Alibaba Cloud: Health status of PA-VM deployed behind the public load balancer shows “Abnormal”
Created On 03/23/20 18:16 PM - Last Modified 01/05/23 21:57 PM
Symptom
- Health check to PA-VM Firewall deployed behind the public load balancer shows “Abnormal” even though we see the traffic on the firewall.
- Verify if Alibaba Cloud has Listener configured.
Navigate to: Server Load Balancer > Listener
- Notice the Health Status shows “Abnormal” for the Listener
- Check for the status codes allowed. By default, Alibaba allows both 2xx and 3xx status codes.
Navigate to: Server Load Balancer > Listener > Configure > Health Check > Modify
- If code http_3xx is not checked, make sure the Health check path is set to /php/login.php
- Based on this configuration, the load balancer monitors HTTP over TCP port 80 on the firewall's untrust interface.
- Ensure these health probes are allowed by the Security Policy.
- Check for health probes under the session browser of the firewall.
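To reproduce the load balancer's check by hand, the following added example (not part of the original article) sends one HTTP request to port 80 without following redirects and judges the reply against the allowed status classes. The function names are hypothetical, the GET method is an assumption that should match the listener's configured method, and the script must run from a host that can reach the untrust interface.

```python
import http.client
import sys

def status_class(code):
    """Map a status code to the listener's naming, e.g. 302 -> 'http_3xx'."""
    return f"http_{code // 100}xx"

def probe(host, path="/", port=80, method="GET", timeout=5.0):
    """Send one request, never following redirects. Returns the status code,
    or None when nothing answers (refused, timed out, or not HTTP)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def verdict(code, allowed):
    """Return (healthy, reason) for a reply, given the allowed status classes."""
    if code is None:
        return (False, "no HTTP response: check that HTTP is enabled in the "
                       "Interface Mgmt profile and that Security Policy allows the probe")
    cls = status_class(code)
    if cls in allowed:
        return (True, f"{code} is in an allowed class ({cls})")
    return (False, f"{code} ({cls}) is not an allowed class; "
                   "allow it or change the health check path")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python probe.py <untrust-interface-address>")
    host = sys.argv[1]
    # Try both paths against both listener settings (default, and http_3xx unchecked).
    for path in ("/", "/php/login.php"):
        code = probe(host, path)
        for allowed in ({"http_2xx", "http_3xx"}, {"http_2xx"}):
            healthy, reason = verdict(code, allowed)
            state = "Normal" if healthy else "Abnormal"
            print(f"{path:<16} allowed={sorted(allowed)} -> {state}: {reason}")
```

A result of "no HTTP response" on every path points at the cause described in this article rather than at the status code settings.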
Environment
- Platform: PA-VM
- PAN-OS / Plugin Version: Any
Cause
HTTP service was not enabled in the management profile that was attached to the untrust interface connected to the Load Balancer.
Resolution
- Enable HTTP service under Interface Management Profile attached to the interface that connects to the Alibaba Load Balancer.
- This can be done in the GUI: Network > Network Profiles > Interface Mgmt > (select the profile) > click on HTTP and "OK"
- Commit the configuration