PA Azure no public traffic ingressing

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

PA Azure no public traffic ingressing

L5 Sessionator

Hi Team,


I've set up a public load balancer, with its respective backend pool pointing to the firewalls untrust interfaces and a test load balancing rule, but no matter what, nothing is ingressing on our public interface! The weird thing is, the untrust interface the firewall has, also has a public IP attached to it, and I'm not seeing any generic scanner traffic ingressing on the untrust interface either?


I can ping from the outside interface to google, and vms within trust can also get out to the internet, so return traffic is working. The health probe status is also 100 for both firewalls. No NSGs attached.




L4 Transporter

Did you attach an NSG to the Untrust interface?  When you assign a PIP to the interface an NSG is required even if it allows all traffic.

Hey @jmeurer 


Didn't originally since I thought no NSG meant allow all. I've applied an allow-all one to the untrust interface now and I'm seeing traffic thats hitting the palos untrust public IP. but not the public ip of the load balancer, any ideas?

Are you seeing the Health probe traffic?  Azure's LB does not easily report pool member status, you have to go to Metrics.  The easiest way to determine if the Health Probes are working is to ensure you see the traffic in the FW Monitor/Session Browser and ensure it is completing.  

Looking at the metrics, both firewalls are showing as 100% healthy.


The traffic is now coming from outside -> into the load balancer -> into the firewall -> we are sending it from the firewall to the test web server but if we do a pcap on the test web server, it doesn't see anything.

Assuming your SNAT/DNAT rules are correct, routes in the firewall send the traffic through proper interface to get to the internal site, Azure route tables and NSGs all correct, I believe you are at the point of reaching out to you Account SE and Support for further eyes on console diagnostics.

We ran into this very same issue.  The solution for us was to enable the "Floating IP" in the "load balancing rules" section in Azure.

  • 6 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!