topic Re: Public Web Server, Secondary IP Address, and Loopback Interface in General Topics

Public Web Server, Secondary IP Address, and Loopback Interface

cdpeek — Thu, 02 Jan 2020 15:55:42 GMT

We have a VM-100 running 9.0.3.xfr to do some testing. This is currently setup on AWS, and we are trying to support traffic for multiple public web server's being sent through the firewall. There are the three standard zones and network interfaces (Untrusted, Trusted, and Management). The Untrusted has a public IP (Elastic IP) and internal subnet IP (AWS does the NAT for this).

A secondary IP address was created (different public IP NAT'd by AWS to different internal subnet IP) for the first public web server, and attached to the same network interface as the Untrusted. Additionally, this secondary IP address has to be NAT'd using the firewall's NAT Policy to direct it to the internal web server IP.

This knowledgebase article (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSDCA0) suggested the preferred way was to setup the secondary IP as a loopback, apply a different security zone, and then security policies could be written using this additional security zone assigned via the loopback interface. This was done with an additional security zone called Public Web.

The only way I can get it to work is with a NAT policy configured in a way that changes the security zone from Public Web to Untrusted (which happens first). Then all of the Security Policy rules cannot use the Public Web security zone, and can only use the Untrusted zone.

Is there a way to do what is described in the article? Am I missing something from the article?

Re: Public Web Server, Secondary IP Address, and Loopback Interface

cdpeek — Fri, 03 Jan 2020 17:44:22 GMT

So I spoke with support, and received further information. The general summation is that the loopback interfaces work differently on the VM series (virtual firewalls) as compared to hardware firewalls. The article was written for a hardware firewall.

Support explained that the loopback interface on the VM series in a cloud environment does not handle packets in the same way. The cloud provider infrastructure knows nothing of the loopback interface nor it's routing. Using a loopback interface in the VM series does not allow you to change the security zone as described in the article.

Support Summary:

This is specifically written for a hardware firewall which can perform an internal route lookup to find which interface an IP range is attached to, and leverage proxy arp to respond to ARP requests for IP addresses configured in NAT on the interface. This technique makes the configured IP address available to outside hosts trying to reach it while not being physically configured on the interface.

VM has two part of the interface/zone configuration, one on Firewall itself and corresponding interface association in AWS side. If you just configure a loopback, AWS does not know about this interface, hence the route lookup may fail.

Re: Public Web Server, Secondary IP Address, and Loopback Interface

NahushRajgor — Thu, 11 Jan 2024 01:19:22 GMT

so, are you saying the solution is to:

1. configure a Pub. <-> Private IP mapping in AWS on its External interface.

2. on PA VM configure Lo. in same zone as where the Ext. interface (or Outside in terms of FW) is defined

3. Create a Sec. policy for access to this Lo. as per requirement.

is this the solution then?