AWS VM Series Gateway Load Balancers not working

Showing results for 
Show  only  | Search instead for 
Did you mean: 

AWS VM Series Gateway Load Balancers not working

L1 Bithead

Hi All

Has anyone else had a play with the GWLB on AWS?
I know it must be PAN-OS 10.0.2 or higher to work,
I have tested with multiple instances, 
As a bump in the wire it works fine. until you apply NAT, then it doesn't work at all for any traffic that is NAT'd. 
I have an open TAC for this, they are replicating the fault to work it out but surely this was all tested before it went public.

I also found overlay routing breaks traffic flow. its not documented anywhere that I could find but what I found was it processes the GENEVE traffic in the virtual router where without it, is just an in-return non routed flow. 


If you've tinkered with it and actually got inbound/outbound NAT and/or overlay routing to function, please let me know what you did. 

sadly the documentation just doesnt provide any decent clarity for this feature.

Also extremely disappointed they havent integrated this into version 9.1.
I am hopeful they will add it with 9.1.7 in a functional state as I am not planning to move my clients to 10.0 until the list of known issues is about 1/4 its current size.



Hi @tostern 

In my case my setup is with two interface Eth1/2 (Inside) & Eth1/3(Outside). So whenever I hit traffic from Outside server to Inside Server traffic logs should say Traffic from Out to In. which is not happening. 

I had a 3 interface setup working: GENEVE In/Out through eth1/1, then into eth1/2 -> NAT -> out of eth 1/3 to the ouetside.

Traffic would end up passing through the firewall twice.


On the other hand GWLB seems to break GP, so cannot run GP portal/Gateway on the outside interface.

My design is as per below. Let me know if any issue.


Server-1 (Outside)==>TGW==>SecurityVPC==>GWLBe==>EndPoint Service==>GWLB==>PaloAlto Outside interface (Eth1/1)==>Pa Processing==>PaloAlto Inside interface(Eth1/2)==> Server-2 (Inside).


I am not using GP instead traffic is ping/ssh. Whenever i process the traffic from Outside to Inside traffic logs saying traffic outside to outside hence not matching correct policy and not processing.  

At this time, GWLB deployments do not support routing outside of the GENEVE interface.  The traffic must hairpin back to the GWLB.


Also, there is a known issue with GP not working on a GWLB enabled firewall that will be resolved in a future release.


Thanks for letting me know that it's a known issue with GP, any indication on when to expect a fix?




Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!