- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
03-05-2024 11:23 AM - edited 03-05-2024 11:33 AM
Deployed a NGFW deployment for a customer. Using the VNet deployment, not VWAN. Everything is green (DG and Template) and healthy from the Panorama aspect.
We have created a UDR in a test application VNET, that points only a default route to the NGFW firewalls.
East/West connectivity works great. We are also able to access everything across the expressroute as well.
However, when we trying to ping or curl a website from the test application linux VM from above, we are not able too. The really weird thing is that we do not see ANY logs in Panorama for this connection. We overwrote the default rules, so we could log all traffic, allowed or denied. The Source NAT is configured in the Azure portal.
We deployed a second VNet, same issue. There are no NSGs applied to the VM NICS. UDR is good, confirmed via Network Watcher connection testing. I am at a complete loss on this.
Also, when opening a ticket on this, do we open it with Microsoft or Palo first (or just do both).
Edit: I confirmed outbound works directly from the VM when I change the UDR to Internet just to validate nothing is wrong with the VM.
03-12-2024 12:25 AM
Had an similair or same issue.
Traffic north sound started working after i placed an Networks security group on the NGFW SAAS Private subnet.
The NSG did need an inbound rule from virtualnetwork to Internet -> allow gave it an any any....
03-05-2024 10:52 PM
Hi @GraysonDenny ,
Can you access the local firewall and see if there are any logs? Have you assigned Azure Public IP Adresses on network interface of Palo-vm?
03-06-2024 09:48 AM
You can't access the firewalls locally, these are the SaaS firewalls, where "I" don't have access to them.
Public IP's are on them.
03-12-2024 12:25 AM
Had an similair or same issue.
Traffic north sound started working after i placed an Networks security group on the NGFW SAAS Private subnet.
The NSG did need an inbound rule from virtualnetwork to Internet -> allow gave it an any any....
03-19-2024 09:15 AM
This was indeed my issue. According to the Palo documentation, when the SaaS firewalls get deployed in the Azure Portal, the template is supposed to deploy the NSGs and attach them to the private subnet. However, that is not the case, Azure does not deploy the required NSGs like documentation suggests. So would be nice if someone from Palo could add that to the deployment guide, because no where does it mention that, that I can find.
05-08-2024 01:10 PM
Does anyone find the fix for this issue ? am having an similar issue where we are unable to access the internet via Cloud NGFW and no traffic seen on Panorama and no hits on the policy and SNAT
08-22-2024 06:44 AM - edited 08-22-2024 06:45 AM
@GraysonDenny
You mean to tell me that a NSG HAS to be deployed to the vnets in question in order for this to work? So there must be some qualification in the background in Azure itself in order to get this to work?
Doesn't traffic in Azure vnets just flow with a base NSG either way- Even if you didnt have a palo firewall installed, doesn't a vnet get a "default" nsg that azure just assigns in the background that is basically Any Any?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!