PA Azure no public traffic ingressing

L5 Sessionator

Hi Team,

I've set up a public load balancer, with its respective backend pool pointing to the firewalls' untrust interfaces and a test load balancing rule, but no matter what, nothing is ingressing on our public interface! The weird thing is, the firewall's untrust interface also has a public IP attached to it, and I'm not seeing any generic scanner traffic ingressing on the untrust interface either?

I can ping from the outside interface to Google, and VMs within trust can also get out to the internet, so return traffic is working. The health probe status is also 100 for both firewalls. No NSGs attached.

Help!

L4 Transporter

Did you attach an NSG to the Untrust interface?  When you assign a PIP to the interface an NSG is required even if it allows all traffic.

L5 Sessionator

Hey @jmeurer 

Didn't originally, since I thought no NSG meant allow all. I've applied an allow-all one to the untrust interface now and I'm seeing traffic that's hitting the Palo's untrust public IP, but not the public IP of the load balancer. Any ideas?

L4 Transporter

Are you seeing the Health probe traffic?  Azure's LB does not easily report pool member status, you have to go to Metrics.  The easiest way to determine if the Health Probes are working is to ensure you see the traffic in the FW Monitor/Session Browser and ensure it is completing.  

L5 Sessionator

Looking at the metrics, both firewalls are showing as 100% healthy.

The traffic is now coming from outside -> into the load balancer -> into the firewall -> we are sending it from the firewall to the test web server but if we do a pcap on the test web server, it doesn't see anything.

L4 Transporter

Assuming your SNAT/DNAT rules are correct, routes in the firewall send the traffic through the proper interface to get to the internal site, and Azure route tables and NSGs are all correct, I believe you are at the point of reaching out to your Account SE and Support for further eyes on console diagnostics.

L0 Member

We ran into this very same issue.  The solution for us was to enable the "Floating IP" in the "load balancing rules" section in Azure.
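The two misconfigurations this thread turned up (a public IP on the untrust NIC with no NSG, and a load balancing rule without Floating IP) are easy to audit offline from exported JSON. The following checker is an added example, not code from the thread or from Palo Alto Networks; it assumes the camelCase field names the az CLI emits for `az network lb rule list` and `az network nic show` (both the CLI and ARM spellings are accepted), and runs over constructed sample data.

```python
"""Offline audit of Azure LB rule and firewall NIC JSON for the two issues
discussed in the thread. Sample data below is constructed; the field names
are assumed to match az CLI output (ARM spellings are accepted as well)."""
import json


def _get(d, *keys):
    # Tolerate both az CLI ("enableFloatingIp") and ARM ("enableFloatingIP").
    for k in keys:
        if k in d:
            return d[k]
    return None


def audit_lb_rules(rules):
    """Return names of load balancing rules with Floating IP disabled.
    Without it the LB rewrites the destination to the NIC's private IP,
    so DNAT policy keyed on the LB frontend address never matches."""
    return [r["name"] for r in rules
            if not _get(r, "enableFloatingIp", "enableFloatingIP")]


def audit_nics(nics):
    """Return NIC names that carry a public IP but have no NSG attached;
    as noted in the thread, an NSG is required on such an interface."""
    flagged = []
    for nic in nics:
        has_pip = any(_get(c, "publicIpAddress", "publicIPAddress")
                      for c in nic.get("ipConfigurations", []))
        if has_pip and not nic.get("networkSecurityGroup"):
            flagged.append(nic["name"])
    return flagged


# Constructed sample: one rule without Floating IP, one untrust NIC without NSG.
SAMPLE_RULES = json.loads("""[
 {"name": "web-443", "frontendPort": 443, "backendPort": 443,
  "protocol": "Tcp", "enableFloatingIp": false},
 {"name": "web-80", "frontendPort": 80, "backendPort": 80,
  "protocol": "Tcp", "enableFloatingIp": true}]""")
SAMPLE_NICS = json.loads("""[
 {"name": "fw1-untrust", "networkSecurityGroup": null,
  "ipConfigurations": [{"publicIpAddress": {"id": "/placeholder/pip-fw1"}}]},
 {"name": "fw2-untrust", "networkSecurityGroup": {"id": "/placeholder/nsg-allow-all"},
  "ipConfigurations": [{"publicIpAddress": {"id": "/placeholder/pip-fw2"}}]}]""")

if __name__ == "__main__":
    print("rules without Floating IP:", audit_lb_rules(SAMPLE_RULES))
    print("NICs with public IP but no NSG:", audit_nics(SAMPLE_NICS))
```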
