GCP Health Checks to Palo Alto VM Instance are Failing


Created On 03/18/20 17:57 PM - Last Modified 04/03/20 23:52 PM


Symptom


  • GCP health checks to the Palo Alto Networks VM-Series instance are failing.
  • The Traffic logs and session details show the health check probes arriving with the GCP Internal Load Balancer (ILB) VIP address as the destination, not the firewall interface IP.


Environment


  • Platform: PAN-OS
  • Deployment: VM-Series


Cause


  • The GCP Internal TCP/UDP Load Balancer forwards health check probes to its backends without terminating or rewriting them (see the GCP statement under Resolution), so the probes reach the VM-Series firewall with a destination IP of the ILB forwarding rule (VIP) address rather than the firewall interface IP. On a Linux or Windows backend the GCP guest environment adds the VIP to the VM; the VM-Series firewall does not run that guest environment, so the VIP is not an address the firewall owns and the firewall does not answer the probes. A destination NAT (DNAT) policy that translates the destination of the health check packets to the firewall interface IP address is therefore required for the firewall to reply.


Resolution


  • “Unlike a device-based or instance-based load balancer, Internal TCP/UDP Load Balancing doesn't terminate connections from clients. Instead of traffic being sent to a load balancer then onto backends, traffic is sent to the backends directly. The GCP Linux or Windows guest environment configures each backend VM with the IP address of the load balancer, and GCP virtual networking manages traffic delivery, scaling as appropriate.”
  • Create a destination NAT policy on the firewall that matches packets destined to the ILB VIP address (the destination the health checks carry) and translates the destination to the IP address of the firewall interface that receives the health checks. Because the VIP lies in the subnet connected to that interface, the pre-NAT destination zone of the NAT rule is the same zone as the ingress interface.
  • Allow the health check traffic in the security policy (the destination zone is the post-NAT zone, again the ingress interface's zone; GCP health check probes originate from 35.191.0.0/16 and 130.211.0.0/22) and make sure the interface answers on the probed protocol and port, for example by binding an Interface Management Profile that permits it.
  • Confirm in the Traffic logs and session details that the health check sessions now show the firewall interface IP as the translated destination and that GCP reports the backend as healthy.
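The following PAN-OS configure-mode and operational commands are an added example of the DNAT fix described above; they are not part of the KB article. The interface name (ethernet1/1), zone name (untrust), interface IP (10.0.1.10), ILB VIP (10.0.1.100) and the HTTPS probe port are assumptions to replace with your own values; the probe source ranges 35.191.0.0/16 and 130.211.0.0/22 are Google's documented health check ranges. Lines beginning with # are annotations, not CLI input.

```text
# Assumptions (replace with your values):
#   ethernet1/1 in zone "untrust" receives the ILB health checks, IP 10.0.1.10
#   ILB forwarding-rule (VIP) address 10.0.1.100
#   health check probes TCP/443 (HTTPS)
configure

# Address objects for the VIP and the interface IP
set address gcp-ilb-vip ip-netmask 10.0.1.100/32
set address fw-eth1-ip ip-netmask 10.0.1.10/32

# GCP health-check probe source ranges (documented by Google)
set address gcp-hc-range-1 ip-netmask 35.191.0.0/16
set address gcp-hc-range-2 ip-netmask 130.211.0.0/22
set address-group gcp-hc-sources static [ gcp-hc-range-1 gcp-hc-range-2 ]

# Destination NAT: probes sent to the VIP are translated to the interface IP.
# The "to" zone is the pre-NAT destination zone; the VIP is in the subnet
# connected to ethernet1/1, so it is the same zone as the ingress interface.
set rulebase nat rules GCP-HC-DNAT from untrust to untrust source gcp-hc-sources destination gcp-ilb-vip service service-https destination-translation translated-address fw-eth1-ip

# Security policy: only the documented probe sources, only the probed port,
# pre-NAT destination address, post-NAT destination zone (same zone here).
set rulebase security rules Allow-GCP-HC from untrust to untrust source gcp-hc-sources destination gcp-ilb-vip application any service service-https action allow

# The interface must actually answer on the probed port: bind an interface
# management profile that permits HTTPS to ethernet1/1.
set network profiles interface-management-profile gcp-hc https yes
set network interface ethernet ethernet1/1 layer3 interface-management-profile gcp-hc

commit
exit

# Verification (operational mode): check which NAT rule a probe would hit,
# then watch for health-check sessions against the VIP.
test nat-policy-match from untrust to untrust source 35.191.0.10 destination 10.0.1.100 protocol 6 destination-port 443
show session all filter destination 10.0.1.100
```

Keeping the security rule's source limited to the GCP probe ranges and its service to the probed port means the management profile on the dataplane interface is not reachable from arbitrary hosts; if the load balancer uses an HTTP or TCP health check instead, change the service object and the management profile setting accordingly.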


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP9QCAW&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail