Azure - no traffic to untrust public ip

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Azure - no traffic to untrust public ip

L1 Bithead

I've followed the instructions here and can't get traffic to my untrust public IP: https://www.paloaltonetworks.com/documentation/71/virtualization/virtualization/set-up-the-vm-series...

 

I'm using the Azure BYOL template (version 8.1) and can see my PA interfaces getting the proper azure NIC IPs as the document describes. I then setup a public IP for that untrust NIC and tried creating a GlobalProtect gateway and portal, but cannot get any traffic to the public IP to view the GP portal. I've tried just about everything I can think of, even making sure "firewalls" are all basically wide open. 

 

Basically, I'm just trying to setup a basic VPN from internet to an existing VNET, I don't understand the need for trust and untrust. I basically just want one external IP to allow users to connect to that then assigns an IP and routes into my Azure VNET. Any help appreciated.

1 accepted solution

Accepted Solutions

Try this in the meantime

 

1. Go to the interface, go to the DHCP options and uncheck the option to automatically add the default gateway

2. Do this for both Trust and untrust

3. Go into the virtual route and statically add the default gateway for both the trust and untrust interfaces. They should point to .1 of the subnet that is assigned to the interface via DHCP

View solution in original post

17 REPLIES 17

L5 Sessionator

Can you make sure IP forwarding is enabled on Eth1 which would be the Untrust interface on the firewall in Azure?

 

IPForwarding.PNG

It is enabled. I don't think I set those, so I believe they were set by the ARM template. Both trust and untrust interfaces have IP forwarding enabled.

 

I think the issue is NAT related. I can see the expected packets in the "drop" packet capture log.

Please provide a link to that template from GitHub or where you received this template?

To be honest, I'm not sure exactly which template is used. When selecting the VM-Series Next Generation Firewall (BYOL) in the marketplace, it only says this: 

 

Documentation and sample ARM templates: http://azure.paloaltonetworks.com

 

However, not much is mentioned on that site.

 

I would imagine the templates are here. However, I'm not sure exactly which one is used.

 

https://github.com/PaloAltoNetworks/azure

 

I do see that this one has IP forwarding enabled: https://github.com/PaloAltoNetworks/azure/blob/master/vmseries-test-drive/main-template.json#L320

The link you sent me takes me to the Test Drive registration page? Is this a test drive? If so which one did you register for specifically? I'm not familiar with the Test Drives but the more I know about it I can direct you to the appropriate party. 

 

Did you launch via azure deploy button on github? How was this BYOL template launched? If it is a test drive does it list how to get assistance within the test drive?

Try this in the meantime

 

1. Go to the interface, go to the DHCP options and uncheck the option to automatically add the default gateway

2. Do this for both Trust and untrust

3. Go into the virtual route and statically add the default gateway for both the trust and untrust interfaces. They should point to .1 of the subnet that is assigned to the interface via DHCP

Sorry for the confusion. I used the Azure marketplace version of the VM series, not the "deploy" button from github. I'm assuming they're similar. I'm not sure of the actual template that was used.

This was it, thank you! I knew something seemed wrong with all of this. The documentation needs to reflect the fact that the untrust and trust that obtain the IPs via DHCP don't have a default gateway.

 

The instructions do mention to unckeck the option to add the default gateway, but even checking those don't work (one of my attempts to get things working was to try that, to no avail).

 

For future generations (in case the original document isn't updated).

 

Go into the Palo Alto web interface --> Network --> Virtual Routers --> default

 

Static Routes --> add:

 

Destination: 0.0.0.0/0

Interface: ethernet1/1

Next Hop: IP Address and specify the .1 like @jperry1 mentioned (typically you have .4 assigned to the VM by Azure).

(e.g. machine got 10.2.1.4, use 10.2.1.1 as the next hop).

 

---------

 

Now to figure out how to get a GlobalProtect agent installer so that when someone tries to click the download in the portal, they don't get "errors.txt" to download...

 

 

Thanks for the update. Unless we go into the interface and check that we want to receive default gateway interfaces then it will not provide them. Only the management interface will receive them by default. 

That being said that is usually part of the config process on the PAN for interfaces to receive DHCP. 

There may be a weird occurance where the interfaces receive a 168 for the default gateway instead of a the default gateway of .1. I have seen that before in which I have to manually add the route in the virtual router.  But you should be able to check DHCP option to add the default route and for the most part that will work. Thanks again and take care. 

I tried the checkbox a few times and it didn't work. Not sure why though.

The documentation is updated to show you how to add a default route in Step 7-5:  https://www.paloaltonetworks.com/documentation/81/virtualization/virtualization/set-up-the-vm-series...

I'm having a similar issue. For the untrust (internet facing) interface, shouldnt it be using the assigned public ip and have x.x.x.1 (public IP) set as its next hop static route?

 

EDIT: looking through the palo deployment guide, its says the following regarding the untrust interface:

On the IPv4 tab, select DHCP Client.  if you plan to assign only one IP address on the interface—the firewall will automatically acquire the private IP address assigned in the ARM template. If you plan to assign more than one IP address, select Static

 and manually enter the primary and secondary IP addresses assigned to the interface on the Azure portal.

 

Why would this specify 'private' ip address? Being the internet interface, shouldnt it be using the public assigned address?

It turns out that all of the public to private address translation is done by Azure. The firewall need only be configured with private ip addressing and routing.

L0 Member

Thanks for the update. But you should be able to check DHCP option to add the default route and for the most part that will work. Tyson vs Jones Live Thanks again and take care.

  • 1 accepted solution
  • 20020 Views
  • 17 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!