
Azure NGFW VNet Deployment - No Outbound Internet Access


L1 Bithead

Deployed an NGFW deployment for a customer. Using the VNet deployment, not VWAN. Everything is green (DG and Template) and healthy from the Panorama aspect.

We have created a UDR in a test application VNet that points only a default route to the NGFW firewalls.

East/West connectivity works great. We are also able to access everything across the ExpressRoute as well.

However, when we try to ping or curl a website from the test application Linux VM from above, we are not able to. The really weird thing is that we do not see ANY logs in Panorama for this connection. We overwrote the default rules so we could log all traffic, allowed or denied. The Source NAT is configured in the Azure portal.

We deployed a second VNet, same issue. There are no NSGs applied to the VM NICs. UDR is good, confirmed via Network Watcher connection testing. I am at a complete loss on this.

Also, when opening a ticket on this, do we open it with Microsoft or Palo first (or just do both)?

Edit: I confirmed outbound works directly from the VM when I change the UDR to Internet just to validate nothing is wrong with the VM.

1 accepted solution

Accepted Solutions

L0 Member

Had a similar or same issue.

Traffic northbound started working after I placed a network security group on the NGFW SaaS private subnet.

The NSG did need an inbound rule from VirtualNetwork to Internet -> Allow; I gave it an any/any....
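The fix described in this answer, written out as an added Az PowerShell example (not code from the thread, Palo Alto or Microsoft); resource group, VNet, subnet, NSG and NIC names are assumed, and the trailing checks show the effective route and NSG on the test VM NIC so you can confirm the UDR and the new NSG actually apply:

```powershell
# Added example. Assumed names: rg-ngfw, vnet-ngfw, snet-ngfw-private,
# nsg-ngfw-private, rg-app, nic-testvm. Requires the Az module and Connect-AzAccount.

$rg         = 'rg-ngfw'
$vnetName   = 'vnet-ngfw'
$subnetName = 'snet-ngfw-private'   # the Cloud NGFW private (trust-side) subnet
$nsgName    = 'nsg-ngfw-private'

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName

# The rule the accepted answer describes: inbound, VirtualNetwork -> Internet,
# any protocol/port, Allow. An NSG also carries the built-in default rules
# (AllowVnetInBound, AllowInternetOutBound, DenyAll...) that a subnet with no
# NSG attached does not have at all.
$rule = New-AzNetworkSecurityRuleConfig -Name 'allow-vnet-to-internet' `
    -Description 'Permit VNet-sourced traffic bound for the Internet via the NGFW' `
    -Access Allow -Protocol '*' -Direction Inbound -Priority 100 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
    -DestinationAddressPrefix Internet -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName `
    -Location $vnet.Location -SecurityRules $rule

# Associate the NSG with the private subnet and commit the VNet change.
$subnetCfg = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet `
    -AddressPrefix $subnetCfg.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Checks from the test VM side: the default route must point at the NGFW as a
# VirtualAppliance next hop, and the effective NSG list shows what really applies.
Get-AzEffectiveRouteTable -NetworkInterfaceName 'nic-testvm' -ResourceGroupName 'rg-app' |
    Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' } |
    Format-Table Source, State, AddressPrefix, NextHopType, NextHopIpAddress
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'nic-testvm' -ResourceGroupName 'rg-app' |
    Select-Object -ExpandProperty NetworkSecurityGroup
```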


6 Replies

Community Team Member

Hi @GraysonDenny ,

 

Can you access the local firewall and see if there are any logs? Have you assigned Azure Public IP Addresses on the network interface of the Palo VM?

LIVEcommunity team member
Stay Secure,
Jay

You can't access the firewalls locally; these are the SaaS firewalls, where "I" don't have access to them.

Public IPs are on them.


L1 Bithead

This was indeed my issue. According to the Palo documentation, when the SaaS firewalls get deployed in the Azure Portal, the template is supposed to deploy the NSGs and attach them to the private subnet. However, that is not the case; Azure does not deploy the required NSGs like the documentation suggests. So it would be nice if someone from Palo could add that to the deployment guide, because nowhere does it mention that, that I can find.

L0 Member

Did anyone find the fix for this issue? I am having a similar issue where we are unable to access the internet via Cloud NGFW, and no traffic is seen on Panorama, with no hits on the policy and SNAT.

@GraysonDenny 

You mean to tell me that an NSG HAS to be deployed to the VNets in question in order for this to work? So there must be some qualification in the background in Azure itself in order to get this to work?

Doesn't traffic in Azure VNets just flow with a base NSG either way? Even if you didn't have a Palo firewall installed, doesn't a VNet get a "default" NSG that Azure just assigns in the background that is basically Any Any?
