Azure - no traffic to untrust public ip

L1 Bithead

I've followed the instructions here and can't get traffic to my untrust public IP: https://www.paloaltonetworks.com/documentation/71/virtualization/virtualization/set-up-the-vm-series...

 

I'm using the Azure BYOL template (version 8.1) and can see my PA interfaces getting the proper Azure NIC IPs as the document describes. I then set up a public IP for that untrust NIC and tried creating a GlobalProtect gateway and portal, but cannot get any traffic to the public IP to view the GP portal. I've tried just about everything I can think of, even making sure "firewalls" are all basically wide open.

 

Basically, I'm just trying to set up a basic VPN from the internet to an existing VNET; I don't understand the need for trust and untrust. I basically just want one external IP that users connect to, which then assigns them an IP and routes into my Azure VNET. Any help appreciated.

L5 Sessionator

Re: Azure - no traffic to untrust public ip

Can you make sure IP forwarding is enabled on Eth1 which would be the Untrust interface on the firewall in Azure?

 

IPForwarding.PNG

L1 Bithead

Re: Azure - no traffic to untrust public ip

It is enabled. I don't think I set those, so I believe they were set by the ARM template. Both trust and untrust interfaces have IP forwarding enabled.

 

I think the issue is NAT related. I can see the expected packets in the "drop" packet capture log.

L5 Sessionator

Re: Azure - no traffic to untrust public ip

Please provide a link to that template from GitHub, or tell me where you received this template.

L1 Bithead

Re: Azure - no traffic to untrust public ip

To be honest, I'm not sure exactly which template is used. When selecting the VM-Series Next Generation Firewall (BYOL) in the marketplace, it only says this: 

 

Documentation and sample ARM templates: http://azure.paloaltonetworks.com

 

However, not much is mentioned on that site.

 

I would imagine the templates are here. However, I'm not sure exactly which one is used.

 

https://github.com/PaloAltoNetworks/azure

 

I do see that this one has IP forwarding enabled: https://github.com/PaloAltoNetworks/azure/blob/master/vmseries-test-drive/main-template.json#L320

L5 Sessionator

Re: Azure - no traffic to untrust public ip

The link you sent me takes me to the Test Drive registration page. Is this a test drive? If so, which one did you register for specifically? I'm not familiar with the Test Drives, but the more I know about it, the better I can direct you to the appropriate party.

 

Did you launch via the Azure deploy button on GitHub? How was this BYOL template launched? If it is a test drive, does it list how to get assistance within the test drive?

L5 Sessionator

Re: Azure - no traffic to untrust public ip

Try this in the meantime:

 

1. Go to the interface, go to the DHCP options, and uncheck the option to automatically add the default gateway.

2. Do this for both Trust and Untrust.

3. Go into the virtual router and statically add the default gateway for both the trust and untrust interfaces. They should point to .1 of the subnet that is assigned to the interface via DHCP.

L1 Bithead

Re: Azure - no traffic to untrust public ip

Sorry for the confusion. I used the Azure marketplace version of the VM series, not the "deploy" button from github. I'm assuming they're similar. I'm not sure of the actual template that was used.

L1 Bithead

Re: Azure - no traffic to untrust public ip

This was it, thank you! I knew something seemed wrong with all of this. The documentation needs to reflect the fact that the untrust and trust interfaces that obtain their IPs via DHCP don't have a default gateway.

 

The instructions do mention to uncheck the option to add the default gateway, but even checking those doesn't work (one of my attempts to get things working was to try that, to no avail).

 

For future generations (in case the original document isn't updated).

 

Go into the Palo Alto web interface --> Network --> Virtual Routers --> default

 

Static Routes --> add:

 

Destination: 0.0.0.0/0

Interface: ethernet1/1

Next Hop: IP Address and specify the .1 like @jperry1 mentioned (typically you have .4 assigned to the VM by Azure).

(e.g. machine got 10.2.1.4, use 10.2.1.1 as the next hop).

 

---------

 

Now to figure out how to get a GlobalProtect agent installer so that when someone tries to click the download in the portal, they don't get "errors.txt" to download...

 

L5 Sessionator

Re: Azure - no traffic to untrust public ip

 

Thanks for the update. Unless we go into the interface and check that we want to receive a default gateway on the interface, it will not provide one. Only the management interface will receive one by default.

That being said, that is usually part of the config process on the PAN for interfaces to receive DHCP.

There may be a weird occurrence where the interfaces receive a 168 for the default gateway instead of the default gateway of .1. I have seen that before, in which case I have to manually add the route in the virtual router. But you should be able to check the DHCP option to add the default route, and for the most part that will work. Thanks again and take care.
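As an added example (not from any poster or from Palo Alto Networks), the fix described in the two posts above, generalized: derive the Azure subnet's .1 gateway from the interface's DHCP address, fall back to it when DHCP supplied no gateway or one outside the subnet (the "168" case), and emit the equivalent PAN-OS CLI commands. The CLI syntax for `dhcp-client create-default-route` and `static-route ... nexthop ip-address` is assumed from memory, not taken from the thread.

```python
"""Pick the next hop for a PAN-OS data interface in Azure and build the
static-route CLI that mirrors the GUI steps in the thread."""
import ipaddress
from typing import List, Optional, Tuple


def azure_default_gateway(iface_cidr: str) -> str:
    """Azure uses the first usable host address of every subnet as the
    gateway, so an interface at 10.2.1.4/24 should route via 10.2.1.1."""
    net = ipaddress.ip_interface(iface_cidr).network
    return str(net.network_address + 1)


def choose_next_hop(iface_cidr: str, dhcp_gateway: Optional[str]) -> Tuple[str, str]:
    """Return (next_hop, reason). The subnet .1 wins whenever DHCP handed out
    nothing or an address outside the interface subnet, e.g. 168.63.129.16,
    which is Azure's platform address and not a usable next hop."""
    net = ipaddress.ip_interface(iface_cidr).network
    expected = azure_default_gateway(iface_cidr)
    if dhcp_gateway is None:
        return expected, "no default gateway learned via DHCP; using subnet .1"
    learned = ipaddress.ip_address(dhcp_gateway)
    if learned not in net:
        return expected, f"DHCP gateway {learned} is outside {net}; using subnet .1"
    return str(learned), "DHCP gateway is inside the subnet; usable as-is"


def static_route_commands(route_name: str, interface: str, next_hop: str,
                          virtual_router: str = "default") -> List[str]:
    """Assumed PAN-OS CLI equivalents of: uncheck 'create default route' on the
    interface's DHCP client, then add 0.0.0.0/0 in the virtual router."""
    return [
        f"set network interface ethernet {interface} layer3 dhcp-client "
        f"create-default-route no",
        f"set network virtual-router {virtual_router} routing-table ip static-route "
        f"{route_name} destination 0.0.0.0/0 interface {interface} "
        f"nexthop ip-address {next_hop}",
    ]


if __name__ == "__main__":
    # Constructed sample: untrust ethernet1/1 got 10.2.1.4/24 and a 168.x gateway.
    hop, reason = choose_next_hop("10.2.1.4/24", "168.63.129.16")
    print(reason)
    for cmd in static_route_commands("untrust-default", "ethernet1/1", hop):
        print(cmd)
```

Run the same two calls for the trust interface (ethernet1/2 with its own subnet) to get the second route the thread says is needed.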
