Palo VM300 Azure routing issues?

L1 Bithead

Palo VM300 Azure routing issues?

Working with a Palo VM300 series in Azure and have some issues that I just can't figure out... 

 

We have the VM inside of a 10.x.x.x/16 subnet. 1 subnet (10.x.x.x/24) carved for each of the interfaces (trusted, un, mngmt) and 4 more subnets for various other VMs and such. We have UDRs setup for all 3 interfaces as well as a UDR setup for the other subnets. The plan is to push all traffic in, out, and between subnets through this single Palo unit. 

 

We have 2 virtual routers built out; 1 for trusted, and 1 for untrusted interface. Trusted VR receives traffic internal and pushes internet traffic to the Untrust VR, and all traffic meant for subnet cross traffic is supposed to be forwarded to the Trust interface gateway and then should get to the correct subnet (barring any rules). 

 

What we see is when trying a ping; the icmp is allowed through the rules, but then ages out so no reply back from the second VM. I believe there's an issue in these VRs but I can't seem to track it down. I've seen a lot of docs showing that Palo can be run in 1 vnet/multiple subnets with 1 interface but not really sure how this works. My only other FW experience is SonicWall so 1 port 1 zone makes sense but the 1 port many zones sure doesn't.

 

Anyone know what to look for in either the Palo or Azure? I'm really not even sure the Azure UDRs are correct but everything I've read points to them being right (Palo documentation and online forums) so really I'm kinda at a brick wall on where to go next. Hopefully all of this makes sense as this is my first rodeo working with Palo and Azure.

 

Thanks

L5 Sessionator

Re: Palo VM300 Azure routing issues?

Question 1. Is there a particular reason that you are using two separate VRs?

If not I am not a fan for unecessary complexity but if you have a valid reason then please feel free. 

If you use a VR you have to be sure to route traffic between VR's correctly by using the "Next VR" setting etc or you could have a black hole. 

 

 

L1 Bithead

Re: Palo VM300 Azure routing issues?

We are a small company right now and don't have a full time Network Engineer/Admin/etc. so there's 2 of us that are trying to make all of this work with a consultant. The consultant built 2 VRs as I assume for some sort of extra security but I don't understand what they really do. I assume they are similar to say a SonicWall's route section; just done in something called Virtual routers but I can't be sure (the different lingo Palo uses is confusing to me as well but that's no biggie).

 

Here's the Trust VR settings:

 

trustVR.PNG

 

This looks like it shunts all internet traffic over to the Untrust interface VR to handle, and then shunts all inter-subnet traffic to the gateway that the Trust interface is attached to. I would assume that gateway would know where the other subnets are once traffic hits that but it looks like we're missing something somewhere as traffic just dies at some point.. 

 

Maybe we are missing routes? I understand Palo can do all this with 1 interface as we've been thinking about dropping extra NICs on the VM into each subnet to see if that helps but would hate to do that since it's not what Palo docs say for this type of setup.

 

Thanks!

L5 Sessionator

Re: Palo VM300 Azure routing issues?

Are you using Azure load balancers in this scenario?

Also if you can go to your CLI and run the command

>show routing route

 

Paste the output

L1 Bithead

Re: Palo VM300 Azure routing issues?

We are not using any load balancers right now. 

 

After running the command provided here's what I see:

 

routepalo.PNG

 

Thanks!

L5 Sessionator

Re: Palo VM300 Azure routing issues?

Your untrust VR needs to have routes for "NextVR" in order to understand how to get back to the 10.x.x.x networks. 

L7 Applicator

Re: Palo VM300 Azure routing issues?

Hello,

I second @jperry1 recommendation of a single VR, unless there is an absolutle compelling reason to use multiple. Especially for a small shop such as yours. The simpler it is setup the easier it will be on you to manage it.

 

Regards,

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!