For details on cookie usage on our site, read our Privacy Policy
AWS VM Series Gateway Load Balancers not working
- LIVEcommunity
- Discussions
- Network Security
- VM-Series in the Public Cloud
- AWS VM Series Gateway Load Balancers not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
AWS VM Series Gateway Load Balancers not working
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-10-2020 09:23 PM
Hi All
Has anyone else had a play with the GWLB on AWS?
I know it must be PAN-OS 10.0.2 or higher to work,
I have tested with multiple instances,
As a bump in the wire it works fine. until you apply NAT, then it doesn't work at all for any traffic that is NAT'd.
I have an open TAC for this, they are replicating the fault to work it out but surely this was all tested before it went public.
I also found overlay routing breaks traffic flow. its not documented anywhere that I could find but what I found was it processes the GENEVE traffic in the virtual router where without it, is just an in-return non routed flow.
If you've tinkered with it and actually got inbound/outbound NAT and/or overlay routing to function, please let me know what you did.
sadly the documentation just doesnt provide any decent clarity for this feature.
Also extremely disappointed they havent integrated this into version 9.1.
I am hopeful they will add it with 9.1.7 in a functional state as I am not planning to move my clients to 10.0 until the list of known issues is about 1/4 its current size.
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-05-2021 04:46 AM
Hi @tostern
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-07-2021 11:19 AM
I had a 3 interface setup working: GENEVE In/Out through eth1/1, then into eth1/2 -> NAT -> out of eth 1/3 to the ouetside.
Traffic would end up passing through the firewall twice.
On the other hand GWLB seems to break GP, so cannot run GP portal/Gateway on the outside interface.
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-08-2021 12:22 AM
My design is as per below. Let me know if any issue.
Server-1 (Outside)==>TGW==>SecurityVPC==>GWLBe==>EndPoint Service==>GWLB==>PaloAlto Outside interface (Eth1/1)==>Pa Processing==>PaloAlto Inside interface(Eth1/2)==> Server-2 (Inside).
I am not using GP instead traffic is ping/ssh. Whenever i process the traffic from Outside to Inside traffic logs saying traffic outside to outside hence not matching correct policy and not processing.
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-08-2021 08:07 AM
At this time, GWLB deployments do not support routing outside of the GENEVE interface. The traffic must hairpin back to the GWLB.
Also, there is a known issue with GP not working on a GWLB enabled firewall that will be resolved in a future release.
- Mark as New
- Subscribe to RSS Feed
- Permalink
02-08-2021 10:05 AM
Thanks for letting me know that it's a known issue with GP, any indication on when to expect a fix?
Thanks
- GP installation issues in GlobalProtect Discussions
- Gateway certificate error when switching to SAML authentication in GlobalProtect Discussions
- Azure SAML double windows to select account in GlobalProtect Discussions
- NGFW with azure gateway load balancer in VM-Series in the Public Cloud
- Filtering by a Azure AD user does not work in Gateway-->Agent-->Client Settings in GlobalProtect Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
