topic Re: Azure NGFW VNet Deployment - No Outbound Internet Access in Cloud NGFW for Azure Discussions

Azure NGFW VNet Deployment - No Outbound Internet Access

GraysonDenny — Tue, 05 Mar 2024 19:33:33 GMT

Deployed a NGFW deployment for a customer. Using the VNet deployment, not VWAN. Everything is green (DG and Template) and healthy from the Panorama aspect.

We have created a UDR in a test application VNET, that points only a default route to the NGFW firewalls.

East/West connectivity works great. We are also able to access everything across the expressroute as well.

However, when we trying to ping or curl a website from the test application linux VM from above, we are not able too. The really weird thing is that we do not see ANY logs in Panorama for this connection. We overwrote the default rules, so we could log all traffic, allowed or denied. The Source NAT is configured in the Azure portal.

We deployed a second VNet, same issue. There are no NSGs applied to the VM NICS. UDR is good, confirmed via Network Watcher connection testing. I am at a complete loss on this.

Also, when opening a ticket on this, do we open it with Microsoft or Palo first (or just do both).

Edit: I confirmed outbound works directly from the VM when I change the UDR to Internet just to validate nothing is wrong with the VM.

Re: Azure NGFW VNet Deployment - No Outbound Internet Access

JayGolf — Wed, 06 Mar 2024 06:52:13 GMT

Hi @GraysonDenny ,

Can you access the local firewall and see if there are any logs? Have you assigned Azure Public IP Adresses on network interface of Palo-vm?

Re: Azure NGFW VNet Deployment - No Outbound Internet Access

GraysonDenny — Wed, 06 Mar 2024 17:48:24 GMT

You can't access the firewalls locally, these are the SaaS firewalls, where "I" don't have access to them.

Public IP's are on them.

Re: Azure NGFW VNet Deployment - No Outbound Internet Access

skorbee — Tue, 12 Mar 2024 07:25:34 GMT

Had an similair or same issue.

Traffic north sound started working after i placed an Networks security group on the NGFW SAAS Private subnet.

The NSG did need an inbound rule from virtualnetwork to Internet -> allow gave it an any any....

Re: Azure NGFW VNet Deployment - No Outbound Internet Access

GraysonDenny — Tue, 19 Mar 2024 16:15:43 GMT

This was indeed my issue. According to the Palo documentation, when the SaaS firewalls get deployed in the Azure Portal, the template is supposed to deploy the NSGs and attach them to the private subnet. However, that is not the case, Azure does not deploy the required NSGs like documentation suggests. So would be nice if someone from Palo could add that to the deployment guide, because no where does it mention that, that I can find.

Re: Azure NGFW VNet Deployment - No Outbound Internet Access

Karthikkumar — Wed, 08 May 2024 20:10:24 GMT

Does anyone find the fix for this issue ? am having an similar issue where we are unable to access the internet via Cloud NGFW and no traffic seen on Panorama and no hits on the policy and SNAT

Re: Azure NGFW VNet Deployment - No Outbound Internet Access

Sec101 — Thu, 22 Aug 2024 13:45:13 GMT

@GraysonDenny

You mean to tell me that a NSG HAS to be deployed to the vnets in question in order for this to work? So there must be some qualification in the background in Azure itself in order to get this to work?

Doesn't traffic in Azure vnets just flow with a base NSG either way- Even if you didnt have a palo firewall installed, doesn't a vnet get a "default" nsg that azure just assigns in the background that is basically Any Any?

Re: Azure NGFW VNet Deployment - No Outbound Internet Access

MP18 — Fri, 26 Dec 2025 17:12:13 GMT

@Sec101 We deployed Cloud NGFW in Azure and we were unable to see the Internet Traffic Inbound to the Cloud NGFW.

As per PA it use LB and we need to config NSG for Public Subnet to allow 443 traffic.

Agree there is no public documentation on it.

Regards