How to secure outbound traffic from Azure?


L1 Bithead

This question might sound stupid but I'm banging my head against the wall trying to figure out how to make this work and I cannot find any documentation anywhere on this website that answers this (simple) question.

 

I'm trying to set up a VM-Series Palo Alto firewall in Azure, to secure outbound (not inbound) traffic from my Azure virtual machines to the internet.

 

I've already deployed the VM Series Firewall according to these instructions here - Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template) (paloaltonetworks.com) - right through to the end.

 

I added a load balancer that sits in front of the virtual machine's trust interface, and set a route in the Route Table for the subnets my virtual machines are running on to direct 0.0.0.0/0 traffic to this load balancer's front end. Everything I've read to date says this is how to get outbound traffic to go through the firewall.

 

But when I do this, all my connectivity just breaks. I can't make any outbound connections at all. I added a basic rule to whitelist/allow all traffic in the firewall just to test that the traffic is getting forwarded correctly, but still, nothing works. I tried looking at the firewall logs, but my outbound requests aren't even showing up as going to the firewall at all (logs are completely empty). Is there some additional configuration I'm supposed to do in the Palo Alto PAN-OS interface to make this work, and if so, what the heck is it? I can't find any documentation anywhere that says what I'm actually supposed to do.


L4 Transporter

@PepsiEComm Looks like your load balancer is not operational. Have you configured routes for 168.63.129.16/32 on a separate VR pointing towards the internal interface or to the gateway of the load balancer subnet *.*.*.1? 168.63.129.16 is used by the Azure LB and the firewall should allow it. Also, the LB will be using port 22 for health checks.



Have you configured routes for 168.63.129.16/32 on a separate VR pointing towards the internal interface or to the gateway of the load balancer subnet *.*.*.1? 168.63.129.16 is used by the Azure LB and the firewall should allow it. Also, the LB will be using port 22 for health checks.

I don't really understand this - does there need to be a route configured to 168.63.129.16/32 on the Palo Alto side, or in the load balancer in Azure? If it's on a separate VR, how would I get the original VR to work? I'm very confused.

L1 Bithead

I think he was suggesting that traffic was not being forwarded by your internal Load Balancer (LB) to the firewall(s). The LB should be configured with the Palo Altos in a backend pool and sending traffic to them if they are 'up', which is determined by the LB sending a health probe on port 22. Check the insights/metrics on the LB to see if health probe status is 100%. If not, investigate what is blocking the probe.

Forgot to say that the 'source' of the health probes is 168.63.129.16/32. Check the NSGs on your Palo Alto NICs and, if applicable, your subnets to see if this is allowed. Best practice is to use the source tag 'AzureLoadBalancer' instead of the IP for your NSG rule.

L1 Bithead

The load balancer is set up with port 22 as the health check, the IP address is correct and everything is in the same virtual network, there is no NSG on the Palo Alto interfaces, yet the health probe is coming back unhealthy.

 

Is there any configuration I have to do inside the Palo Alto VM to make it accept connections? Is there some resource I can use to figure this out other than having to read a 66-page manual?

That page talks about inbound traffic; my use case for Palo Alto is to have a firewall for outbound traffic only.

Do you have two VRs?

 

In summary, this is how it works:

 

VR-INT

point a route for 168.63.129.16 towards the internal interface

point routes for the internal networks of the vnet/subnets towards the internal interface

point the default route to VR-EXT

 

VR-EXT

point the default route to the external interface

point the internal routes to VR-INT

If hosting web servers, point a route to 168.63.129.16 towards the external interface for use by external load balancers (if using a load balancer on the external side and you have 2 Palos)

 

Assign a public IP in Azure to the external interface or use a NAT gateway

Set up NAT on the Palos

Set up the UDRs correctly

 

Hi @PepsiEComm ,

 

I would suggest you first carefully go over the whole document from @slashBack's link. In addition to that, I would also suggest checking the deployment guide from here - https://www.paloaltonetworks.com/resources/reference-architectures/azure

 

But let's take a step back. From your first post you mentioned you have followed the guide on how to deploy a single VM-Series FW in Azure. If you are deploying a standalone FW and not a redundant pair, why do you need an internal LB behind the trusted interface? You need a load balancer only if you plan to have two firewalls for resiliency.

 

If you do want to have two firewalls in a redundant pair (I don't want to call it HA, because there is no sync of config and sessions doing it this way) you need to follow the guides from the links above. The simple task of adding an LB to the deployment actually requires a couple of changes that are not mentioned in the steps you have followed:

- You need to configure an interface management profile to allow the FW dataplane interface to respond to LB probes

- You need to add a static route for 168.63.129.16 pointing to the trust interface, so the firewall can return the traffic in the correct direction
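An added Python model (not code from the thread or from Palo Alto Networks) of the VR-INT / VR-EXT split slashBack describes and the 168.63.129.16 static route aleksandar.astardzhiev lists. It performs longest-prefix-match lookups across the two virtual routers and shows why, without that /32 on VR-INT, the probe reply leaves via the untrust interface and the LB marks the firewall unhealthy. The interface names ethernet1/1 (untrust) and ethernet1/2 (trust) and the 10.0.0.0/16 vnet range are assumptions.

```python
import ipaddress

AZURE_LB_PROBE_SRC = "168.63.129.16"            # Azure health-probe source (from the thread)
UNTRUST, TRUST = "ethernet1/1", "ethernet1/2"    # assumed interface names
VNET = "10.0.0.0/16"                             # constructed vnet range

class VirtualRouter:
    """Minimal longest-prefix-match table. A next hop is an interface name
    or ("vr", <name>), standing in for a PAN-OS next-VR static route."""
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [(net, nh) for net, nh in self.routes if addr in net]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def build_vrs(with_probe_route):
    """Build the two-VR layout; the /32 probe route on VR-INT is the piece
    the original deployment in the thread was missing."""
    vr_int = [(VNET, TRUST),                     # vnet subnets -> internal interface
              ("0.0.0.0/0", ("vr", "VR-EXT"))]   # default -> VR-EXT
    if with_probe_route:
        vr_int.append((AZURE_LB_PROBE_SRC + "/32", TRUST))
    vr_ext = [("0.0.0.0/0", UNTRUST),            # default -> external interface
              (VNET, ("vr", "VR-INT"))]          # internal routes -> VR-INT
    return {"VR-INT": VirtualRouter(vr_int), "VR-EXT": VirtualRouter(vr_ext)}

def egress_interface(vrs, start_vr, dst, max_hops=4):
    """Resolve dst to an egress interface, following next-VR hand-offs.
    max_hops bounds the walk so a misconfigured VR pair cannot loop forever."""
    vr = start_vr
    for _ in range(max_hops):
        nh = vrs[vr].lookup(dst)
        if nh is None:
            return None
        if isinstance(nh, tuple):                # ("vr", name): hand off to other VR
            vr = nh[1]
            continue
        return nh
    return None

if __name__ == "__main__":
    for fixed in (False, True):
        vrs = build_vrs(fixed)
        print("with /32 route" if fixed else "without /32 route",
              "| probe reply via", egress_interface(vrs, "VR-INT", AZURE_LB_PROBE_SRC),
              "| VM to internet via", egress_interface(vrs, "VR-INT", "8.8.8.8"))
```

The probe arrives on the trust interface, so VR-INT routes the reply; only the fixed table sends it back out ethernet1/2, which is what the LB needs to mark the backend healthy.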

 

 


@aleksandar.astardzhiev wrote:

Hi @PepsiEComm ,

 

I would suggest you first carefully go over the whole document from @slashBack's link. In addition to that, I would also suggest checking the deployment guide from here - https://www.paloaltonetworks.com/resources/reference-architectures/azure

 

But let's take a step back. From your first post you mentioned you have followed the guide on how to deploy a single VM-Series FW in Azure. If you are deploying a standalone FW and not a redundant pair, why do you need an internal LB behind the trusted interface? You need a load balancer only if you plan to have two firewalls for resiliency.

 

If you do want to have two firewalls in a redundant pair (I don't want to call it HA, because there is no sync of config and sessions doing it this way) you need to follow the guides from the links above. The simple task of adding an LB to the deployment actually requires a couple of changes that are not mentioned in the steps you have followed:

- You need to configure an interface management profile to allow the FW dataplane interface to respond to LB probes

- You need to add a static route for 168.63.129.16 pointing to the trust interface, so the firewall can return the traffic in the correct direction


 


I'm using a load balancer because that's what the guide said under Step 8:

  • Gateway
    —Deploy a third-party load balancer in front of the UnTrust zone.

Is there a simpler way to do this if you only have one firewall instance and have no need for load balancing or HA?

 

I just tried setting the Azure route table to skip the load balancer step entirely, to just send traffic directly to the IP address of the Trust interface, as well as trying it again going direct to the IP address of the Untrust interface, and there's still the same problem: nothing routes and nothing shows up in the traffic logs.

 

Is there a quick start guide like this one - https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/set-up-the-vm-series-firewall-o... - for this topic? I'm not trying to do rocket science here, just literally trying to get an Azure virtual machine to use the firewall for outbound traffic.

Hi Pepsi EComm,

I have the same problem as you. I have configured the route table, and I have configured everything related to my Palo Alto. But I have no way to make the outgoing traffic from my VMs go through the firewall.

Did you manage to solve this problem?

Thank you very much in advance.

Best regards
