04-10-2025 11:47 PM
Hi, we have deployed Palo Alto firewalls on Azure and a Standard Internal Load Balancer with a single front-end IP and a single backend pool. Does the LB maintain session state if:
(1) communication is sourced from Azure VNET destined to On-premise ?
(2) communication is sourced from On-premise destined to Azure VNET ?
We don't have a Virtual Network Gateway deployed; instead we have a Cisco vMX SDWAN in the Azure VNET that extends the connectivity to on-premises, so for on-premises communication we are routing all traffic (after firewall inspection) to the Cisco vMX SDWAN, which further forwards the traffic to on-premises.
Currently all traffic between the Azure VNETs is routed through the Azure ILB and is working, and no issues have been reported so far, but for traffic sent outside Azure to on-prem we are observing asymmetric routing that causes intermittent drops on the firewall, specifically for SNMP and UDP protocols. We would like to understand whether this type of design is supported by Palo Alto on Azure using the Azure ILB.
04-16-2025 07:58 AM
For inbound traffic like a web server you need a source and destination NAT. The internal LB is bypassed. For traffic initiated outbound the default gateway needs to be the internal LB. Most likely you are having a NAT problem causing asymmetrical routing. It bit me.
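As an added example (not from the thread, nor Palo Alto or Microsoft reference code), a Bicep template for the route tables that implement the answer above: the workload subnet sends on-premises prefixes to the ILB frontend, the firewall subnet forwards them on to the vMX, and the vMX subnet sends VNET-bound replies back to the ILB so the return path is inspected by the firewall pool as well. All addresses, names and the three-subnet layout are constructed assumptions, and the workload route is narrowed to the on-prem prefix rather than a 0.0.0.0/0 default route.

```bicep
// Added example (not from the thread). Constructed addresses:
//   10.0.0.0/16     Azure VNET (workload, firewall and vMX subnets)
//   10.0.1.10       standard ILB frontend IP in front of the Palo Alto pool
//   10.0.3.4        Cisco vMX SD-WAN inside interface
//   192.168.0.0/16  on-premises prefixes reached through the vMX
param location string = resourceGroup().location
param ilbFrontendIp string = '10.0.1.10'
param vmxIp string = '10.0.3.4'
param onPremPrefix string = '192.168.0.0/16'
param vnetPrefix string = '10.0.0.0/16'

// One route table per subnet role.
// Forward path: workload -> ILB -> firewall -> vMX -> on-prem.
// Return path:  on-prem -> vMX -> ILB -> firewall -> workload, so the reply
// is inspected by the firewall pool instead of bypassing it.
var tables = [
  {
    name: 'rt-workload'
    routes: [ { name: 'onprem-via-fw', prefix: onPremPrefix, nextHop: ilbFrontendIp } ]
  }
  {
    name: 'rt-firewall'
    routes: [ { name: 'onprem-via-vmx', prefix: onPremPrefix, nextHop: vmxIp } ]
  }
  {
    name: 'rt-vmx'
    routes: [ { name: 'vnet-via-fw', prefix: vnetPrefix, nextHop: ilbFrontendIp } ]
  }
]

resource routeTables 'Microsoft.Network/routeTables@2023-04-01' = [for t in tables: {
  name: t.name
  location: location
  properties: {
    // Stop BGP/SD-WAN learned routes from overriding the firewall path on these subnets.
    disableBgpRoutePropagation: true
    routes: [for r in t.routes: {
      name: r.name
      properties: {
        addressPrefix: r.prefix
        nextHopType: 'VirtualAppliance'
        nextHopIpAddress: r.nextHop
      }
    }]
  }
}]
```

Each table still has to be associated with its subnet, and the firewall-side source and destination NAT that the answer describes for on-prem-initiated flows is PAN-OS configuration, not part of this template.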