I am not able to connect to the web admin page of my palo alto NVA from outside of Azure.

Steve Osterfoss 20 Reputation points
2023-10-09T19:53:11.9766667+00:00

I have a Palo Alto VM-Series firewall in my Azure subscription. I am not able to reach the public IP address of the management interface. Azure troubleshooter says that traffic from my IP to the public IP of the VM is allowed. The VM is powered on. I was able to connect to the web interface until I spun up an Azure gateway load balancer. The GWLB is tied to the external (untrust) interface of the Palo Alto, not to the Management interface that I am trying to connect to currently. I am missing some piece of the puzzle. (obviously)

What else could I check to help identify the issue? Any help is appreciated. Thank you.

Azure Load Balancer
An Azure service that delivers high availability and network performance to applications.

Accepted answer
    Jackson Martins 10,126 Reputation points MVP
    2023-10-09T20:08:11.6466667+00:00

    Hi @Steve Osterfoss

    There could be a variety of reasons for this:

    1 - You often need to enable IP forwarding on the network interface card (NIC) to allow the virtual appliance to receive and forward traffic that is not destined for itself.

    2 - Even if the GWLB is tied to the external interface, it's a good idea to double-check its configuration and the backend address pool of the GWLB.

    3 - For inbound traffic, Azure first processes the rules in a network security group associated with the subnet, if one exists, so you also need to allow the inbound traffic in the subnet's NSG.
    You can check the official doc.

    Reference below: https://docs.paloaltonetworks.com/vm-series/11-0/vm-series-deployment/set-up-the-vm-series-firewall-on-azure/deploy-the-vm-series-firewall-with-the-azure-gwlb

    The init-cfg.txt file is required to bootstrap the VM-Series firewall. It provides the basic information the firewall needs to connect to your network. The init-cfg.txt file in the bootstrap folder includes the following information.

    • To deploy the solution with default ports:
    plugin-op-commands=azure-gwlb-inspect:enable
    
    • To deploy the solution with custom ports, use the sample command in the init-cfg.txt file if custom data field is used to define the VNI IDs and port information. You must define the internal and external VNI identifiers in the range of 800 to 1000.
    plugin-op-commands=azure-gwlb-inspect:enable+internal-port-<internalport>+external-port-<externalport>+internal-vni-<internalvni>+external-vni-<externalvni>
    

    If you choose to use custom ports, use these sample commands to configure the GWLB.

    az network lb address-pool tunnel-interface add --resource-group <myResourceGroup> --lb-name <myGatewayLoadBalancer> --address-pool <myBackendPool> --type external --protocol vxlan --identifier <VNI> --port <port>
    
    az network lb address-pool tunnel-interface add --resource-group <myResourceGroup> --lb-name <myGatewayLoadBalancer> --address-pool <myBackendPool> --type internal --protocol vxlan --identifier <VNI> --port <port>
    
    

    If you do not bootstrap the firewall, the user data is used to configure the ports and VNI IDs. Use the following sample commands on the firewall CLI to enable or disable GWLB, configure custom ports and VNI IDs, and view GWLB status and port/VNI ID mapping.

    request plugins vm_series azure gwlb inspect enable yes
    request plugins vm_series azure gwlb parameters internal-port 2000 external-port 2001 internal-vni 800 external-vni 801
    show plugins vm_series azure gwlb
    

    Get in touch if you need more help with this issue.

    --please don't forget to "[Accept the answer]" if the reply is helpful--

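The accepted answer's points 1 and 3 come down to two checks: is IP forwarding enabled on the NICs that must forward traffic, and does the flow to the management port survive the subnet NSG before the NIC NSG even gets a say. The following is an added example, not code from the post or from Palo Alto Networks or Microsoft, that models Azure's inbound NSG evaluation order (subnet NSG first, then NIC NSG; within an NSG the lowest priority number that matches wins) over constructed rule sets. The rule dictionaries are shaped like the `securityRules` entries returned by `az network nic list-effective-nsg`, and the NIC entries like `az network nic show`, but both are sample data written for this example; the `role` field on the NIC entries and the approximation of the `Internet` service tag as "anything outside RFC 1918, loopback and link-local" are assumptions made here, not Azure fields or semantics.

```python
"""Added example: offline check of NSG evaluation order and IP forwarding.
Sample data below is constructed; pull real data with
  az network nic list-effective-nsg -g <rg> -n <mgmt-nic>
  az network nic show -g <rg> -n <nic> --query enableIpForwarding
"""
import ipaddress

# Constructed subnet NSG: admin range allowed to 443, everything else from
# the Internet denied on the management ports, plus Azure's default deny.
SUBNET_NSG_RULES = [
    {"name": "Allow-Mgmt-HTTPS-From-Office", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
     "destinationPortRange": "443"},
    {"name": "Deny-Mgmt-From-Internet", "priority": 110, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "22-443"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
]
# Constructed NIC NSG on the management interface: wide open on 443.
NIC_NSG_RULES = [
    {"name": "Allow-HTTPS", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "443"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
]
# Constructed NIC inventory; 'role' is an illustrative tag, not an Azure field.
NICS = [
    {"name": "pa-mgmt-nic", "role": "management", "enableIpForwarding": False},
    {"name": "pa-untrust-nic", "role": "dataplane", "enableIpForwarding": False},
    {"name": "pa-trust-nic", "role": "dataplane", "enableIpForwarding": True},
]

# Assumption: approximate the 'Internet' service tag as any address outside
# these ranges (the real tag is a published prefix list).
_NON_INTERNET = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def _source_matches(prefix, src_ip):
    """'*' matches all; 'Internet' uses the approximation above; anything else
    is parsed as an IP or CIDR. Unknown service tags are reported as non-matching."""
    ip = ipaddress.ip_address(src_ip)
    if prefix == "*":
        return True
    if prefix == "Internet":
        return not any(ip in net for net in _NON_INTERNET)
    try:
        return ip in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False


def _port_matches(port_spec, port):
    """Handle '*', single ports, ranges ('22-443') and comma-separated lists."""
    if port_spec == "*":
        return True
    for piece in str(port_spec).split(","):
        lo, _, hi = piece.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_nsg(rules, src_ip, dst_port, protocol="Tcp"):
    """Return (access, rule name) of the first matching inbound rule, walking
    rules by ascending priority number as Azure does."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("direction", "Inbound") != "Inbound":
            continue
        proto_ok = rule["protocol"] == "*" or rule["protocol"].lower() == protocol.lower()
        if (proto_ok and _source_matches(rule["sourceAddressPrefix"], src_ip)
                and _port_matches(rule["destinationPortRange"], dst_port)):
            return rule["access"], rule["name"]
    return "Deny", "implicit-deny"  # Azure's DenyAllInBound default always matches


def effective_inbound(subnet_rules, nic_rules, src_ip, dst_port, protocol="Tcp"):
    """Subnet NSG is evaluated first; a Deny there ends the flow before the
    NIC NSG is consulted. Returns (access, deciding rule)."""
    access, name = evaluate_nsg(subnet_rules, src_ip, dst_port, protocol)
    if access != "Allow":
        return "Deny", f"subnet NSG rule {name}"
    access, name = evaluate_nsg(nic_rules, src_ip, dst_port, protocol)
    if access != "Allow":
        return "Deny", f"NIC NSG rule {name}"
    return "Allow", f"NIC NSG rule {name}"


def ip_forwarding_findings(nics):
    """Data-plane NICs of an NVA must forward traffic not addressed to them;
    the management NIC does not need it. Returns the names that are misconfigured."""
    return [n["name"] for n in nics if n["role"] == "dataplane" and not n["enableIpForwarding"]]


if __name__ == "__main__":
    for src in ("203.0.113.5", "198.51.100.7"):
        print(src, "-> 443:", effective_inbound(SUBNET_NSG_RULES, NIC_NSG_RULES, src, 443))
    print("data-plane NICs without IP forwarding:", ip_forwarding_findings(NICS))
```

Running it shows why a permissive NIC NSG is not enough: the admin source is allowed end to end, while a source outside the admin range is denied by the subnet NSG before the NIC NSG's `Allow-HTTPS` is ever evaluated. The same function also reports `pa-untrust-nic` as a data-plane NIC without IP forwarding, which is point 1 of the answer.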