: PA Azure no public traffic ingressing

jmeurer — Thu, 31 Oct 2019 12:42:14 GMT

Are you seeing the Health probe traffic? Azure's LB does not easily report pool member status, you have to go to Metrics. The easiest way to determine if the Health Probes are working is to ensure you see the traffic in the FW Monitor/Session Browser and ensure it is completing.

Re: PA Azure no public traffic ingressing

LukeBullimore — Thu, 31 Oct 2019 13:54:05 GMT

Looking at the metrics, both firewalls are showing as 100% healthy.

The traffic is now coming from outside -> into the load balancer -> into the firewall -> we are sending it from the firewall to the test web server but if we do a pcap on the test web server, it doesn't see anything.

Re: PA Azure no public traffic ingressing

jmeurer — Thu, 31 Oct 2019 14:02:08 GMT

Assuming your SNAT/DNAT rules are correct, routes in the firewall send the traffic through proper interface to get to the internal site, Azure route tables and NSGs all correct, I believe you are at the point of reaching out to you Account SE and Support for further eyes on console diagnostics.

Re: PA Azure no public traffic ingressing

gangqu — Thu, 18 Jun 2020 12:24:47 GMT

We ran into this very same issue. The solution for us was to enable the "Floating IP" in the "load balancing rules" section in Azure.