This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About rbottiglieri
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About rbottiglieri
08-19-2023
6Posts
1Like
0Solutions
Aug 19, 2023Last Visited
User
Activity
User
Profile
Latest posts by rbottiglieri
| Subject | Views | Posted |
|---|---|---|
| 3139 | 12-01-2021 06:27 AM | |
| 5539 | 08-10-2020 07:40 PM | |
| 5676 | 08-10-2020 01:38 PM | |
| 3869 | 08-05-2020 02:26 PM | |
| 3905 | 08-05-2020 01:33 PM | |
| 4067 | 08-04-2020 03:04 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 08-10-2020 07:40 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like |
User Badges
Community Statistics
| Member Since | 08-04-2020 02:41 PM |
| Date Last Visited | 08-19-2023 12:39 PM |
| Posts | 6 |
| Total Likes Received | 1 |
12-01-2021
06:27 AM
I haven't looked at this in a little while, but I don't think a VPN between on-prem PA to Azure virtual PA is a supported or recommended solution due to internal Azure routing practices. The supported solution is to setup an always on VPN between your on-prem PA and a virtual network gateway in Azure. I have that setup, and it's been solid for me.
... View more
08-10-2020
07:40 PM
1 Kudo
@claudec, bingo! Indeed, I did have asymmetric routing back to the VM host. Even though the traffic destined for the NYC campus went out the trust interface and traversed the ExpressRoute connection, return traffic was not routing back through the trust interface of the firewall, causing the applications to break. As you mentioned, the solution is to create a route on the GatewaySubnet. The idea that ping tests and traceroutes were both working - even from the trust interface of the campus firewall - was driving me nuts! Anyway, I created a route table, associated it with the GatewaySubnet, and I created a rule that basically forced all traffic destined for my test server subnet to route back through the trust interface of the firewall. Once I added that, everything worked. Thanks for the tip! Rich
... View more
08-10-2020
01:38 PM
Quick question for the community. I have setup and configured the Palo Alto VM series in Azure. Along with the management interface, the VM has “trust” and “untrust” interfaces. I have basically copied the rules over from our office Palo Alto devices, and my test VM is working great through the Palo Alto VM. However, I’m having a problem that I was wondering if you could help me out with. Here are the details: * The test VM is on a new subnet, but part of the same VNET. * I have a static route in the test subnet (in Azure) that basically forces all traffic destined for 0.0.0.0/0 to the trust interface on the Palo Alto VM. * The idea is for the Palo Alto VM to make all the traffic and routing decisions for IP addresses outside of the Azure VNETs. Addresses within the Azure VNET are handled automatically by Azure VNET routing. * No issues at all with websites and web services from the test VM. The Palo Alto VM is processing rules correctly from Trust to Untrust zones. * The issue is connecting back to resources on our corporate campus. * We have ExpressRoute between our office and Azure, and routes are advertised back to the office via BGP. * For other VMs and subnets in Azure (that are not going through the Palo Alto Azure VM), I have no problem connecting back to manage the office firewall or other services hosted out of the office. * I’ve setup a static route in the Palo Alto VM to route traffic intended for the office Palo Alto management IP addresses back through the Trust interface. * This should send the traffic back through Trust and through the VNET’s routing, which includes the route back to the office via ExpressRoute. * When I try to manage the NYC firewall, the connection times out. The office firewall log shows "incomplete" for application type. So, the traffic appears to be flowing from the Azure Palo Alto VM to the office Palo Alto, but I can't use it. * However, I can ping and traceroute back to the office firewall management interface. * I can also successfully ping and traceroute the test VM in Azure using the office's trust interface via the CLI. * I’m having the same problem with a service provider’s system that terminates out of our office. I can ping their services’ IP addresses, but I cannot connect to them using the web browser or application. I must be missing something relatively simple, but I’m not sure what it is. Since I’m routing from Palo Alto (VM) to physical Palo Alto (NYC), do I need some kind of rule on the PA in Azure to allow traffic back in? Any ideas? Thanks!
... View more
08-05-2020
02:26 PM
@RamprakashRT, I did some digging, and I think the issue is that Azure does not permit you to ping the default gateway in an Azure VNET. Check out this doc: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq Adding the public IP to the interface, I can now ping public internet addresses. However, traceroute does not work, and by the looks of things, it is not supposed to work. Thanks for the help. Rich
... View more
08-05-2020
01:33 PM
Hi @RamprakashRT, thanks for this. I had actually just tried that before your post. I originally had a secondary IP address configured on the interface with a public IP address, but that didn't work. So, I scrapped that, and put the public IP address right on the interface. I can now ping, but tracert isn't working. Do I need to modify the NSG to allow all inbound internet traffic on the untrust interface? Thanks. Rich
... View more
08-04-2020
03:04 PM
Just setup a new VM-100 device in Azure. SSL decryption and security policies are in place. My test client PC can browse the web, and all of the policies seem to work. However, I cannot ping or tracert to any public website (e.g., www.apple.com). The DNS resolution works, I see that the ping traffic is allowed in the monitor tab, and I disabled SSL decryption as a test, but it still didn't work. I'm sure that it's something simple, but anyone have any ideas? Thanks! Rich
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-19-2023
12:39 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks