07-19-2021 11:32 PM
Hi Guys,
I am working on inbound (from the internet) flow on the VM-series untrust interface directly.
Setup -
VM-series FW - 3 interfaces -- Mgmt, Untrust, Trust
Client -> Internet GW -> EIP -> Firewall untrust interface - eth1/1 -> (SNAT - eth1/2; DNAT - Server private IP) -> Server
In the monitor log, I can see the SNAT & DNAT taking place, traffic being allowed by Security rule.
But nothing is getting forwarded to the Server ... No packets are received on the server-side.
I have checked routes,
default - 0.0.0.0/0 -- exit thru untrust -> IGW
private subnet - 10.x.x.x/24 -- thru Trust interface
Is this not bound to work when directly attaching the EIP to the untrust interface?? The same setup works fine with an NLB (network load balancer) in front of the VM-series FW (untrust interface).
Just to note - I have already opened a TAC support case, with no luck -- too much back and forth of info sharing, with zero constructive suggestions 😞
++ @jmeurer -- Any suggestions??
07-19-2021 11:43 PM
Hi @abhishah03,
Sorry to hear that you had no luck with our TAC team.
The problem you describe could have many reasons.
- Did you check your Security Groups on all interfaces?
- Did you review all route tables so that the traffic gets forwarded correctly?
- Have you already asked AWS TAC if they can see the packets and whether they can explain the reason why the packets didn't reach the client host?
Regards,
Torsten
07-20-2021 12:01 AM
@tostern -- Please find the answer inline -
- Did you check your Security Groups on all interfaces? -- SG is set properly -- hence the packets are reaching the PA firewall, and the logs reflect the same (AWS flow logs, PA monitor logs)
- Did you review all route tables so that the traffic gets forwarded correctly? -- Routes are straightforward --- 2 routes on the virtual router --
default - 0.0.0.0/0 -- exit thru untrust -> IGW
private subnet - 10.x.x.x/24 -- thru Trust interface -- 10.0.0.1
- Have you already asked AWS TAC if they can see the packets and whether they can explain the reason why the packets didn't reach the client host? -- The reason needs to be explained by PA, I believe; the packets are reaching the firewall, but not exiting from there :(.
07-20-2021 12:13 AM
So you can see that the packet is leaving the PAN FW but you don't get any return traffic?
Did you check the AWS route tables, and are you sure you don't have any SG on the Server that can block the traffic?
Regards,
Torsten
07-20-2021 12:15 AM
Nope, I can see the packet only entering the PA FW ...
07-20-2021 12:17 AM
@abhishah03 please send me an email at tostern@paloaltonetworks.com, then I want to have a deeper look into it.
Afterwards we can share the solution to the problem here.
Regards,
Torsten
07-20-2021 01:32 AM
I've just sent you an email with all the details. Pls check & suggest.
The interesting part is that everything works fine with the traffic ingress point changed to an AWS NLB, rather than utilizing the EIP of the untrust NIC.
07-20-2021 08:52 AM
Make sure your SNAT rule is set with the original packet set to the untrust private IP and not the EIP. AWS SNATs on the way in and the firewall sees the packet after the EIP translation. Also, ensure both interfaces are added to the VR.
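As an added illustration of the two checks in the reply above (not code from this thread, from Palo Alto Networks or from AWS), this Python model walks an internet-sourced packet through the EIP-to-private-IP rewrite at the Internet Gateway and then through a simplified NAT rule lookup and VR membership check; all addresses, zone and interface names, and the dict shapes for "packet" and "rule" are constructed placeholders, not the PAN-OS API.

```python
# Constructed placeholder values (hypothetical; nothing here is from the thread).
UNTRUST_ENI = {"PrivateIpAddress": "10.0.1.10",
               "Association": {"PublicIp": "203.0.113.5"}}
VR_INTERFACES = ["ethernet1/1", "ethernet1/2"]  # eth1/1 = untrust, eth1/2 = trust


def aws_ingress_translate(packet, eni):
    """1:1 EIP mapping at the Internet Gateway: a packet sent to the EIP reaches
    the ENI with its destination already rewritten to the ENI's private IP."""
    if packet["dst"] == eni.get("Association", {}).get("PublicIp"):
        return {**packet, "dst": eni["PrivateIpAddress"]}
    return packet


def nat_rule_matches(rule, packet):
    """Original-packet match (zone, pre-NAT destination, service); a simplified
    model of the rule lookup, not the PAN-OS matching engine."""
    return (packet["from_zone"] == rule["from_zone"]
            and packet["dst"] == rule["orig_dst"]
            and rule["service"] in ("any", packet["dport"]))


def missing_vr_members(vr_interfaces, required=("ethernet1/1", "ethernet1/2")):
    """Both untrust and trust must belong to the virtual router, otherwise the
    post-NAT packet has no egress route toward the server."""
    return [i for i in required if i not in vr_interfaces]


def simulate_inbound(rule, vr_interfaces, packet, eni=UNTRUST_ENI):
    """One-line diagnosis for an internet-sourced packet."""
    seen = aws_ingress_translate(packet, eni)  # what the firewall receives
    missing = missing_vr_members(vr_interfaces)
    if missing:
        return "no-route: interfaces missing from VR: " + ", ".join(missing)
    if not nat_rule_matches(rule, seen):
        return (f"nat-miss: firewall sees dst {seen['dst']}, "
                f"rule's original destination is {rule['orig_dst']}")
    return f"dnat: {seen['dst']} -> {rule['translated_dst']}"


if __name__ == "__main__":
    pkt = {"from_zone": "untrust", "src": "198.51.100.7",
           "dst": "203.0.113.5", "dport": 443}
    wrong = {"from_zone": "untrust", "orig_dst": "203.0.113.5",  # EIP: never matches
             "service": "any", "translated_dst": "10.0.2.20"}
    right = {**wrong, "orig_dst": UNTRUST_ENI["PrivateIpAddress"]}
    for rule, vr in ((wrong, VR_INTERFACES), (right, VR_INTERFACES), (right, ["ethernet1/1"])):
        print(simulate_inbound(rule, vr, pkt))
```

The "nat-miss" case is the symptom the reply warns about: the firewall only ever sees the private IP, so a rule keyed on the EIP never fires and nothing is forwarded to the server.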
07-20-2021 11:34 AM
Yup, that's already in place.
Using the Private (untrust) IP in NAT; also both interfaces are added in the VR.
08-12-2021 07:15 PM
@abhishah03 what was the solution to your problem? Pls advise the steps so we can also benefit from it.