09-15-2022 01:04 PM
This question might sound stupid but I'm banging my head against the wall trying to figure out how to make this work and I cannot find any documentation anywhere on this website that answers this (simple) question.
I'm trying to set up a VM-Series Palo Alto firewall in Azure, to secure outbound (not inbound) traffic from my Azure virtual machines to the internet.
I've already deployed the VM Series Firewall according to these instructions here - Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template) (paloaltonetworks.com) - right through to the end.
I added a load balancer that sits in front of the virtual machine's trust interface, and set a route in the Route Table for the subnets my virtual machines are running on to direct 0.0.0.0/0 traffic to this load balancer's front end. Everything I've read to date says this is how to get outbound traffic to go through the firewall.
But when I do this, all my connectivity just breaks. I can't make any outbound connections at all. I added a basic rule to whitelist/allow all traffic in the firewall just to test that the traffic is getting forwarded correctly, but still, nothing works. I tried looking at the firewall logs, but my outbound requests aren't even showing up as going to the firewall at all (logs are completely empty). Is there some additional configuration I'm supposed to do in the Palo Alto PAN-OS interface to make this work, and if so, what the heck is it? I can't find any documentation anywhere that says what I'm actually supposed to do.
09-16-2022 12:31 PM
@PepsiEComm Looks like your load balancer is not operational. Have you configured routes for 168.63.129.16/32 on a separate VR pointing towards the internal interface or to the gateway of the load balancer subnet (*.*.*.1)? 168.63.129.16 is used by the Azure LB and the firewall should allow it. Also, the LB will be using port 22 for health checks.
10-03-2022 09:41 AM
Have you configured routes for 168.63.129.16/32 on a separate VR pointing towards the internal interface or to the gateway of the load balancer subnet (*.*.*.1)? 168.63.129.16 is used by the Azure LB and the firewall should allow it. Also, the LB will be using port 22 for health checks.
I don't really understand this - does there need to be a route configured to 168.63.129.16/32 on the Palo Alto side, or in the load balancer in Azure? If it's on a separate VR, how would I get the original VR to work? I'm very confused.
10-04-2022 06:53 AM
I think he was suggesting that traffic was not being forwarded by your internal Load Balancer (LB) to the firewall(s). The LB should be configured with the Palo Altos in a backend pool and sending traffic to them if they are 'up', which is determined by the LB sending a health probe on port 22. Check the insights/metrics on the LB to see if health probe status is 100%. If not, investigate what is blocking the probe.
10-04-2022 06:57 AM
Forgot to say that the 'source' of the health probes is 168.63.129.16/32. Check your NSGs on your Palo Alto NICs and, if applicable, your subnets to see if this is allowed. Best practice is to use the source tag 'AzureLoadBalancer' instead of the IP for your NSG rule.
10-07-2022 09:21 AM
The load balancer is set up with port 22 as the health check, the IP address is correct and everything is in the same virtual network, there is no NSG on the Palo Alto interfaces, yet the health probe is coming back unhealthy.
Is there any configuration I have to do inside palo alto VM to make it accept connections? Is there some resource I can use to figure this out other than having to read a 66 page manual??
10-07-2022 10:05 AM
That page talks about inbound traffic; my use case for Palo Alto is to have a firewall for outbound traffic only.
10-08-2022 10:54 PM
Do you have two VRs?
In summary, this is how it works:
VR-INT
- point a route for 168.63.129.16 towards the internal interface
- point routes for the internal networks of the VNet/subnets towards the internal interface
- point the default route to VR-EXT
VR-EXT
- point the default route to the external interface
- point internal routes to VR-INT
- if hosting web servers, point a route to 168.63.129.16 towards the external interface for use by external load balancers (if using a load balancer on the external side and you have 2 Palos)
Assign a public IP in Azure to the external interface or use a NAT gateway
Set up NAT on the Palos
Set up UDRs correctly
10-09-2022 09:10 AM
Hi @PepsiEComm ,
I would suggest you first carefully go over the whole document from @slashBack's link. In addition to that, I would also suggest checking the deployment guide from here - https://www.paloaltonetworks.com/resources/reference-architectures/azure
But let's take a step back. In your first post you mentioned you followed the guide on how to deploy a single VM-Series FW in Azure. If you are deploying a standalone FW and not a redundant pair, why do you need an internal LB behind the trusted interface? You need a load balancer only if you plan to have two firewalls for resiliency.
If you do want to have two firewalls in a redundant pair (I don't want to call it HA, because there is no sync of config and sessions doing it this way), you need to follow the guides from the links above. The simple task of adding an LB to the deployment actually requires a couple of changes that are not mentioned in the steps you have followed:
- You need to configure an interface management profile to allow the FW dataplane interface to respond to LB probes
- You need to add a static route for 168.63.129.16 pointing to the trust interface, so the firewall can return the probe traffic in the correct direction
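The two changes above, together with the VR-INT/VR-EXT route summary from the earlier reply, as PAN-OS configure-mode commands. This is an added example and not configuration from this thread or from Palo Alto's guides; interface names, zone names, VR names and every address are constructed assumptions (ethernet1/1 = untrust in subnet 10.0.1.0/24 with Azure gateway 10.0.1.1, ethernet1/2 = trust in subnet 10.0.2.0/24 with Azure gateway 10.0.2.1, VNet 10.0.0.0/16), and the command syntax assumes a PAN-OS 9.x/10.x CLI.

```panos
# Added example, not from this thread. Assumed layout:
#   ethernet1/1 = untrust, subnet 10.0.1.0/24, Azure gateway 10.0.1.1
#   ethernet1/2 = trust,   subnet 10.0.2.0/24, Azure gateway 10.0.2.1
#   VNet = 10.0.0.0/16; zones "trust" and "untrust" already bound to the interfaces
configure

# 1. Let the trust dataplane interface answer the Azure LB health probe
#    (TCP/22 from 168.63.129.16). Limiting permitted-ip to the probe source
#    keeps dataplane SSH closed to anything else.
set network profiles interface-management-profile azure-lb-probe ssh yes
set network profiles interface-management-profile azure-lb-probe permitted-ip 168.63.129.16/32
set network interface ethernet ethernet1/2 layer3 interface-management-profile azure-lb-probe

# 2. VR-INT: probe replies and VNet-bound traffic return via the trust
#    interface; everything else is handed to VR-EXT.
set network virtual-router VR-INT interface [ ethernet1/2 ]
set network virtual-router VR-INT routing-table ip static-route azure-lb-probe destination 168.63.129.16/32 interface ethernet1/2 nexthop ip-address 10.0.2.1
set network virtual-router VR-INT routing-table ip static-route vnet destination 10.0.0.0/16 interface ethernet1/2 nexthop ip-address 10.0.2.1
set network virtual-router VR-INT routing-table ip static-route default destination 0.0.0.0/0 nexthop next-vr VR-EXT

# 3. VR-EXT: default route to the Azure gateway of the untrust subnet,
#    internal prefixes back to VR-INT.
set network virtual-router VR-EXT interface [ ethernet1/1 ]
set network virtual-router VR-EXT routing-table ip static-route default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 10.0.1.1
set network virtual-router VR-EXT routing-table ip static-route vnet destination 10.0.0.0/16 nexthop next-vr VR-INT

# 4. Source-NAT outbound sessions to the untrust interface address (the one
#    carrying the Azure public IP) and allow them, logging at session end so
#    the sessions appear in the Traffic log.
set rulebase nat rules outbound-snat from trust to untrust source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1
set rulebase security rules allow-outbound from trust to untrust source any destination any application any service application-default action allow log-end yes

commit
```

On the Azure side this pairs with what the replies above already describe: a UDR of 0.0.0.0/0 with next hop type Virtual Appliance pointing at the internal LB front-end IP (or, for a standalone firewall with no LB, at the trust interface's private IP, in which case steps 1 and the 168.63.129.16 route are not needed), and an NSG rule on the trust NIC or subnet allowing TCP/22 from the AzureLoadBalancer service tag. Once the probe shows healthy in the LB metrics, sessions hitting the allow-outbound rule are the first thing to look for in Monitor > Traffic.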
10-11-2022 03:13 PM - edited 10-11-2022 03:30 PM
@aleksandar.astardzhiev wrote:
Hi @PepsiEComm ,
I would suggest you first carefully go over the whole document from @slashBack's link. In addition to that, I would also suggest checking the deployment guide from here - https://www.paloaltonetworks.com/resources/reference-architectures/azure
But let's take a step back. In your first post you mentioned you followed the guide on how to deploy a single VM-Series FW in Azure. If you are deploying a standalone FW and not a redundant pair, why do you need an internal LB behind the trusted interface? You need a load balancer only if you plan to have two firewalls for resiliency.
If you do want to have two firewalls in a redundant pair (I don't want to call it HA, because there is no sync of config and sessions doing it this way), you need to follow the guides from the links above. The simple task of adding an LB to the deployment actually requires a couple of changes that are not mentioned in the steps you have followed:
- You need to configure an interface management profile to allow the FW dataplane interface to respond to LB probes
- You need to add a static route for 168.63.129.16 pointing to the trust interface, so the firewall can return the probe traffic in the correct direction
I'm using a load balancer because that's what the guide said under Step 8:
Is there a simpler way to do this if you only have one firewall instance and have no need for load balancing or HA?
I just tried setting the Azure route table to skip the load balancer step entirely, to just send traffic directly to the IP address of the Trust interface as well as trying it again to go direct to the IP address of the Untrust interface and there's still the same problem, nothing routes and nothing shows up in the traffic logs.
Is there a quick start guide like this one - https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/set-up-the-vm-series-firewall-o... - for this topic? I'm not trying to do rocket science here, just literally trying to get an Azure virtual machine to use the firewall for outbound traffic.
05-15-2023 04:41 AM
Hi Pepsi EComm,
I have the same problem as you. I have configured the route table, and I have configured everything related to my Palo Alto, but I have no way to make the outgoing traffic from my VMs go through the firewall.
Did you manage to solve this problem?
Thank you very much in advance.
Best regards