https://www.paloaltonetworks.com/documentation/80/virtualization/virtualization/set-up-the-vm-series-firewall-on-azure/deploy-the-vm-series-and-azure-application-gateway-template/start-using-the-vm-series--azure-application-gateway-template/sample-configuration-file

"Address objects: Two address objects, firewall-untrust-IP and internal-load-balancer-IP, which you will need to modify to match the IP addresses in your setup. You need to modify these address objects to use the private IP addresses assigned to eth1-VM-Series0 and eth1-VM-Series1 on the Azure portal."

The above statement says that we should set firewall-untrust-IP and internal-load-balancer-IP to the eth1 interface of VM0 and VM1. I am wondering if this is correct. internal-load-balancer-IP should be the IP address of the internal load balancer, not the eth1 interface IP of VM1.
I am implementing this scenario: https://github.com/PaloAltoNetworks/azure-applicationgateway

Here is the flow of traffic: internet -> App Gateway (public IP) -> VM Series -> ILB -> Web Servers (4). I only have 1 firewall appliance for now.

Azure Application Gateway connects with the Palo Alto VM Series over port 80. The Application Gateway keeps thinking that the firewall VM is unhealthy. There is no custom probe configured in the template above, so it expects HTTP 200 but is not getting it. App Gateway only supports HTTP and HTTPS in the backend. Perhaps this error is due to missing configuration in the firewall. What type of configuration do I need to do in the firewall to return a valid response over port 80 so it appears healthy to the App Gateway?

I have defined UnTrust and Trust zones. I have configured the interfaces. I have configured NAT with a static route. I created a Linux VM in the same subnet as the internal load balancer and web servers. I can curl successfully to the website and get HTTP 200. I have verified that the VM Series firewall VM does allow

What needs to happen in the firewall VM so it responds with HTTP 200 to the health checks from the Application Gateway? Thanks
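A quick way to see what the gateway's default probe sees when it hits the firewall's untrust address, as an added example that is not from this thread or from the Palo Alto template. The probe semantics (GET on "/", status 200-399 counts as healthy, three consecutive failures mark the backend unhealthy) are assumed from Azure's default HTTP probe, and the loopback stub backend is a constructed stand-in for whatever answers port 80 behind the firewall's NAT rule.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed default probe semantics (from Azure docs, not this thread): GET "/" on the
# backend port, status 200-399 is healthy, 3 consecutive failures mark it unhealthy.
HEALTHY_STATUSES = range(200, 400)
UNHEALTHY_THRESHOLD = 3

def probe_once(host, port=80, path="/", timeout=5.0):
    """One probe as the gateway would send it. Returns (healthy, detail).
    A refused or timed-out connection is a failure, which is what the gateway
    sees when nothing behind the firewall's untrust interface answers port 80."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        status = conn.getresponse().status
        conn.close()
        return status in HEALTHY_STATUSES, f"HTTP {status}"
    except (OSError, http.client.HTTPException) as exc:
        return False, f"no response ({type(exc).__name__})"

def backend_state(results):
    """Fold a sequence of (healthy, detail) results into the backend state the
    gateway would report, applying the consecutive-failure threshold."""
    streak = 0
    for healthy, _ in results:
        streak = 0 if healthy else streak + 1
        if streak >= UNHEALTHY_THRESHOLD:
            return "Unhealthy"
    return "Healthy"

def start_stub_backend(status=200):
    """Constructed stand-in for the web tier reached through the firewall's NAT:
    a loopback HTTP server that always replies with `status`. Returns (port, server)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1], server

if __name__ == "__main__":  # swap 127.0.0.1/port for the firewall's untrust IP and 80
    port, server = start_stub_backend(200)
    results = [probe_once("127.0.0.1", port) for _ in range(3)]
    print(results, backend_state(results))
    server.shutdown(); server.server_close()
```

Run it against the untrust IP on port 80 from a VM in the App Gateway subnet: "no response" means the probe never gets an answer (no NAT or security rule matched), while a non-2xx/3xx status means the NAT works but the web tier is returning something the default probe treats as unhealthy.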
We have an existing environment where Palo Alto VM Series was deployed by somebody who is no longer at the company. I was told that it has never worked. The primary purpose of the firewall is to secure inbound web traffic. The current configuration is: AppGateway -> LB -> 2 VM Series -> ILB -> Web Servers. The VM Series VMs had 3 network interfaces. I can log into the management UI and see that no configuration was done. I noticed that the AppGateway did not have an HTTPS listener, so it only accepts HTTP traffic. None of the subnets have any UDRs defined.

Our requirements can be met by the template published here: https://github.com/PaloAltoNetworks/azure-applicationgateway

This template eliminates the public LB in front of the VM Series, so traffic flows like this: internet -> AppGateway -> 2 VM Series -> ILB -> Web Servers. What is the benefit of having a public LB between the AppGateway and the firewall VMs? Even this template shows the Application Gateway without an HTTPS listener. I am wondering why this is the case? Thanks