Palo Alto VM 300 behind AWS ELB with public HTTPS traffic forwarded to it

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Palo Alto VM 300 behind AWS ELB with public HTTPS traffic forwarded to it

L0 Member


my existing environment have a nearly 20 AWS load balancers which are public facing, now I want to implement Palo Alto VM 300 behind this ELBs, and monitor and trasalate the traffic to the backend instances. 


I've tested this requirement with one load balacners, however when I'm adding my second load balancer, the port trasalation is not working as expected.


Secondly I also have some classic load balacners which are required to send the traffic to the VM 300, as per the Palo Alto knowledge base, we have to do only the interface swapping in the AWS environment for the CLassic ELB, however its not working,


Any help appreciated




L4 Transporter

In order to bring multiple applications through the firewalls, you need to differentiate them in someway.  You can either consider adding secondary IPs to the Untrust ENI and have the Load Balancers target the individual IPs if using ALB or NLB or use PAT to use a port per app on the Untrust interface which will be necessary Instance targeting LBs.  You then configure the NAT rules per app to destination translate the Untrust port to the application server port with the source translated to the Trust Interface.



LB1:443 -> Untrust:1443 -> App1:443

LB2:443 -> Untrust:2443 -> App2:443


Have a look Autoscale v2.0 model currently in Beta utilizing the method.


To Answer your interface swap question, whenever you use an Instance as a target on any of the load balancers, you need to perform Interface Swap on the Firewalls.  Instance targeting only supports ETH0.  If you use IP address targeting, then you can select the correct IP if Inteface Swap is not implemented.



L5 Sessionator



To start we need to a bit more about your configuration and topology. You mention 20 load balancers and also some classic load balancers also. just from that statement I am assuming the 20 AWS load balancers are all ALB is this correct? Are all these load balancers in the same AZ? Can you provide a detail of your architecture so we can understand what you are lookingn to accomplish?

Also when you say you are not receiving the expecfted behavior, please elaborate on what type of behavior you are receiving?

What is the difference in the traffic source per load balancer? 

Also the ethernet swap must happen whether using Application LB's or Classic LB's because Dataplane traffic has to be received on Eth0.

See link below for Details.



Management Interface Mapping for Use with Amazon ELB


Just off the top of my head you have to be sure to select the appropriate subnet for the firewall eth0 BUT the eth0 interface has to be swapped. 

Also how are you swapping the ENI's?

Please answer these questions and provide a diagram of what you are looking to accomplish as well. Once I receive that I can take a look at it and we can go from there. Thanks Nithin.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!