L1 Bithead

I do not know if you are still looking for a resolution, but I have placed answers to some of your questions below: 


The public load balancer forwards the traffic to the VM-Series.  The load balancer itself is comprised of 3 major components.

  1. Frontend IP Address. 
    • This is the address that is assigned to the public load balancer. This would be 140.242.125.50 in your example. 
  2. Backend Pool
    • This is the "target" or "destination" of the load balancer.  This would be the VM-Series untrust interfaces.   
  3. Load Balancing Rule
    • The load balancing rule assigns a frontend address to a backend pool.  You can enter the port that you want to allow (i.e. TCP/80).


The load balancer is just forwarding traffic from 140.242.125.50:80 to the VM-Series untrust interfaces (private IP). When the VM-Series receives the request, the firewall DNATs the traffic to the internal address in Azure. We must also apply a dynamic SNAT on the policy. This is required because the public load balancer does not maintain flow symmetry. The SNAT guarantees synchronous responses for a given request.


This post may also answer your question on how to NAT inbound traffic from a public LB: https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/active-active-gateways-in-azure-a...
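As an added illustration of why the dynamic SNAT is needed (example code, not part of the original post), the following Python model puts two VM-Series firewalls behind the public LB, with constructed private addresses and the assumption that the web server's default route points at the second firewall. Without SNAT the reply lands on a firewall that holds no session for the flow and is dropped; with SNAT to the receiving firewall's trust address the reply comes back symmetrically.

```python
from dataclasses import dataclass

# Constructed addresses; only the LB frontend comes from the post.
LB_FRONTEND = "140.242.125.50"
CLIENT = "203.0.113.7"
WEB_SERVER = "10.0.2.10"
FW_A = {"name": "fw-a", "untrust": "10.0.1.4", "trust": "10.0.3.4", "sessions": {}}
FW_B = {"name": "fw-b", "untrust": "10.0.1.5", "trust": "10.0.3.5", "sessions": {}}

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def inbound(fw, pkt, snat):
    """DNAT to the web server; with snat, also SNAT to this firewall's trust IP."""
    src = fw["trust"] if snat else pkt.src
    out = Pkt(src, pkt.sport, WEB_SERVER, pkt.dport)
    # Session is keyed on the reply tuple the firewall expects to see coming back.
    fw["sessions"][(out.dst, out.dport, out.src, out.sport)] = pkt
    return out

def reply_path(reply):
    """Replies to a firewall's trust IP reach it; else the server's default route (fw-b, assumed)."""
    for fw in (FW_A, FW_B):
        if reply.dst == fw["trust"]:
            return fw
    return FW_B

def handle_reply(fw, reply):
    """Match the reverse 5-tuple; unknown flow -> dropped (None), else un-NAT back to the client."""
    orig = fw["sessions"].get((reply.src, reply.sport, reply.dst, reply.dport))
    if orig is None:
        return None
    return Pkt(orig.dst, orig.dport, orig.src, orig.sport)

def simulate(snat):
    """Return (name of the firewall that received the reply, packet sent back or None)."""
    for fw in (FW_A, FW_B):
        fw["sessions"].clear()
    req = Pkt(CLIENT, 51000, LB_FRONTEND, 80)
    # The public LB picks fw-a and rewrites the destination to its untrust private IP.
    lb_out = Pkt(req.src, req.sport, FW_A["untrust"], req.dport)
    to_server = inbound(FW_A, lb_out, snat)
    reply = Pkt(to_server.dst, to_server.dport, to_server.src, to_server.sport)
    fw = reply_path(reply)
    return fw["name"], handle_reply(fw, reply)
```

Run `simulate(snat=False)` and `simulate(snat=True)` to compare the two return paths.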
