Public Web Server, Secondary IP Address, and Loopback Interface

We have a VM-100 running 9.0.3.xfr to do some testing. This is currently set up on AWS, and we are trying to support traffic for multiple public web servers being sent through the firewall. There are the three standard zones and network interfaces (Untrusted, Trusted, and Management). The Untrusted has a public IP (Elastic IP) and internal subnet IP (AWS does the NAT for this).
 
A secondary IP address was created (a different public IP NAT'd by AWS to a different internal subnet IP) for the first public web server, and attached to the same network interface as the Untrusted. Additionally, this secondary IP address has to be NAT'd using the firewall's NAT Policy to direct it to the internal web server IP.
 
This knowledgebase article (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSDCA0) suggested the preferred way was to set up the secondary IP as a loopback, apply a different security zone, and then security policies could be written using this additional security zone assigned via the loopback interface. This was done with an additional security zone called Public Web.
 
The only way I can get it to work is with a NAT policy configured in a way that changes the security zone from Public Web to Untrusted (which happens first). Then none of the Security Policy rules can use the Public Web security zone; they can only use the Untrusted zone.
 
Is there a way to do what is described in the article?  Am I missing something from the article?
Re: Public Web Server, Secondary IP Address, and Loopback Interface

So I spoke with support, and received further information. The general summation is that the loopback interfaces work differently on the VM series (virtual firewalls) as compared to hardware firewalls. The article was written for a hardware firewall.

Support explained that the loopback interface on the VM series in a cloud environment does not handle packets in the same way. The cloud provider infrastructure knows nothing of the loopback interface nor its routing. Using a loopback interface in the VM series does not allow you to change the security zone as described in the article.
Support Summary:

This is specifically written for a hardware firewall which can perform an internal route lookup to find which interface an IP range is attached to, and leverage proxy arp to respond to ARP requests for IP addresses configured in NAT on the interface. This technique makes the configured IP address available to outside hosts trying to reach it while not being physically configured on the interface.

VM has two parts of the interface/zone configuration, one on the firewall itself and the corresponding interface association on the AWS side. If you just configure a loopback, AWS does not know about this interface, hence the route lookup may fail.
