Issue with Cisco FTDv with Azure Gateway Load Balancer

Raviraj Velankar 91 Reputation points
2023-04-18T18:25:41.62+00:00

I have the following query/concern about a Cisco FTDv (Firepower Threat Defense virtual firewall) implementation in Azure with an Azure Gateway Load Balancer design.

Context - In the following design, the Cisco firewalls (virtual appliances) are deployed as a VM scale set and are configured as the backend pool of the Azure Gateway LB. Communication between the Azure GWLB and the Cisco firewalls is based on VXLAN tunnels. The Azure GWLB is associated/configured with the Azure External LB public front end, hence inbound/outbound traffic from the Azure External LB is transparently forwarded to the Azure GWLB and then to the Cisco FTDv for inspection. We need to configure an outbound rule in the Ext LB to route outbound Internet traffic from the internal VMs towards the Internet. There is an issue with outbound traffic from the internal VMs (configured as the backend pool of the Azure External LB).

Actual Issue - Since the Azure Ext LB is doing source NAT of the outbound traffic from the VMs and then transparently forwarding that traffic to the Azure GWLB and then to the Cisco FW for inspection, the Cisco FWs will only be able to see the Azure External LB public IP as the source IP, and not the actual private IP of the VM server. Please note - the Cisco FTDv deployed with this design does not have a specific interface with a public IP address (except the Mgmt interface), so we cannot configure source NAT on the Cisco FW instead of the Azure Ext LB and point outbound Internet traffic directly to the Azure GWLB frontend IP address. Is there any way or alternate solution with this GWLB design so that the Cisco firewalls are able to see the original private IP of the VM servers, or is this not feasible? I would appreciate a quick response or an alternate solution if any. Thanks.


1 answer

  1. KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee
    2023-04-19T05:24:19.89+00:00

    @Raviraj Velankar

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    You have shared the diagram of incoming traffic; however, I believe you are referring to the below instead.

    Your observation is correct. Outbound traffic would use the Ext LB's Public IP and the NVA Appliances would see the Public IP of the Ext LB. This is an expected behavior and is by design. Unfortunately, we cannot override this.

    However, if you go to Gateway Load Balancer partners and select CISCO,

    • We arrive at a How-to Wiki from CISCO.
    • It appears they are aware of this behavior and have still configured the outbound use case.
    • So I would recommend you check the CISCO documentation on how this is done and whether your specific OS supports this or not.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
