Public Inbound Traffic not hitting the firewall

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Public Inbound Traffic not hitting the firewall

L1 Bithead

Hi Team, I have set-up a Palo Alto appliance in Azure and i am trying to allow public access (RDP) to a server in Azure via the firewall. Here's what I have done:

  1. Attached a public IP to the Untrust interface of the Firewall (NSG attached to allow all traffic)
  2. Defined this Public IP in Untrust ethernet in the firewall
  3. Defined a NAT and security policy to allow natting to the private IP and these are correct (tested via GUI and SSH)

Now, the issue is when I try to RDP to the public IP, the traffic is not even hitting the firewall. Need urgent help on this. 




L2 Linker

The public IP should not be defined on the firewall.  The firewall interfaces should be configured for DHCP and have static assignments from the trust/untrust VNETS.


You can optionally have the firewall learn the default route via DHCP or configure it statically.

L0 Member
Ensure that the protocol is set to TCP not UDP. Confirm the TCP port is 3389.

I have this set-up in HA, if I enable DHCP, I cannot define IPs there in the interface.

It is set to any at this point. So, I don't think that should be the issue.

Traditional HA is not typically the preferred solution for high availability in the cloud.


That said, even with a traditional HA config, the public IP is not configured on the firewall.  The interface IP addresses are from the directly connected subnets, including the IP that acts as the "floating" IP when the firewalls fail over.


The "floating" IP is a private/static IP defined in azure and configured as a secondary interface IP on the firewall.  A public IP is then associated with this "floating" private IP in Azure.

Got the trick. Although the way I defined the Public IP was correct. The Palo does not see the traffic with PIP, I changed the NAT and security policy to land to the Private IP on which the Public was defined and it worked.

That is correct.  The only time, I recall, that the firewall will see the original, un-translated public destination IP is when you front end the firewall with a public standard load balancer and enable the "floating IP" option.  In that configuration, you do reference the public IP associated with the load balancer in the NAT policy of the firewall.


It wasn't clear from your original post that you were attempting to use the public IP in your NAT rule so sorry for that assumption on my part.


When you associate a public IP to a private IP in Azure it handles the NAT.  That is why you don't need a public IP configured on the management interface of the firewall, just like you don't need a public IP configured on the un-trust interface.

  • 7 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!