Return traffic is not seen on firewall deployed in AWS
7717
Created On 03/18/20 03:08 AM - Last Modified 04/06/20 17:39 PM
Symptom
A PA-VM is deployed on AWS. Traffic from a host in a directly connected subnet is received by the firewall and forwarded out, but no return traffic is seen.
- Set up packet filters for the specific source/destination pair under Firewall WebUI > Monitor > Packet Capture > Configure Filtering > Manage Filters and turn Filtering ON
- Run the following CLI command on the PA-VM to verify whether packets matching the filters are received by the firewall:
> show counter global filter delta yes packet-filter yes
name                 value        rate   severity   category   aspect     description
--------------------------------------------------------------------------------
pkt_recv             6979948287   46     info       packet     pktproc    Packets received
pkt_sent             24087067     0      info       packet     pktproc    Packets transmitted
session_allocated    21511291     0      info       session    resource   Sessions allocated
session_installed    15969540     0      info       session    resource   Sessions installed
- With packet-filter yes the counters are limited to traffic matching the packet filters, and delta yes shows only the change since the command was last run. The output above shows packets being received on the firewall and forwarded out. If the packets were being dropped on the firewall instead (drop counters would increment in the same output), use standard PAN-OS troubleshooting to isolate the drop on the firewall itself.
- In this case no return traffic appears in the Traffic logs or in the session details. The problem can then be either on the firewall or on the AWS side of the egress interface; work through the following checks to isolate it:
- Verify that NAT is configured on the firewall for the outbound traffic (typically source NAT to the private IP of the egress interface)
- Verify that an AWS Elastic IP is associated with the private IP configured on the egress interface
- Verify that a default route is configured in the route table of the AWS egress subnet, pointing to the Internet Gateway / NAT Gateway
- Verify that the AWS Security Group attached to the egress interface allows traffic to the destination
- Verify that the NACL on the egress subnet allows the traffic in question in both directions (NACLs are stateless, so the return packets need an inbound entry too)
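The AWS-side items of this checklist can be evaluated offline against the JSON that `aws ec2 describe-route-tables`, `describe-addresses`, `describe-security-groups` and `describe-network-acls` return. The Python script below is an added example, not part of this article or of any Palo Alto Networks tooling. The resource IDs, addresses, route tables, security group and NACL are constructed sample data in the shape of those API responses, and `fw_nat_port` stands in for whatever source port the firewall's NAT picks for the flow. It goes slightly beyond the checklist in two ways: because NACLs are stateless it checks both the outbound packet and the return packet against the NACL, and it only demands an Elastic IP when the default route points at an Internet Gateway (behind a NAT Gateway the NAT Gateway holds the public address).

```python
import ipaddress

# Protocol names as used in security groups, mapped to the numbers NACL entries use.
_NACL_PROTO = {"tcp": "6", "udp": "17", "icmp": "1"}


def default_route_target(route_table):
    """Return the igw-/nat- target of an active 0.0.0.0/0 route, or None if there is none."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        target = route.get("GatewayId") or route.get("NatGatewayId") or ""
        if target.startswith(("igw-", "nat-")):
            return target
    return None


def elastic_ip_for(addresses, private_ip):
    """Elastic IP associated with the given private address, or None."""
    for addr in addresses:
        if addr.get("PrivateIpAddress") == private_ip:
            return addr.get("PublicIp")
    return None


def sg_allows_egress(sg, dst_ip, proto, dst_port):
    """Security groups are stateful: only the outbound direction needs a rule."""
    dst = ipaddress.ip_address(dst_ip)
    for perm in sg["IpPermissionsEgress"]:
        if perm["IpProtocol"] not in ("-1", proto):
            continue
        if perm["IpProtocol"] != "-1" and not (
            perm.get("FromPort", 0) <= dst_port <= perm.get("ToPort", 65535)
        ):
            continue
        if any(dst in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
            return True
    return False


def nacl_verdict(nacl, egress, remote_ip, proto, port):
    """NACLs are stateless: entries are tried in ascending rule number, the first match
    wins, and the implicit default is deny. remote_ip is the destination for egress
    entries and the source for ingress entries; port is that packet's destination port."""
    remote = ipaddress.ip_address(remote_ip)
    entries = sorted((e for e in nacl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for e in entries:
        if e["Protocol"] not in ("-1", _NACL_PROTO[proto]):
            continue
        if remote not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        pr = e.get("PortRange")
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return e["RuleAction"]
    return "deny"


def check_egress_path(route_table, addresses, sg, nacl,
                      fw_private_ip, fw_nat_port, dst_ip, proto, dst_port):
    """Run the AWS-side checklist for one outbound flow and return the failing items."""
    findings = []
    target = default_route_target(route_table)
    if target is None:
        findings.append("no active 0.0.0.0/0 route to an Internet or NAT Gateway on the egress subnet")
    elif target.startswith("igw-") and elastic_ip_for(addresses, fw_private_ip) is None:
        # Behind an Internet Gateway the firewall's own address must map to an EIP.
        findings.append(f"no Elastic IP associated with egress interface address {fw_private_ip}")
    if not sg_allows_egress(sg, dst_ip, proto, dst_port):
        findings.append(f"security group does not allow {proto}/{dst_port} to {dst_ip}")
    if nacl_verdict(nacl, True, dst_ip, proto, dst_port) != "allow":
        findings.append(f"NACL outbound entries deny {proto}/{dst_port} to {dst_ip}")
    if nacl_verdict(nacl, False, dst_ip, proto, fw_nat_port) != "allow":
        findings.append(f"NACL inbound entries deny the return packet from {dst_ip} to port {fw_nat_port}")
    return findings


# Constructed sample data (made-up IDs and addresses) in the shape of the describe-* output.
EGRESS_RT_BROKEN = {"RouteTableId": "rtb-0a1b", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]}
EGRESS_RT_FIXED = {"RouteTableId": "rtb-0a1b", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0c2d", "State": "active"}]}
ADDRESSES = [{"PublicIp": "203.0.113.10", "PrivateIpAddress": "10.0.1.10",
              "NetworkInterfaceId": "eni-0e3f"}]
EGRESS_SG = {"GroupId": "sg-0a4b", "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
EGRESS_NACL = {"NetworkAclId": "acl-0b5c", "Entries": [
    {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0",
     "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"}]}
# One outbound HTTPS flow, NATed by the firewall to 10.0.1.10 with an assumed source port.
FLOW = dict(fw_private_ip="10.0.1.10", fw_nat_port=41000,
            dst_ip="198.51.100.20", proto="tcp", dst_port=443)

if __name__ == "__main__":
    for name, rt in (("broken", EGRESS_RT_BROKEN), ("fixed", EGRESS_RT_FIXED)):
        result = check_egress_path(rt, ADDRESSES, EGRESS_SG, EGRESS_NACL, **FLOW)
        print(name, result or ["all checks passed"])
```

Running it reports the missing default route for the broken route table and nothing for the fixed one. The inbound NACL check is the one most often overlooked: an inbound entry that only allows the ephemeral port range lets the return packet through for a NATed source port such as 41000, but the same entry would deny a return packet aimed at port 443, which is exactly the stateless-ACL behaviour that produces "outbound seen, no return traffic".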
Environment
- Platform: PA-VM
- PAN-OS / Plugin Version: 9.0.4 / -
- Deployment: AWS
Cause
- No default route is configured in the route table associated with the egress AWS subnet, so the return traffic has no path back through the firewall
Resolution
- Configure a default route (0.0.0.0/0) in the route table of the AWS egress subnet pointing to the Internet Gateway / NAT Gateway