ALB Health Checks -> Palo Alto -> ALB



L2 Linker


Trying to get the Palo Altos to register as healthy. Can anyone provide some assistance on NAT policies, or configurations for getting TCP 80 checks from ALB to Palo Altos to ALB which sits in front of two App servers? 


ALB (Palo Altos)


Palo Altos

ALB (App Servers)

App Servers

L7 Applicator

What are the health checks telling you about why they are failing? (There should be a reason code that you can match to the documentation.)


How is your NAT configured currently?

Tom Piens -
Like my answer? check out my book!
L2 Linker

The health check failure states 'Request Timed Out'.


For NAT policies on the FW, I use Address Objects and map the FQDN of the ALBs. I can successfully resolve the FQDN of the ALB which points to the Palo Altos, but I cannot resolve the ALB for the App Servers from the Palo Alto. They are in different VPCs.


Palo1 Palo2   = Can resolve from FW


App1 App2  =  Can't resolve from FW


I think it has something to do with the Palo not being able to resolve the FQDN of the ALB positioned 'lower' in the stack sitting above the App Servers. 





