- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
10-31-2019 04:34 AM
Hi Team,
I've set up a public load balancer, with its respective backend pool pointing to the firewalls untrust interfaces and a test load balancing rule, but no matter what, nothing is ingressing on our public interface! The weird thing is, the untrust interface the firewall has, also has a public IP attached to it, and I'm not seeing any generic scanner traffic ingressing on the untrust interface either?
I can ping from the outside interface to google, and vms within trust can also get out to the internet, so return traffic is working. The health probe status is also 100 for both firewalls. No NSGs attached.
Help!
10-31-2019 05:30 AM
Hey @jmeurer
Didn't originally since I thought no NSG meant allow all. I've applied an allow-all one to the untrust interface now and I'm seeing traffic thats hitting the palos untrust public IP. but not the public ip of the load balancer, any ideas?
10-31-2019 05:42 AM
Are you seeing the Health probe traffic? Azure's LB does not easily report pool member status, you have to go to Metrics. The easiest way to determine if the Health Probes are working is to ensure you see the traffic in the FW Monitor/Session Browser and ensure it is completing.
10-31-2019 06:53 AM - edited 10-31-2019 06:54 AM
Looking at the metrics, both firewalls are showing as 100% healthy.
The traffic is now coming from outside -> into the load balancer -> into the firewall -> we are sending it from the firewall to the test web server but if we do a pcap on the test web server, it doesn't see anything.
10-31-2019 07:02 AM
Assuming your SNAT/DNAT rules are correct, routes in the firewall send the traffic through proper interface to get to the internal site, Azure route tables and NSGs all correct, I believe you are at the point of reaching out to you Account SE and Support for further eyes on console diagnostics.
06-18-2020 05:24 AM
We ran into this very same issue. The solution for us was to enable the "Floating IP" in the "load balancing rules" section in Azure.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!