https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/active-active-gateways-in-azure-and-panorama/m-p/338417#M878 <P>For your outbound flows, you can just configure a Panorama based NAT policy that uses a source translation that references the egress interface.</P><P>&nbsp;</P><P>If for some other reason a NAT policy needs to be different on each firewall in the LB pair you could just use rule targets.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="claudec_0-1594732907673.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26769iB5A9E27A561CE5ED/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="claudec_0-1594732907673.png" alt="claudec_0-1594732907673.png" /></span></P><P>&nbsp;</P> Tue, 14 Jul 2020 13:23:06 GMT claudec 2020-07-14T13:23:06Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/active-active-gateways-in-azure-and-panorama/m-p/338324#M877 <P>I have two gateways in Azure operating as an active/active pair. They use the load balancer sandwich topology. I'd like to manage the pair from Panorama. Having a shared policy appears to be difficult.&nbsp; The two can share a security policy easily enough. But the rules in a NAT policy reference IP addresses specific to a firewall. Example; a source nat which uses the egress interface (and IP) of a gateway.</P><P>Do I need to use individual templates/device-groups/policies in Panorama? Or is there a way for the two gateways to share a policy?</P><P>&nbsp;</P><P>EDIT: I can set variables in a template in Panorama and set the value of those variables for a specific device. Variables can then be used for things like interface IP addresses and route tables. However i dont seem to be able to use a variable as the IP address in a NAT rule.</P><P>Thanks Claudec. If i set the interface ip to 'none' on the source nat (interface) rule, the rule still works fine.</P> Wed, 15 Jul 2020 02:12:16 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/active-active-gateways-in-azure-and-panorama/m-p/338324#M877 JimMcGrady 2020-07-15T02:12:16Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/active-active-gateways-in-azure-and-panorama/m-p/338417#M878 <P>For your outbound flows, you can just configure a Panorama based NAT policy that uses a source translation that references the egress interface.</P><P>&nbsp;</P><P>If for some other reason a NAT policy needs to be different on each firewall in the LB pair you could just use rule targets.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="claudec_0-1594732907673.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26769iB5A9E27A561CE5ED/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="claudec_0-1594732907673.png" alt="claudec_0-1594732907673.png" /></span></P><P>&nbsp;</P> Tue, 14 Jul 2020 13:23:06 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/active-active-gateways-in-azure-and-panorama/m-p/338417#M878 claudec 2020-07-14T13:23:06Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/active-active-gateways-in-azure-and-panorama/m-p/338455#M879 <P>The firewalls can be apart of the same Device Group and Template Stack.&nbsp;</P><P>&nbsp;</P><P>For inbound NAT policies, the set the source interface to the untrust NIC and the destination address to "any".&nbsp; The DNAT address must be set to dynamic-destination-translation.&nbsp;&nbsp;</P><P>&nbsp;</P><P>The example below has 2 inbound DNAT policies (jump-server and web-server) and 1 outbound SNAT (for outbound internet).&nbsp; Ethernet1/1 is untrust and Ethernet1/2 is trust.&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screen Shot 2020-07-14 at 12.27.39 PM.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26777i5F27F340207D9AC0/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screen Shot 2020-07-14 at 12.27.39 PM.png" alt="Screen Shot 2020-07-14 at 12.27.39 PM.png" /></span></P><P>&nbsp;</P><P>(Optional &amp; only if using Azure's public load balancer):&nbsp; If you enable "Floating IP" on the load balancing rule, the original packet's destination address can be set to the load balancer's public IP.&nbsp; This is useful if you have multiple applications that share the same port.&nbsp;&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2020-07-14 at 12.40.38 PM.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26778i88F89B839BF0150F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screen Shot 2020-07-14 at 12.40.38 PM.png" alt="Screen Shot 2020-07-14 at 12.40.38 PM.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 14 Jul 2020 16:43:20 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/active-active-gateways-in-azure-and-panorama/m-p/338455#M879 mmclimans 2020-07-14T16:43:20Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/active-active-gateways-in-azure-and-panorama/m-p/541629#M1882 <P>I don't understand how you d-nat for entire ip address range....whats the purpose of using public load balancer if you have to define sources and ports for all things?</P> Wed, 10 May 2023 00:36:39 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/active-active-gateways-in-azure-and-panorama/m-p/541629#M1882 S_Williams901 2023-05-10T00:36:39Z