AWS ALB Health check to a Palo Alto Firewall fails

Created On 02/13/20 15:22 PM - Last Modified 04/22/24 20:13 PM


Symptom


  • An AWS Application Load Balancer (ALB) configured to health-check a Palo Alto firewall reports the instance as unhealthy.
  • Sample setup: (topology diagram not reproduced)


Environment


  • Firewall: PA VM (All series)
  • Cloud: AWS
  • Cloud: AWS Load Balancers


Cause


  • Note that whenever a Palo Alto firewall is used with a load balancer, the interfaces need to be swapped, i.e., Eth0 becomes the firewall's Ethernet1/1 and Eth1 becomes the management interface. See:
    https://docs.paloaltonetworks.com/vm-series/9-0/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/deploy-the-vm-series-firewall-on-aws/use-the-vm-series-firewall-cli-to-swap-the-management-interface.html
  • After the swap, the Application Load Balancer probes ethernet1/1 of the firewall.
  • Multiple causes are possible:
    a) No management profile attached to the interface
    b) The load balancer's IP addresses not included under permitted IPs in the management profile
    c) Incorrect health-check path or success codes configured in the target group


Resolution


There are two ways to achieve a successful health probe.

A] Configure the path as “/” in the target group (the success code in the target group must also be changed)
  1. Configure the path as “/” in the target group.

  2. Configure a Management profile allowing “http” and attach it to the interface eth1/1 on the firewall.

  3. To restrict access further, add the load balancer's IP addresses as permitted IPs in the management profile.

  4. How to find the Application Load Balancer's IP addresses:
    1. Open the EC2 console.
    2. Under Load Balancing, choose Load Balancers from the navigation pane.
    3. Select the load balancer whose IP addresses you are looking for.
    4. On the Description tab, copy the Name.
    5. Under Network & Security, choose Network Interfaces from the navigation pane.
    6. Paste the load balancer name copied in step 4 into the search box. The filtered results show all elastic network interfaces associated with the load balancer.
    7. For each of the elastic network interfaces in the filtered results:
       - Select the elastic network interface.
       - Choose the Details tab.
       - Note the value shown for Primary private IPv4 IP. This is the primary private IP address of that elastic network interface.


  5. Attach the management profile to ethernet1/1.

  6. Because the path configured in the target group is “/”, the probe is an HTTP request on port 80 to “/”, and the firewall answers that request with response code 302.

  • The default success code in an AWS target group is 200, so with a 302 response the targets remain unhealthy.

  • You therefore need to change the success code from 200 to 302 in the target group.

  • With these changes the targets should show as healthy.


B] Configure the path as “/php/login.php” in the target group. Starting with PAN-OS versions 10.1.9, 10.2.4 and 11.0.0, use "/unauth/php/health.php" as the preferred probing endpoint.

The only changes here are the path and the success code in the target group.

Path: /php/login.php (or /unauth/php/health.php on the PAN-OS versions listed above)

Success codes: set to the code the firewall returns for that path

The target should be healthy:
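The probe-and-adjust workflow behind options A and B, as an added example that is not part of the Palo Alto Networks article: a POSIX shell script that probes the firewall's ethernet1/1 address the way the ALB does (plain HTTP, redirects not followed, so a 302 is reported as 302), checks the returned code against an ALB target-group matcher string, lists the ALB's ENI private IPs for the management profile's permitted-IP list, and applies the chosen path and success code to the target group. `FW_IP`, `PROBE_PATH`, `MATCHER`, `LB_NAME` and `TG_ARN` are assumed placeholders you export before running; `aws elbv2 modify-target-group` and `aws ec2 describe-network-interfaces` are real AWS CLI commands, and `ELB app/<lb-name>/<id>` is the description AWS assigns to an ALB's network interfaces. Nothing touches a real resource unless the placeholders are set.

```shell
#!/bin/sh
# Added example, not from the article. Assumed placeholders:
#   FW_IP      private IP of the firewall's ethernet1/1 (behind the ALB)
#   PROBE_PATH health-check path ("/" for option A, login/health path for B)
#   MATCHER    ALB success-code matcher, e.g. "302" or "200"
#   LB_NAME    name of the Application Load Balancer
#   TG_ARN     ARN of the target group that contains the firewall
PROBE_PATH="${PROBE_PATH:-/}"
MATCHER="${MATCHER:-302}"

# Does HTTP status $1 satisfy target-group matcher $2?
# The matcher uses the ALB syntax: comma-separated codes or ranges,
# e.g. "200", "302", "200,302", "200-299". Prints healthy or unhealthy.
matcher_accepts() {
    code="$1"
    matcher="$2"
    result=unhealthy
    old_ifs="$IFS"
    IFS=','
    for item in $matcher; do
        case "$item" in
            *-*)
                lo="${item%-*}"
                hi="${item#*-}"
                if [ "$code" -ge "$lo" ] && [ "$code" -le "$hi" ]; then
                    result=healthy
                fi
                ;;
            *)
                if [ "$code" -eq "$item" ]; then
                    result=healthy
                fi
                ;;
        esac
    done
    IFS="$old_ifs"
    echo "$result"
}

# Probe the firewall like the ALB does: plain HTTP on port 80, do not follow
# redirects, print only the status code. "/" answers 302 on the firewall;
# whatever code the login/health path answers is what MATCHER must be set to.
probe_firewall() {
    curl -s -o /dev/null --max-time 5 -w '%{http_code}' "http://$1$2"
}

# Private IPs of the ALB's elastic network interfaces, i.e. the addresses
# to add as permitted IPs in the management profile on ethernet1/1.
# AWS describes those ENIs as "ELB app/<lb-name>/<id>", so filter on that.
alb_private_ips() {
    aws ec2 describe-network-interfaces \
        --filters "Name=description,Values=ELB app/$1/*" \
        --query 'NetworkInterfaces[].PrivateIpAddress' --output text
}

# Apply path ($2) and success code ($3) to target group $1
# (option A: "/" and 302; option B: the login/health path and its code).
set_target_group_probe() {
    aws elbv2 modify-target-group --target-group-arn "$1" \
        --health-check-protocol HTTP \
        --health-check-path "$2" --matcher "HttpCode=$3"
}

# Runs against real resources only when the placeholders are set.
if [ -n "${FW_IP:-}" ]; then
    code="$(probe_firewall "$FW_IP" "$PROBE_PATH")"
    echo "firewall returned $code for $PROBE_PATH -> $(matcher_accepts "$code" "$MATCHER")"
fi
if [ -n "${LB_NAME:-}" ]; then
    alb_private_ips "$LB_NAME"
fi
if [ -n "${TG_ARN:-}" ]; then
    set_target_group_probe "$TG_ARN" "$PROBE_PATH" "$MATCHER"
fi
```

Run the probe first and read the code it prints: if the target group still carries the default matcher of 200 while the firewall answers 302 for “/”, `matcher_accepts` prints unhealthy, which is exactly the state the Symptom section describes, and the fix is either the matcher (option A) or the path (option B).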


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POfaCAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail