https://live.paloaltonetworks.com/t5/cloud-ngfw-for-aws-discussions/inbound-inspection/m-p/560047#M422 <P>Hello,</P> <P>&nbsp;</P> <P>I have a question regarding inbound inspection in centralised model using Palo Alto Cloud NGFW, which was described here.</P> <P>I'm focusing on the&nbsp;<I><SPAN>Figure 11: Cloud NGFW is deployed to protect inbound traffic to a VPC (Single AZ).</SPAN></I></P> <P>&nbsp;</P> <P>In this architecture, the&nbsp;<STRONG>Application Load Balancer</STRONG> was deployed in central Security Account. My assumption is that you can bind multiple domains to the same ALB and route traffic to different internal web-server (i.e. example.com, example2.com), based on the host-header feature provided by the ALB. So far so good.&nbsp;</P> <P>&nbsp;</P> <P>But what if I want to provide inspection to services that are not working on HTTP/HTTPs protocols, i.e SFTP, FTP, SSH (and many others)? My first thought was to deploy another subnet in the central Security Account with Network Load Balancer. NLB works on layer 3/4, so it's not understanding host headers. Solution for that would be to create listeners on different ports and bind them to appropriate target groups, i.e:</P> <P>- 222 NLB -&gt; 22 (internal sftp-server-1)</P> <P>- 223 NLB -&gt; 22 (internal sftp-server-2).</P> <P>&nbsp;</P> <P>Is this viable solution or is there any other way to handle multiple services via the same central NLB?&nbsp;</P> <P>Regards</P> <P>&nbsp;</P> Fri, 29 Sep 2023 14:32:34 GMT wilm25 2023-09-29T14:32:34Z https://live.paloaltonetworks.com/t5/cloud-ngfw-for-aws-discussions/inbound-inspection/m-p/560047#M422 <P>Hello,</P> <P>&nbsp;</P> <P>I have a question regarding inbound inspection in centralised model using Palo Alto Cloud NGFW, which was described here.</P> <P>I'm focusing on the&nbsp;<I><SPAN>Figure 11: Cloud NGFW is deployed to protect inbound traffic to a VPC (Single AZ).</SPAN></I></P> <P>&nbsp;</P> <P>In this architecture, the&nbsp;<STRONG>Application Load Balancer</STRONG> was deployed in central Security Account. My assumption is that you can bind multiple domains to the same ALB and route traffic to different internal web-server (i.e. example.com, example2.com), based on the host-header feature provided by the ALB. So far so good.&nbsp;</P> <P>&nbsp;</P> <P>But what if I want to provide inspection to services that are not working on HTTP/HTTPs protocols, i.e SFTP, FTP, SSH (and many others)? My first thought was to deploy another subnet in the central Security Account with Network Load Balancer. NLB works on layer 3/4, so it's not understanding host headers. Solution for that would be to create listeners on different ports and bind them to appropriate target groups, i.e:</P> <P>- 222 NLB -&gt; 22 (internal sftp-server-1)</P> <P>- 223 NLB -&gt; 22 (internal sftp-server-2).</P> <P>&nbsp;</P> <P>Is this viable solution or is there any other way to handle multiple services via the same central NLB?&nbsp;</P> <P>Regards</P> <P>&nbsp;</P> Fri, 29 Sep 2023 14:32:34 GMT https://live.paloaltonetworks.com/t5/cloud-ngfw-for-aws-discussions/inbound-inspection/m-p/560047#M422 wilm25 2023-09-29T14:32:34Z