06-13-2020 10:32 AM
Hi Team, I have set-up a Palo Alto appliance in Azure and i am trying to allow public access (RDP) to a server in Azure via the firewall. Here's what I have done:
Now, the issue is when I try to RDP to the public IP, the traffic is not even hitting the firewall. Need urgent help on this.
06-13-2020 12:00 PM
The public IP should not be defined on the firewall. The firewall interfaces should be configured for DHCP and have static assignments from the trust/untrust VNETS.
You can optionally have the firewall learn the default route via DHCP or configure it statically.
06-13-2020 12:50 PM
06-13-2020 12:51 PM
It is set to any at this point. So, I don't think that should be the issue.
06-13-2020 03:14 PM
Traditional HA is not typically the preferred solution for high availability in the cloud.
That said, even with a traditional HA config, the public IP is not configured on the firewall. The interface IP addresses are from the directly connected subnets, including the IP that acts as the "floating" IP when the firewalls fail over.
The "floating" IP is a private/static IP defined in azure and configured as a secondary interface IP on the firewall. A public IP is then associated with this "floating" private IP in Azure.
06-14-2020 01:09 AM
Got the trick. Although the way I defined the Public IP was correct. The Palo does not see the traffic with PIP, I changed the NAT and security policy to land to the Private IP on which the Public was defined and it worked.
06-14-2020 08:36 AM
That is correct. The only time, I recall, that the firewall will see the original, un-translated public destination IP is when you front end the firewall with a public standard load balancer and enable the "floating IP" option. In that configuration, you do reference the public IP associated with the load balancer in the NAT policy of the firewall.
It wasn't clear from your original post that you were attempting to use the public IP in your NAT rule so sorry for that assumption on my part.
When you associate a public IP to a private IP in Azure it handles the NAT. That is why you don't need a public IP configured on the management interface of the firewall, just like you don't need a public IP configured on the un-trust interface.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!