AWS ALB Health check to a Palo Alto Firewall fails
Symptom
- When an AWS ALB is configured to health check a Palo Alto firewall, it shows the instance as unhealthy.
- Sample setup: (topology diagram not reproduced here)
Environment
- Firewall: PA VM (All series)
- Cloud: AWS
- Cloud: AWS Load Balancers
Cause
- Note that whenever a Palo Alto firewall is used with a load balancer the interfaces need to be swapped, i.e., eth0 becomes the firewall's eth1/1 and eth1 becomes the management interface.
- The Application Load Balancer will therefore probe eth1/1 of the firewall.
- Multiple causes:
b) LB IP not included under permitted IPs
c) Incorrect URL path or success codes for LB
Resolution
There are two ways to achieve a successful health probe.
A] Configure the path as "/" in the target group (the success code in the target group will also have to be changed)
- Configure the path as "/" in the target group.
- Configure a management profile allowing "http" and attach it to interface eth1/1 on the firewall.
- To restrict access further, add the load balancer's IP addresses as permitted IPs in the management profile.
How to find the Application Load Balancer's IP addresses:
1. Open the EC2 console.
2. Under Load Balancing, choose Load Balancers from the navigation pane.
3. Select the load balancer whose IP addresses you are looking for.
4. On the Description tab, copy the Name.
5. Under Network & Security, choose Network Interfaces from the navigation pane.
6. Paste the load balancer name that you copied in step 4 into the search box. The filtered results show all elastic network interfaces associated with the load balancer.
7. For each of the elastic network interfaces in the filtered results:
   - Select the elastic network interface.
   - Choose the Details tab.
   - Find the IP address listed under Primary private IPv4 IP. This is the primary private IP address of the elastic network interface.
- Attach the management profile to eth1/1.
- Since the path configured in the target group is "/", the firewall answers with HTTP 302, while the default success code in the AWS target group is 200, so the targets will still be unhealthy.
- You therefore need to change the success code from 200 to 302 in the target group.
- With these changes the targets should become healthy.
B] Configure the path as "/php/login.php" in the target group. Starting with PAN-OS versions 10.1.9, 10.2.4 and 11.0.0, use "/unauth/php/health.php" as the preferred probing endpoint.
(Screenshots of the target group Path and Success codes settings, and of the target showing as healthy, are not reproduced here.)
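To make the behaviour behind options A and B concrete, the following script is an added example (not part of this KB article and not a Palo Alto or AWS tool). It reproduces the decision an ALB target group makes: it sends the health-check request to the firewall's eth1/1 address over plain HTTP on port 80, deliberately does not follow redirects (an ALB health check compares the raw status code against the "Success codes" matcher), parses the matcher string the way the target group does ("200", "200,302" or "200-299") and then reports whether the target would be healthy, with a hint that maps back to the causes listed above. The target IP, path and matcher are assumed command-line inputs; the sample values in the diagnose() docstring are constructed.

```python
#!/usr/bin/env python3
"""Simulate an AWS ALB target-group health check against a PAN-OS firewall (added example)."""
import sys
import urllib.error
import urllib.request
from typing import Optional, Set


def parse_success_codes(matcher: str) -> Set[int]:
    """Expand an ALB 'Success codes' string ("200", "200,302", "200-299") into a set of ints."""
    codes: Set[int] = set()
    for part in matcher.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            codes.update(range(int(lo), int(hi) + 1))
        else:
            codes.add(int(part))
    return codes


def is_healthy(status: int, matcher: str) -> bool:
    """A target is healthy only if the raw status code is in the matcher set."""
    return status in parse_success_codes(matcher)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """ALB health checks do not follow redirects, so a 302 is returned as-is."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(target_ip: str, path: str, port: int = 80, timeout: float = 5.0) -> Optional[int]:
    """Send one HTTP health-check request to eth1/1 and return the status code.

    Returns None when no HTTP answer arrives (timeout, refused connection), which
    is what you see when no management profile is attached or the LB IP is not permitted.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    url = f"http://{target_ip}:{port}{path}"
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry a status code
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def diagnose(path: str, status: Optional[int], matcher: str) -> dict:
    """Decide healthy/unhealthy and explain it in terms of the KB's causes.

    Constructed sample: diagnose("/", 302, "200") -> healthy False, hint about 302.
    """
    healthy = status is not None and is_healthy(status, matcher)
    if status is None:
        hint = ("no HTTP response: check that a management profile permitting http is "
                "attached to eth1/1 and that the load balancer ENI IPs are in its permitted IP list")
    elif healthy:
        hint = "target should be reported healthy"
    elif status == 302 and path == "/":
        hint = ("firewall answered 302 for '/': add 302 to the target group success codes "
                "(option A) or probe /php/login.php or /unauth/php/health.php instead (option B)")
    else:
        hint = (f"status {status} is not in success codes '{matcher}': "
                "check the path and success codes configured in the target group")
    return {"path": path, "status": status, "matcher": matcher, "healthy": healthy, "hint": hint}


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: alb_probe.py <eth1/1 ip> <path> <success codes>")
    ip, path, matcher = sys.argv[1:]
    result = diagnose(path, probe(ip, path), matcher)
    print(f"{result['path']} -> {result['status']} healthy={result['healthy']}: {result['hint']}")
```

Run it from a host that sits in the same subnet as the load balancer's network interfaces (so the firewall sees a source address you have permitted), once with "/" and "200" and once with "/" and "302", to see the same flip from unhealthy to healthy that changing the target group's success codes produces.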