ALB Health Checks -> Palo Alto -> ALB


L2 Linker

Trying to get the Palo Altos to register as healthy. Can anyone provide some assistance on NAT policies, or configurations for getting TCP 80 checks from ALB to Palo Altos to ALB which sits in front of two App servers? 

 

ALB (Palo Altos)
   |
Palo Altos
   |
ALB (App Servers)
   |
App Servers

2 REPLIES

Cyber Elite

What are the health checks telling you about why they are failing? (There should be a reason code that you can match to the documentation.)

How is your NAT configured currently?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

The health check failure states 'Request Timed Out'.

 

For NAT policies on the FW, I use Address Objects and map the FQDN of the ALBs. I can successfully resolve the FQDN of the ALB which points to the Palo Altos, but I cannot resolve the ALB for the App Servers from the Palo Alto. They are in different VPCs.

 

      ALB
Palo1 Palo2   = Can resolve from FW

 

     ALB
App1 App2  =  Can't resolve from FW

 

I think it has something to do with the Palo not being able to resolve the FQDN of the ALB positioned 'lower' in the stack sitting above the App Servers. 

 

 

 

 

 
