Traffic is not received on firewall deployed in AWS

Created On 03/18/20 02:52 AM - Last Modified 04/06/20 17:38 PM


Symptom


A PA-VM is deployed in AWS. A host in a directly connected subnet has its default route pointing at the firewall's interface, yet the host's traffic never arrives on the firewall.
 
  • Set up packet filters for the specific source/destination pair under Firewall WebUI > Monitor > Packet Capture > Configure Filtering > Manage Filters and turn Filtering ON.
  • While the host is generating traffic, run the CLI command below on the PA-VM to verify whether any packets matching the filter are received by the firewall:
show counter global filter delta yes packet-filter yes
Global counters:
Elapsed time since last sampling: 1.559 seconds

--------------------------------------------------------------------------------
Total counters shown: 0
--------------------------------------------------------------------------------
 
  • The output above shows no counters for the filtered traffic, which means the packets are not reaching the firewall at all and the problem is on the ingress side. Before looking at AWS, confirm that the packet filter really matches the flow (a wrong source/destination or a filter on the wrong interface also yields zero counters) and that traffic was flowing during the sampling window, since "delta yes" only lists counters that changed since the previous run. Then isolate the ingress side as follows:
-  Verify that the AWS Security Group attached to the firewall's ingress interface allows the traffic (protocol, port and source address) to the destination.
-  Verify that the NACL on the ingress subnet allows the traffic in question (NACLs only apply to traffic crossing the subnet boundary, so this check is moot when the host sits in the same subnet as the ingress interface).
-  Verify that Source/Destination Check is disabled on the ingress interface (ENI). With the check enabled, AWS drops any packet the interface receives that is not addressed to one of its own IP addresses, which is exactly the transit traffic a firewall is meant to forward.
-  Verify the routing on the AWS ingress subnet: the route table associated with the host's subnet must have a route for the destination (here the default route 0.0.0.0/0) whose target is the firewall's ingress interface.
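The four AWS-side checks above can be scripted against the JSON the AWS CLI returns. The block below is an added example written for this article, not Palo Alto Networks' or AWS's own tooling. It assumes input shaped like the output of `aws ec2 describe-network-interfaces`, `describe-security-groups`, `describe-network-acls` and `describe-route-tables`; every resource ID, address and rule in it is constructed sample data mirroring this case (everything correct except the source/dest check). It goes one step beyond the list by implementing NACL rule ordering and longest-prefix route matching, so the same function works for flows other than the one described here.

```python
# Added example (not Palo Alto Networks' or AWS's code): evaluates the four
# AWS-side ingress checks from this article against dicts shaped like the
# JSON of `aws ec2 describe-network-interfaces`, `describe-security-groups`,
# `describe-network-acls` and `describe-route-tables`.  All IDs, addresses
# and rules below are constructed sample data.
import ipaddress

PROTO_NUMBERS = {"6": "tcp", "17": "udp", "1": "icmp"}  # NACLs use numbers


def _cidr_contains(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _proto_matches(rule_proto, proto):
    # "-1" means all protocols; NACL entries carry numbers, SG rules carry names
    rule_proto = PROTO_NUMBERS.get(str(rule_proto), str(rule_proto))
    return rule_proto == "-1" or rule_proto == proto


def sg_allows_ingress(sg, proto, port, src_ip):
    """Security groups are default-deny: any single matching rule permits the flow."""
    for perm in sg["IpPermissions"]:
        if not _proto_matches(perm["IpProtocol"], proto):
            continue
        lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
        if lo != -1 and not (lo <= port <= hi):  # -1 / absent = all ports
            continue
        if any(_cidr_contains(r["CidrIp"], src_ip) for r in perm.get("IpRanges", [])):
            return True
    return False


def nacl_allows_ingress(nacl, proto, port, src_ip):
    """NACLs are ordered: the lowest-numbered matching inbound entry decides."""
    inbound = sorted((e for e in nacl["Entries"] if not e["Egress"]),
                     key=lambda e: e["RuleNumber"])
    for e in inbound:
        if not _proto_matches(e["Protocol"], proto):
            continue
        pr = e.get("PortRange")
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        if not _cidr_contains(e["CidrBlock"], src_ip):
            continue
        return e["RuleAction"] == "allow"
    return False  # nothing matched: implicit deny


def subnet_next_hop(route_table, dst_ip):
    """Longest-prefix match over active routes, as the VPC router does."""
    best = None
    for r in route_table["Routes"]:
        if r.get("State") != "active" or "DestinationCidrBlock" not in r:
            continue
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if ipaddress.ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r)
    return best[1] if best else None


def diagnose_ingress(eni, sg, nacl, route_table, proto, port, src_ip, dst_ip):
    """Return the AWS-side reasons (if any) why the flow never reaches the PA-VM."""
    findings = []
    eni_id = eni["NetworkInterfaceId"]
    if eni["SourceDestCheck"]:
        findings.append(f"source/dest check enabled on {eni_id}")
    if not sg_allows_ingress(sg, proto, port, src_ip):
        findings.append(f"security group {sg['GroupId']} does not allow {proto}/{port} from {src_ip}")
    if not nacl_allows_ingress(nacl, proto, port, src_ip):
        findings.append(f"NACL {nacl['NetworkAclId']} does not allow {proto}/{port} from {src_ip}")
    route = subnet_next_hop(route_table, dst_ip)
    if route is None or route.get("NetworkInterfaceId") != eni_id:
        findings.append(f"route table {route_table['RouteTableId']} does not send {dst_ip} to {eni_id}")
    return findings


# Constructed sample data mirroring the article's case: SG, NACL and routing are
# fine, but source/dest check is still enabled on the firewall's ingress ENI.
INGRESS_ENI = {"NetworkInterfaceId": "eni-0aaa1111bbbb2222c", "SourceDestCheck": True}
INGRESS_SG = {"GroupId": "sg-0aaa1111bbbb2222c", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}
INGRESS_SUBNET_NACL = {"NetworkAclId": "acl-0aaa1111bbbb2222c", "Entries": [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"}]}
HOST_SUBNET_RT = {"RouteTableId": "rtb-0aaa1111bbbb2222c", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-0aaa1111bbbb2222c",
     "State": "active"}]}

if __name__ == "__main__":
    # Host 10.0.1.10 sending HTTPS to an internet address through the firewall.
    for finding in diagnose_ingress(INGRESS_ENI, INGRESS_SG, INGRESS_SUBNET_NACL,
                                    HOST_SUBNET_RT, "tcp", 443, "10.0.1.10", "203.0.113.5"):
        print("FINDING:", finding)
```

To feed real data in, dump the objects with the AWS CLI, for example `aws ec2 describe-network-interfaces --network-interface-ids <eni-id>` (the `SourceDestCheck` field is what the first check reads) and pass the parsed JSON objects to `diagnose_ingress`. The route-table check deliberately ignores blackholed routes, because a default route whose target ENI was deleted or detached shows up in the console but forwards nothing.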


Environment


  • Platform: PA-VM 
  • PAN-OS / Plugin Version: 9.0.4 / -
  • Deployment: AWS 


Cause


  • In this case, Source/Destination Check was enabled on the ingress interface. With the check enabled, AWS discards any packet the interface receives that is not addressed to one of its own IP addresses, which is exactly the transit traffic the firewall is meant to forward, so no packets reached the PA-VM and the global counters stayed at zero.


Resolution


  • Disable Source/Dest. Check on the ingress interface under AWS EC2 > Network Interfaces > select the ENI > Actions > Change Source/Dest. Check. The same setting is required on every firewall dataplane interface that forwards transit traffic (the egress interface sends and receives packets that are not addressed to it either), so apply it to all of them, not only the ingress ENI. Afterwards re-run "show counter global filter delta yes packet-filter yes" while generating traffic to confirm that the counters now increment.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP6CCAW&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail