Public Web Server, Secondary IP Address, and Loopback Interface

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Public Web Server, Secondary IP Address, and Loopback Interface

L0 Member
We have a VM-100 running 9.0.3.xfr to do some testing.  This is currently setup on AWS, and we are trying to support traffic for multiple public web server's being sent through the firewall.  There are the three standard zones and network interfaces (Untrusted, Trusted, and Management).  The Untrusted has a public IP (Elastic IP) and internal subnet IP (AWS does the NAT for this).  
 
A secondary IP address was created (different public IP NAT'd by AWS to different internal subnet IP) for the first public web server, and attached to the same network interface as the Untrusted.  Additionally, this secondary IP address has to be NAT'd using the firewall's NAT Policy to direct it to the internal web server IP.
 
This knowledgebase article (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSDCA0) suggested the preferred way was to setup the secondary IP as a loopback, apply a different security zone, and then security policies could be written using this additional security zone assigned via the loopback interface.  This was done with an additional security zone called Public Web. 
 
The only way I can get it to work is with a NAT policy configured in a way that changes the security zone from Public Web to Untrusted (which happens first).  Then all of the Security Policy rules cannot use the Public Web security zone, and can only use the Untrusted zone.  
 
Is there a way to do what is described in the article?  Am I missing something from the article?
2 REPLIES 2

L0 Member

So I spoke with support, and received further information.  The general summation is that the loopback interfaces work differently on the VM series (virtual firewalls) as compared to hardware firewalls.  The article was written for a hardware firewall.  

 

Support explained that the loopback interface on the VM series in a cloud environment does not handle packets in the same way.  The cloud provider infrastructure knows nothing of the loopback interface nor it's routing.  Using a loopback interface in the VM series does not allow you to change the security zone as described in the article.  

 

Support Summary:

This is specifically written for a hardware firewall which can perform an internal route lookup to find which interface an IP range is attached to, and leverage proxy arp to respond to ARP requests for IP addresses configured in NAT on the interface. This technique makes the configured IP address available to outside hosts trying to reach it while not being physically configured on the interface.

VM has two part of the interface/zone configuration, one on Firewall itself and corresponding interface association in AWS side. If you just configure a loopback, AWS does not know about this interface, hence the route lookup may fail.

 

 

 

L0 Member

so, are you saying the solution is to:

1. configure a Pub. <-> Private IP mapping in AWS on its External interface.

2. on PA VM configure Lo. in same zone as where the Ext. interface (or Outside in terms of FW) is defined

3. Create a Sec. policy for access to this Lo. as per requirement.

 

is this the solution then?

  • 3434 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!