There could be a variety of reasons for this:
1 - You often need to enable IP forwarding on the network interface card (NIC) to allow the virtual appliance to receive and forward traffic that is not destined for itself.
2 - Even if the GWLB is tied to the external interface, it's a good idea to double-check its configuration against the backend address pool of the GWLB.
3 - For inbound traffic, Azure first processes the rules in a network security group associated with the subnet, if one exists, so you also need to allow the inbound traffic in the subnet's NSG.
You can check the official doc, reference below: https://docs.paloaltonetworks.com/vm-series/11-0/vm-series-deployment/set-up-the-vm-series-firewall-on-azure/deploy-the-vm-series-firewall-with-the-azure-gwlb
The init-cfg.txt file is required to bootstrap the VM-Series firewall. It provides the basic information the firewall needs to connect to your network. The init-cfg.txt file in the bootstrap folder includes the following information.
- To deploy the solution with default ports:
plugin-op-commands=azure-gwlb-inspect:enable
- To deploy the solution with custom ports, use the sample command in the init-cfg.txt file if the custom data field is used to define the VNI IDs and port information. You must define the internal and external VNI identifiers in the range of 800 to 1000.
plugin-op-commands=azure-gwlb-inspect:enable+internal-port-<internalport>+external-port-<externalport>+internal-vni-<internalvni>+external-vni-<externalvni>
If you choose to use custom ports, use these sample commands to configure the GWLB.
az network lb address-pool tunnel-interface add --resource-group <myResourceGroup> --lb-name <myGatewayLoadBalancer> --address-pool <myBackendPool> --type external --protocol vxlan --identifier <VNI> --port <port>
az network lb address-pool tunnel-interface add --resource-group <myResourceGroup> --lb-name <myGatewayLoadBalancer> --address-pool <myBackendPool> --type internal --protocol vxlan --identifier <VNI> --port <port>
If you do not bootstrap the firewall, the user data is used to configure the ports and VNI IDs. Use the following sample commands on the firewall CLI to enable or disable GWLB, configure custom ports and VNI IDs, and view GWLB status and port/VNI ID mapping.
request plugins vm_series azure gwlb inspect enable yes
request plugins vm_series azure gwlb parameters internal-port 2000 external-port 2001 internal-vni 800 external-vni 801
show plugins vm_series azure gwlb
Get in touch if you need more help with this issue.
--please don't forget to "[Accept the answer]" if the reply is helpful--
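A common cause of the problem described in the answer above is that the VNI/port values bootstrapped into the firewall and the tunnel interfaces configured on the GWLB backend pool do not match. The script below is an added example, not code from the original answer, from Palo Alto Networks or from Microsoft: it parses the plugin-op-commands line of an init-cfg.txt as documented in the quoted docs, checks the constraints the docs state (VNIs in 800 to 1000, internal and external values distinct, all four custom values present) and emits the two az CLI tunnel-interface commands that must carry the same values. The init-cfg.txt content, resource names and the use of a dedicated helper are constructed assumptions for illustration; the default port/VNI values are not given on this page, so nothing is generated for the default-port case.

```python
import re

# VNI range the Palo Alto docs quoted in the answer require for the GWLB tunnel interfaces
VNI_MIN, VNI_MAX = 800, 1000
PREFIX = "azure-gwlb-inspect:"
PARAM_KEYS = ("internal_port", "external_port", "internal_vni", "external_vni")

# Constructed sample init-cfg.txt (not taken from any real deployment); only the
# plugin-op-commands line matters here.
SAMPLE_INIT_CFG = """\
type=dhcp-client
hostname=vmseries-gwlb
plugin-op-commands=azure-gwlb-inspect:enable+internal-port-2000+external-port-2001+internal-vni-800+external-vni-801
"""


def parse_gwlb_params(init_cfg_text):
    """Extract the azure-gwlb-inspect settings from an init-cfg.txt body.

    Returns None when no azure-gwlb-inspect command is present, otherwise a dict
    with 'enable' (bool) and the four custom values (None when defaults are used).
    Several plugin-op-commands entries are comma separated in init-cfg.txt.
    """
    for raw in init_cfg_text.splitlines():
        line = raw.strip()
        if not line.startswith("plugin-op-commands="):
            continue
        for cmd in line.split("=", 1)[1].split(","):
            cmd = cmd.strip()
            if not cmd.startswith(PREFIX):
                continue
            parts = cmd[len(PREFIX):].split("+")
            params = {"enable": parts[0] == "enable"}
            params.update({k: None for k in PARAM_KEYS})
            for part in parts[1:]:
                m = re.fullmatch(r"(internal|external)-(port|vni)-(\d+)", part)
                if m is None:
                    raise ValueError("unrecognised azure-gwlb-inspect option: %r" % part)
                params["%s_%s" % (m.group(1), m.group(2))] = int(m.group(3))
            return params
    return None


def validate(params):
    """Return a list of problems; an empty list means the settings are usable."""
    problems = []
    if not params["enable"]:
        problems.append("azure-gwlb-inspect is not enabled")
    custom = [k for k in PARAM_KEYS if params[k] is not None]
    if custom and len(custom) != len(PARAM_KEYS):
        missing = ", ".join(k for k in PARAM_KEYS if params[k] is None)
        problems.append("custom mode needs all four values, missing: " + missing)
    for side in ("internal", "external"):
        vni, port = params[side + "_vni"], params[side + "_port"]
        if vni is not None and not VNI_MIN <= vni <= VNI_MAX:
            problems.append("%s-vni %d outside %d-%d" % (side, vni, VNI_MIN, VNI_MAX))
        if port is not None and not 1 <= port <= 65535:
            problems.append("%s-port %d is not a valid UDP port" % (side, port))
    vnis = (params["internal_vni"], params["external_vni"])
    ports = (params["internal_port"], params["external_port"])
    if None not in vnis and vnis[0] == vnis[1]:
        problems.append("internal and external VNI must differ")
    if None not in ports and ports[0] == ports[1]:
        problems.append("internal and external port must differ")
    return problems


def az_tunnel_interface_commands(params, resource_group, lb_name, pool_name):
    """Emit the two `az network lb address-pool tunnel-interface add` commands
    whose VNI/port must match what the firewall was bootstrapped with.
    Returns [] when the firewall uses default ports, since the defaults are not
    stated on this page and are not guessed here."""
    if any(params[k] is None for k in PARAM_KEYS):
        return []
    template = ("az network lb address-pool tunnel-interface add"
                " --resource-group {rg} --lb-name {lb} --address-pool {pool}"
                " --type {side} --protocol vxlan --identifier {vni} --port {port}")
    return [template.format(rg=resource_group, lb=lb_name, pool=pool_name, side=side,
                            vni=params[side + "_vni"], port=params[side + "_port"])
            for side in ("internal", "external")]


if __name__ == "__main__":
    p = parse_gwlb_params(SAMPLE_INIT_CFG)
    for problem in validate(p):
        print("PROBLEM:", problem)
    for cmd in az_tunnel_interface_commands(p, "myResourceGroup",
                                            "myGatewayLoadBalancer", "myBackendPool"):
        print(cmd)
```

Run it against the init-cfg.txt you actually bootstrapped with, then compare the printed commands with the tunnel interfaces on the GWLB backend pool; any difference in VNI or port between the two sides means the VXLAN tunnel never comes up, even when the NIC, backend pool membership and NSG are otherwise correct.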