I have set up a classic internal ELB with traffic forwarded to 2 AD FS servers. Internally, by creating a CNAME entry with the FQDN for the ELB, the load balancer forwards to each of the AD FS servers as it should. I have the necessary NAT and security policies as well as a policy-based forwarding rule, as this is the 2nd public interface with forwarding traffic. Public traffic gets forwarded fine to the ELB, as long as the IP address I enter in the destination translation of the NAT policy is set explicitly and is current. All of the other references to the ELB can be an FQDN, but since this parameter needs to be an IP, this won't work very long without manually changing this IP, as the private IP of the ELB changes frequently. I don't want to change to an external ELB as that would require I use separate external interfaces on the Palo VM-300, which are precious to us. I don't want to use a 3rd party load balancer as this would complicate monitoring and may not work if we want to implement auto-scaling for this or other projects in the future. The online documentation for ELB and the Palo virtual appliance seems to cover the use case of an external ELB in front of 2 or more virtual appliances, but it isn't clear and doesn't seem to provide relevant information regarding my use case. I had a session with Palo support where I was told that the destination translation needs to be an IP, so what I was trying to do wouldn't work, but I wasn't clear whether or not what I want to do at a high level is possible using some other method that I am not aware of. This seems like a major oversight, especially since there is documentation available to use ELB with the Palo VM-300 in another usage scenario. Does anyone have any insight to share?
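The drift described above (a static translated IP in the NAT rule versus an ELB whose private addresses change) can at least be detected before it breaks logins. The following is an added example, not from the original post or from Palo Alto Networks or AWS: it resolves the ELB's DNS name and compares the result with the IP currently configured in the NAT rule. The ELB name and the configured IP are placeholders; the resolver is injectable so the check can run against constructed data.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Set

# Constructed placeholder values; replace with your own internal ELB DNS name
# and the IP currently configured in the NAT rule's destination translation.
ELB_FQDN = "internal-adfs-elb-000000000.us-east-1.elb.amazonaws.com"
CONFIGURED_NAT_IP = "10.0.1.25"


def resolve_a_records(fqdn: str) -> Set[str]:
    """Return the IPv4 addresses the name currently resolves to (live DNS lookup)."""
    results = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    return {sockaddr[0] for _, _, _, _, sockaddr in results}


def check_nat_target(configured_ip: str, fqdn: str,
                     resolver: Callable[[str], Iterable[str]] = resolve_a_records) -> dict:
    """Compare the static NAT translated address with what the ELB name resolves to.

    'stale' means the configured IP is no longer one of the ELB's addresses.
    'multi_ip' flags that the ELB publishes more than one A record (an internal
    classic ELB spanning several subnets does), so a single translated IP only
    ever reaches one of its nodes even while it is still valid.
    """
    current = {str(ipaddress.IPv4Address(ip)) for ip in resolver(fqdn)}
    configured = str(ipaddress.IPv4Address(configured_ip))
    return {
        "configured_ip": configured,
        "resolved_ips": sorted(current),
        "stale": configured not in current,
        "multi_ip": len(current) > 1,
    }


if __name__ == "__main__":
    # Run periodically (cron, scheduled task) and alert on 'stale' so the NAT
    # rule is corrected before the private IP of the ELB moves away from it.
    report = check_nat_target(CONFIGURED_NAT_IP, ELB_FQDN)
    for key, value in report.items():
        print(f"{key}: {value}")
```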