topic Re: Public Inbound Traffic not hitting the firewall in VM-Series in the Public Cloud

Public Inbound Traffic not hitting the firewall

Abhijeet007 — Sat, 13 Jun 2020 17:32:45 GMT

Hi Team, I have set-up a Palo Alto appliance in Azure and i am trying to allow public access (RDP) to a server in Azure via the firewall. Here's what I have done:

Attached a public IP to the Untrust interface of the Firewall (NSG attached to allow all traffic)
Defined this Public IP in Untrust ethernet in the firewall
Defined a NAT and security policy to allow natting to the private IP and these are correct (tested via GUI and SSH)

Now, the issue is when I try to RDP to the public IP, the traffic is not even hitting the firewall. Need urgent help on this.

Thanks

Re: Public Inbound Traffic not hitting the firewall

claudec — Sat, 13 Jun 2020 19:00:49 GMT

The public IP should not be defined on the firewall. The firewall interfaces should be configured for DHCP and have static assignments from the trust/untrust VNETS.

You can optionally have the firewall learn the default route via DHCP or configure it statically.

Re: Public Inbound Traffic not hitting the firewall

Ezekoli — Sat, 13 Jun 2020 19:40:52 GMT

Hi,

Ensure that the protocol is set to TCP not UDP. Confirm the TCP port is 3389.

Thanks

Re: Public Inbound Traffic not hitting the firewall

Abhijeet007 — Sat, 13 Jun 2020 19:50:28 GMT

I have this set-up in HA, if I enable DHCP, I cannot define IPs there in the interface.

Re: Public Inbound Traffic not hitting the firewall

Abhijeet007 — Sat, 13 Jun 2020 19:51:09 GMT

It is set to any at this point. So, I don't think that should be the issue.

Re: Public Inbound Traffic not hitting the firewall

claudec — Sat, 13 Jun 2020 22:14:56 GMT

Traditional HA is not typically the preferred solution for high availability in the cloud.

That said, even with a traditional HA config, the public IP is not configured on the firewall. The interface IP addresses are from the directly connected subnets, including the IP that acts as the "floating" IP when the firewalls fail over.

The "floating" IP is a private/static IP defined in azure and configured as a secondary interface IP on the firewall. A public IP is then associated with this "floating" private IP in Azure.

Re: Public Inbound Traffic not hitting the firewall

Abhijeet007 — Sun, 14 Jun 2020 08:09:52 GMT

Got the trick. Although the way I defined the Public IP was correct. The Palo does not see the traffic with PIP, I changed the NAT and security policy to land to the Private IP on which the Public was defined and it worked.

Re: Public Inbound Traffic not hitting the firewall

claudec — Sun, 14 Jun 2020 15:36:57 GMT

That is correct. The only time, I recall, that the firewall will see the original, un-translated public destination IP is when you front end the firewall with a public standard load balancer and enable the "floating IP" option. In that configuration, you do reference the public IP associated with the load balancer in the NAT policy of the firewall.

It wasn't clear from your original post that you were attempting to use the public IP in your NAT rule so sorry for that assumption on my part.

When you associate a public IP to a private IP in Azure it handles the NAT. That is why you don't need a public IP configured on the management interface of the firewall, just like you don't need a public IP configured on the un-trust interface.