Traffic is not received on firewall deployed in AWS
7383
Created On 03/18/20 02:52 AM - Last Modified 04/06/20 17:38 PM
Symptom
A PA-VM is deployed on AWS. Traffic from a host in a directly connected subnet, whose default route points at the firewall interface, is not received on the firewall.
- Set up packet filters for the specific source/destination pair under Firewall WebUI > Monitor > Packet Capture > Configure Filtering > Manage Filters and turn ON Filtering
- Run the CLI command below on the PA-VM to verify whether any packets are received by the firewall:
show counter global filter delta yes packet-filter yes
Global counters:
Elapsed time since last sampling: 1.559 seconds
--------------------------------------------------------------------------------
Total counters shown: 0
--------------------------------------------------------------------------------
- The CLI output above shows that no packets are received on the firewall, which indicates an issue on the ingress end; follow the steps below to isolate it further:
- Verify that the AWS Security Group configured for the ingress interface allows traffic to the destination
- Verify that the NACL on the ingress subnet allows the traffic in question
- Verify that Source/Destination Check is disabled for the ingress interface
- Verify the routing on the AWS ingress subnet; it should have a route pointing to the ingress interface of the firewall
Environment
- Platform: PA-VM
- PAN-OS / Plugin Version: 9.0.4 / -
- Deployment: AWS
Cause
- In this case, Source/Destination Check was enabled on the ingress interface, so no packets were received on the firewall.
Resolution
- Disable Source/Dest. Check on the ingress interface under AWS EC2 > Network Interfaces > Actions.
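To work through the four ingress checks from the Symptom section offline, and to confirm the Source/Dest. Check fix from the Resolution section before retesting traffic, here is an added Python example (not part of this article and not PAN-OS or AWS code). It evaluates the JSON that `aws ec2 describe-network-interfaces`, `describe-network-acls`, `describe-route-tables` and `describe-security-groups` return; the sample responses embedded below are constructed to reproduce this article's case (everything permitted except that Source/Dest. Check is still enabled), and the ENI, subnet and security-group IDs are placeholders.

```python
import ipaddress
import json

FW_ENI = "eni-0fwingress0000000"       # hypothetical ingress ENI of the PA-VM
HOST_SUBNET = "subnet-0host000000000"   # hypothetical subnet of the sending host

# Constructed sample API responses, trimmed to the fields the checks read.
ENI_JSON = json.dumps({"NetworkInterfaces": [{
    "NetworkInterfaceId": FW_ENI, "SubnetId": HOST_SUBNET, "SourceDestCheck": True,
    "Groups": [{"GroupId": "sg-0fw000000000000"}]}]})
ACL_JSON = json.dumps({"NetworkAcls": [{
    "Associations": [{"SubnetId": HOST_SUBNET}],
    "Entries": [
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow",
         "Egress": False, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
         "Egress": False, "CidrBlock": "0.0.0.0/0"}]}]})
RT_JSON = json.dumps({"RouteTables": [{
    "Associations": [{"SubnetId": HOST_SUBNET}],
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": FW_ENI, "State": "active"}]}]})
SG_JSON = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0fw000000000000",
    "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}]})


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _port_ok(lo, hi, port):
    # A missing port range (all-traffic rule) matches every port.
    return lo is None or lo <= port <= hi


def sg_allows(sg_json, group_ids, src_ip, proto, port):
    """Security groups are allow-only: any matching rule in any attached group permits the flow."""
    for sg in json.loads(sg_json)["SecurityGroups"]:
        if sg["GroupId"] not in group_ids:
            continue
        for perm in sg["IpPermissions"]:
            if perm["IpProtocol"] in ("-1", proto) \
                    and _port_ok(perm.get("FromPort"), perm.get("ToPort"), port) \
                    and any(_in_cidr(src_ip, r["CidrIp"]) for r in perm.get("IpRanges", [])):
                return True
    return False


def nacl_allows(acl_json, subnet_id, src_ip, proto_num, port):
    """Inbound NACL entries are evaluated in RuleNumber order; the first match decides."""
    for acl in json.loads(acl_json)["NetworkAcls"]:
        if not any(a.get("SubnetId") == subnet_id for a in acl["Associations"]):
            continue
        for e in sorted(acl["Entries"], key=lambda e: e["RuleNumber"]):
            pr = e.get("PortRange") or {}
            if e["Egress"] or e["Protocol"] not in ("-1", proto_num):
                continue
            if _port_ok(pr.get("From"), pr.get("To"), port) and _in_cidr(src_ip, e["CidrBlock"]):
                return e["RuleAction"] == "allow"
    return False  # no associated ACL or no matching entry: implicit deny


def route_to_firewall(rt_json, subnet_id, dst_ip, fw_eni):
    """Longest-prefix match in the subnet's route table; True if the winning route targets fw_eni."""
    best = None
    for rt in json.loads(rt_json)["RouteTables"]:
        if not any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            continue
        for r in rt["Routes"]:
            cidr = r.get("DestinationCidrBlock")
            if not cidr or r.get("State") != "active" or not _in_cidr(dst_ip, cidr):
                continue
            plen = ipaddress.ip_network(cidr, strict=False).prefixlen
            if best is None or plen > best[0]:
                best = (plen, r.get("NetworkInterfaceId"))
    return best is not None and best[1] == fw_eni


def audit_ingress(eni_json, acl_json, rt_json, sg_json, fw_eni, src_ip, dst_ip,
                  proto="tcp", proto_num="6", port=443):
    """Return the ingress checks from this article that FAIL for the given flow."""
    eni = next(n for n in json.loads(eni_json)["NetworkInterfaces"]
               if n["NetworkInterfaceId"] == fw_eni)
    groups = {g["GroupId"] for g in eni["Groups"]}
    failed = []
    if not sg_allows(sg_json, groups, src_ip, proto, port):
        failed.append("security group does not allow the flow")
    if not nacl_allows(acl_json, eni["SubnetId"], src_ip, proto_num, port):
        failed.append("NACL on ingress subnet does not allow the flow")
    if eni["SourceDestCheck"]:
        failed.append("Source/Dest. Check is still enabled on ingress ENI")
    if not route_to_firewall(rt_json, eni["SubnetId"], dst_ip, fw_eni):
        failed.append("subnet route table does not point to the firewall ENI")
    return failed
```

Replace the constructed JSON with the real CLI output for the ingress ENI and its subnet, then call `audit_ingress(...)` with the source and destination of the flow you filtered on the firewall. On the constructed data it reports only the Source/Dest. Check failure, matching the Cause above; the CLI equivalent of the Resolution is `aws ec2 modify-network-interface-attribute --network-interface-id <eni-id> --no-source-dest-check`, after which `show counter global filter delta yes packet-filter yes` should start showing non-zero counters.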