Return traffic is not seen on PA-VM deployed in Azure
Symptom
The PA-VM is deployed in Azure. Traffic from a host in a directly connected subnet is received on the firewall and forwarded out, but no return traffic is seen.
- Set up packet filters for the specific source/destination pair under Firewall WebUI > Monitor > Packet Capture > Configure Filtering > Manage Filters and turn ON Filtering.
- Run the following CLI command on the PA-VM to verify whether any packets are received by the firewall:
  > show counter global filter delta yes packet-filter yes
  name                 value        rate  severity  category  aspect    description
  --------------------------------------------------------------------------------
  pkt_recv             6979948287   46    info      packet    pktproc   Packets received
  pkt_sent             24087067     0     info      packet    pktproc   Packets transmitted
  session_allocated    21511291     0     info      session   resource  Sessions allocated
  session_installed    15969540     0     info      session   resource  Sessions installed
- The output above shows packets being received by the firewall and forwarded out. If the packets were being dropped on the firewall, use standard PAN-OS troubleshooting to isolate the drop further.
- In this case, no return traffic is seen in the Traffic logs or in the session details. The issue can be either on the firewall or on the egress side; follow the steps below to isolate it further:
- Verify whether NAT is configured on the firewall
- Verify whether an Azure Public IP is associated with the private IP configured on the egress interface
- Verify whether a default route is configured on the Azure egress subnet pointing to Internet
- Verify whether the Azure Network Security Group configured for the egress interface and egress subnet allows traffic to the destination
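The three Azure-side checks in the list above (Public IP association, default route to Internet, NSG outbound rules) can be scripted against the JSON the Azure CLI returns. The checker below is an example added to this article; it is not Palo Alto Networks or Microsoft tooling. It runs over constructed JSON shaped like the output of `az network route-table show`, `az network nic show` and `az network nsg show` (the field names addressPrefix, nextHopType, ipConfigurations and securityRules are the ones the az CLI emits; the resource names, the egress private IP 10.0.2.4 and the destination 203.0.113.10 are made up for the sample). It evaluates two route tables: one without a 0.0.0.0/0 route, which is the cause described in this article, and one with the default route added. The NAT check is done in the PAN-OS configuration and is not covered here.

```python
"""Egress-side checks for a PA-VM in Azure, run over constructed JSON shaped
like `az network ...` output. Example added to this article; not vendor code."""
import ipaddress

# Constructed sample: route table on the egress subnet, as in this article's
# cause (no default route). Field names follow `az network route-table show`.
ROUTE_TABLE_MISSING_DEFAULT = {
    "name": "rt-egress",
    "routes": [
        {"name": "to-trust", "addressPrefix": "10.0.1.0/24",
         "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.2.4"},
    ],
}

# Constructed sample: the same table after applying the article's resolution.
ROUTE_TABLE_FIXED = {
    "name": "rt-egress",
    "routes": ROUTE_TABLE_MISSING_DEFAULT["routes"] + [
        {"name": "default-to-internet", "addressPrefix": "0.0.0.0/0",
         "nextHopType": "Internet"},
    ],
}

# Constructed sample: the firewall's egress NIC, shaped like `az network nic show`.
EGRESS_NIC = {
    "ipConfigurations": [
        {"name": "ipconfig1", "privateIPAddress": "10.0.2.4",
         "publicIPAddress": {"id": "/subscriptions/<sub-id>/resourceGroups/rg/"
                                   "providers/Microsoft.Network/publicIPAddresses/pip-egress"}},
    ],
}

# Constructed sample NSG, shaped like `az network nsg show`. Only the singular
# destinationAddressPrefix / destinationPortRange fields are evaluated here.
EGRESS_NSG = {
    "securityRules": [
        {"name": "deny-smtp", "priority": 100, "direction": "Outbound", "access": "Deny",
         "protocol": "Tcp", "destinationAddressPrefix": "*", "destinationPortRange": "25"},
        {"name": "allow-out", "priority": 200, "direction": "Outbound", "access": "Allow",
         "protocol": "*", "destinationAddressPrefix": "*", "destinationPortRange": "*"},
    ],
}


def has_default_internet_route(route_table):
    """True if the table carries a 0.0.0.0/0 route whose next hop is Internet."""
    return any(r.get("addressPrefix") == "0.0.0.0/0" and r.get("nextHopType") == "Internet"
               for r in route_table.get("routes", []))


def public_ip_for(nic, private_ip):
    """Resource id of the Public IP bound to private_ip on this NIC, or None."""
    for cfg in nic.get("ipConfigurations", []):
        if cfg.get("privateIPAddress") == private_ip:
            return (cfg.get("publicIPAddress") or {}).get("id")
    return None


def _prefix_matches(prefix, ip):
    # '*' matches everything; a CIDR matches if ip lies inside it. Service tags
    # such as 'Internet' are not resolved here and are treated as no-match.
    if prefix == "*":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False


def _port_matches(port_range, port):
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def nsg_allows_outbound(nsg, dest_ip, port, proto):
    """Walk custom Outbound rules by ascending priority; first match decides."""
    rules = sorted((r for r in nsg["securityRules"] if r["direction"] == "Outbound"),
                   key=lambda r: r["priority"])
    for r in rules:
        if (_prefix_matches(r["destinationAddressPrefix"], dest_ip)
                and _port_matches(r["destinationPortRange"], port)
                and (r["protocol"] == "*" or r["protocol"].lower() == proto.lower())):
            return r["access"] == "Allow"
    # No custom rule matched: Azure's built-in AllowInternetOutBound (priority
    # 65001) applies, so Internet-bound traffic is allowed by default.
    return True


def check_egress(route_table, nic, nsg, fw_egress_ip, dest_ip, port, proto):
    """Return a list of egress-side findings; an empty list means all checks pass."""
    findings = []
    if not has_default_internet_route(route_table):
        findings.append("no 0.0.0.0/0 route with nextHopType Internet on the egress subnet")
    if public_ip_for(nic, fw_egress_ip) is None:
        findings.append(f"no Azure Public IP associated with {fw_egress_ip}")
    if not nsg_allows_outbound(nsg, dest_ip, port, proto):
        findings.append(f"NSG denies outbound {proto}/{port} to {dest_ip}")
    return findings


if __name__ == "__main__":
    for label, rt in (("before fix", ROUTE_TABLE_MISSING_DEFAULT), ("after fix", ROUTE_TABLE_FIXED)):
        result = check_egress(rt, EGRESS_NIC, EGRESS_NSG, "10.0.2.4", "203.0.113.10", 443, "tcp")
        print(f"{label}: {result or 'all egress checks pass'}")
```

To use it on a real deployment, replace the constructed dictionaries with `json.load` of the corresponding `az network ... -o json` output for the egress subnet's route table, the firewall's egress NIC and its NSG; rules that use service tags or the plural prefix/port-range fields must still be read by hand.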
Environment
- Platform: VM-Series Firewall
- PAN-OS / Plugin Version: 8.0.0 / -
- Deployment: Azure
Cause
- Default route is not configured on the egress Azure subnet
Resolution
- Configure default route on Azure egress subnet pointing to Internet