10-16-2022 06:27 AM
Hello Everyone,
I have deployed a PA-VM in GCP. In that we have configured 3 VPCs (MGMT, Untrust & Trust).
In the Trust VPC we have created a Windows Server 2016; in the PA we created a D-NAT & security policy.
In GCP, under the Trust VPC, firewall ingress traffic is allowed & the route is forwarded to the PA-VM instance with 500 priority.
For the Untrust VPC, firewall ingress traffic is allowed & the route is pointing toward the default internet gateway.
What am I missing here?
10-16-2022 03:00 PM
Have you looked at your routing table? I assume that your WAN and internal interfaces are in DHCP mode?
10-16-2022 07:29 PM
Hi Fcrofdir,
Both interfaces are configured as static.
10-16-2022 07:38 PM
Did you create on the Palo Alto, in the Trust VPC, a return route to go back to the virtual router of the Trust VPC?
Did you create a default route in the Untrust to send traffic to the GCP virtual router of the Untrust VPC?
Did you capture packets in the logs of the Palo when you tried to send traffic to the internet from your Windows Server 2016? On the NAT screenshot the hit count is "0", meaning that no traffic is hitting this rule, or maybe no traffic is hitting the firewall VM.
10-16-2022 09:53 PM
Hi Fcrofdir,
I performed the below steps in GCP:
1. Created 3 VPCs (MGMT, TRUST & UNTRUST).
2. Created ingress/egress firewall rules on the VPC networks.
3. Modified the default route for the Trust network to use the Palo Alto instance.
4. Created a Trust VPC network route in the Untrust VPC to use the PA instance.
In the PA I performed the below steps:
1. Assigned static IP addresses to the interfaces.
2. Created a default route.
3. Created Source NAT & security policy for the Trust VPC network.
4. Created DNAT & security policy for the Windows Server.
Kindly let me know which step I missed out.
10-16-2022 10:56 PM
It sounds great.
Could you generate traffic from your Windows 2016? Does it ping the PA Trust interface? Do you see the traffic in the traffic monitor? Have you overridden the intrazone-default and the interzone-default rules in the security policy to log first packet and last?
If the NAT hit count or the security rule hit count doesn't increase, that means there is something not working in the Trust VPC config in GCP.
I remember that in AWS you have to disable the source/destination check on the network interface when you set the IP statically on a network interface. I don't remember if you have to do something like that in GCP.
10-19-2022 02:07 AM
Hi Fcrofdir,
Thanks for the hint.
While troubleshooting we found it was hitting the default intrazone rule, which was blocked.
Then we changed to the custom rule and it started working.
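The diagnosis above (traffic falling through to a default rule, and the earlier advice to override intrazone-default/interzone-default so they log) can be checked offline with a small first-match evaluator. This is an added example, not code from the thread or from Palo Alto Networks; the zone names, rule names and the simplified config XML layout are constructed assumptions, and the factory defaults (intrazone allow, interzone deny, no logging) are modelled in BUILTIN.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one explicit trust->untrust allow rule, plus intrazone-default
# overridden to deny (the situation the thread ends up diagnosing).
SAMPLE_CONFIG = """
<config>
  <rulebase>
    <security>
      <rules>
        <entry name="trust-to-untrust">
          <from><member>trust</member></from><to><member>untrust</member></to>
          <action>allow</action>
          <log-end>yes</log-end>
        </entry>
      </rules>
    </security>
    <default-security-rules>
      <rules>
        <entry name="intrazone-default">
          <action>deny</action>
        </entry>
      </rules>
    </default-security-rules>
  </rulebase>
</config>
"""
# Assumed factory behaviour of the two implicit rules: neither logs unless overridden,
# which is why a blocked flow never shows up in the traffic monitor.
BUILTIN = {
    "intrazone-default": {"action": "allow", "log": False},
    "interzone-default": {"action": "deny", "log": False},
}

def _members(entry, tag):
    return {m.text for m in entry.findall(f"{tag}/member")}

def _logs(entry):
    return any(entry.findtext(t) == "yes" for t in ("log-start", "log-end"))

def match_rule(config_xml, from_zone, to_zone):
    # First explicit rule whose from/to zones cover the flow wins
    root = ET.fromstring(config_xml)
    for entry in root.findall("./rulebase/security/rules/entry"):
        src, dst = _members(entry, "from"), _members(entry, "to")
        if (from_zone in src or "any" in src) and (to_zone in dst or "any" in dst):
            return entry.get("name"), entry.findtext("action"), _logs(entry)
    # No explicit hit: fall through to the implicit rule, applying any override
    name = "intrazone-default" if from_zone == to_zone else "interzone-default"
    rule = dict(BUILTIN[name])
    override = root.find(f"./rulebase/default-security-rules/rules/entry[@name='{name}']")
    if override is not None:
        rule["action"] = override.findtext("action", rule["action"])
        rule["log"] = _logs(override)
    return name, rule["action"], rule["log"]
```

A flow whose zones are not covered by any explicit rule lands on a default rule with logging off, so an empty traffic log does not by itself mean the firewall never saw the packets.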