A customer configured a Palo firewall to work in Layer 2 mode to protect a VLAN. In that VLAN there are two servers in an MS NLB configuration. In the VLAN configuration on the Palo, a static MAC entry is configured for the virtual MAC address, but that entry isn't displayed with the show mac command. See attached picture and listing:
mkopcic@PA-4020> show mac Bridge_4-440 | match 02:bf:0a:0b:08:f8
The application (HTTP portal) works if the real IP addresses are used, but if the virtual IP address is used, the application is unreachable. Ping to the virtual IP address is working. On the Palo I captured dropped packets and saw that the Palo is dropping traffic to the NLB virtual address. See attached file.
Does anyone have idea why Palo is dropping traffic?
Traffic blocked on the Palo looks like this:
Source IPx, MACx -> Dest: IP virtual, MAC virtual SYN
Source: IP virtual, MAC real -> Dest: IPx, MACx SYN ACK
Does the Palo drop the session because it is getting the response from a different MAC address?
And why NLB works ok on virtual-wire configurations???
Thank you and regards,
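The SYN / SYN-ACK pair quoted in the post is the pattern to look for when checking whether a flow is MAC-asymmetric: the SYN goes to the NLB virtual MAC, the SYN-ACK comes back from a node's real MAC. The following is an added example (not from the original post or from Palo Alto Networks) that runs that check over constructed frames; the virtual MAC is the one quoted in the post, while the client/real MACs and all IP addresses are made up for the sample.

```python
from collections import defaultdict

# Constructed frames modelled on the asymmetry the post describes; not a real capture.
# The virtual MAC is the one quoted in the post; every other address is made up.
VIRTUAL_MAC = "02:bf:0a:0b:08:f8"
REAL_MAC = "00:50:56:aa:bb:cc"      # constructed: real NIC MAC of the NLB node that answered
CLIENT_MAC = "00:11:22:33:44:55"    # constructed
VIP = "10.11.8.248"                 # constructed, chosen to match the 0a:0b:08:f8 tail of the NLB MAC
CLIENT_IP = "10.11.8.50"            # constructed
REAL_SERVER_IP = "10.11.8.11"       # constructed: a node's real IP, for the well-behaved flow

FRAMES = [
    # (src_mac, dst_mac, src_ip, sport, dst_ip, dport, tcp_flags)
    # Flow 1: SYN to the virtual MAC, SYN-ACK from a real MAC (the pattern in the post)
    (CLIENT_MAC, VIRTUAL_MAC, CLIENT_IP, 51000, VIP, 80, "S"),
    (REAL_MAC,   CLIENT_MAC,  VIP,       80,    CLIENT_IP, 51000, "SA"),
    # Flow 2: reply comes from the MAC the SYN was addressed to (symmetric, should pass)
    (CLIENT_MAC, REAL_MAC,    CLIENT_IP, 51001, REAL_SERVER_IP, 80, "S"),
    (REAL_MAC,   CLIENT_MAC,  REAL_SERVER_IP, 80, CLIENT_IP, 51001, "SA"),
]


def flow_key(src_ip, sport, dst_ip, dport):
    """Direction-independent key so both halves of a TCP flow land in the same bucket."""
    a, b = (src_ip, sport), (dst_ip, dport)
    return (a, b) if a <= b else (b, a)


def find_mac_asymmetry(frames):
    """Return flows whose SYN-ACK source MAC differs from the MAC the SYN was sent to.

    For each SYN we remember which MAC the client addressed; when the matching
    SYN-ACK arrives we compare its source MAC against that. A mismatch is the
    pattern an L2 firewall that tracks the session by MAC may refuse to match.
    """
    syn_dst_mac = {}
    findings = []
    for src_mac, dst_mac, src_ip, sport, dst_ip, dport, flags in frames:
        key = flow_key(src_ip, sport, dst_ip, dport)
        if flags == "S":
            syn_dst_mac[key] = dst_mac
        elif flags == "SA" and key in syn_dst_mac:
            expected = syn_dst_mac[key]
            if src_mac.lower() != expected.lower():
                findings.append({
                    "client": f"{dst_ip}:{dport}",
                    "server_ip": src_ip,
                    "syn_sent_to_mac": expected,
                    "synack_from_mac": src_mac,
                })
    return findings


def summarize_by_server(findings):
    """Count asymmetric flows per server IP, to see whether only the VIP is affected."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["server_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_mac_asymmetry(FRAMES)
    for h in hits:
        print(f"{h['client']} -> {h['server_ip']}: SYN to {h['syn_sent_to_mac']}, "
              f"SYN-ACK from {h['synack_from_mac']}")
    print(summarize_by_server(hits))
```

To run this against a real capture, export the same seven fields per frame (for example with tshark's `-T fields` output) and feed them in place of FRAMES; if only flows to the virtual IP show up in the summary, the asymmetry between virtual and real MAC is the thing to fix in the firewall's MAC/ARP handling rather than in the application.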
We don't use our Palo Altos in L2 mode; but in L3 mode we need to place a static ARP entry mapping the NLB IP address through to the NLB MAC address on the firewalls.
This obviously isn't going to apply to an L2 firewall - but do you have a static ARP entry defined on whichever L3 router/devices that are on the same subnet as the NLB address and communicating with it?