Inbound Inspection




I have a question regarding inbound inspection in a centralised model using Palo Alto Cloud NGFW, which was described here.

I'm focusing on Figure 11: Cloud NGFW is deployed to protect inbound traffic to a VPC (Single AZ).


In this architecture, the Application Load Balancer was deployed in the central Security Account. My assumption is that you can bind multiple domains to the same ALB and route traffic to different internal web servers (i.e., based on the host-header feature provided by the ALB). So far so good.


But what if I want to provide inspection for services that do not work over the HTTP/HTTPS protocols, i.e. SFTP, FTP, SSH (and many others)? My first thought was to deploy another subnet in the central Security Account with a Network Load Balancer. NLB works on layer 3/4, so it does not understand host headers. A solution for that would be to create listeners on different ports and bind them to appropriate target groups, i.e.:

- 222 NLB -> 22 (internal sftp-server-1)

- 223 NLB -> 22 (internal sftp-server-2).


Is this a viable solution, or is there any other way to handle multiple services via the same central NLB?
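
The port-per-service mapping sketched in the post, written out as a Terraform configuration. This is an added example, not part of the original post or of the referenced architecture guide; the variable names, resource names and backend IPs are constructed, and it assumes the backends sit in VPCs other than the NLB's and are registered by IP address.

```hcl
# Added example. All names and IP addresses below are constructed.
variable "vpc_id" { type = string }               # VPC that holds the NLB (assumed)
variable "nlb_subnet_ids" { type = list(string) } # NLB subnet(s) (assumed)

locals {
  # NLB listener port => backend. Every backend listens on 22, as in the post.
  sftp_backends = {
    "222" = { name = "sftp-server-1", ip = "10.1.0.10" } # constructed IP
    "223" = { name = "sftp-server-2", ip = "10.2.0.10" } # constructed IP
  }
}

resource "aws_lb" "inbound" {
  name               = "central-inbound-nlb"
  load_balancer_type = "network"
  subnets            = var.nlb_subnet_ids
}

# One TCP target group per backend service.
resource "aws_lb_target_group" "sftp" {
  for_each    = local.sftp_backends
  name        = each.value.name
  port        = 22
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = var.vpc_id
}

resource "aws_lb_target_group_attachment" "sftp" {
  for_each         = local.sftp_backends
  target_group_arn = aws_lb_target_group.sftp[each.key].arn
  target_id        = each.value.ip
  port             = 22
  # Needed when the target IP is outside the NLB's VPC (the assumption here).
  availability_zone = "all"
}

# One listener per exposed port, each forwarding to its own target group.
resource "aws_lb_listener" "sftp" {
  for_each          = local.sftp_backends
  load_balancer_arn = aws_lb.inbound.arn
  port              = tonumber(each.key)
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.sftp[each.key].arn
  }
}
```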


