Firewall on Azure - no ARP entry on the Internet interface

Created On 05/08/23 01:56 AM - Last Modified 07/17/24 21:19 PM


Symptom


  • The Internet interface (e.g. eth1/1) is configured with a static IP address on the Azure PA firewall
  • No valid ARP entry on the Internet interface
  • Not able to reach the Azure vnet gateway (first IP address in the vnet)


Environment


  • Palo Alto VM based Firewalls
  • Supported PAN-OS
  • Azure Platform


Cause


  • An incorrect subnet mask is configured.
  • In this example, the subnet mask is statically configured as /32. This does not match the subnet mask of the Azure vnet subnet.


Resolution


  1. Manually configure the correct subnet mask and default gateway on the Internet interface.
  2. Alternatively, use DHCP on the Internet interface, which assigns the IP address and subnet mask automatically.
  3. Once configured, confirm the ARP entry for the default gateway using the "show arp all" CLI command.


Additional Information


The default gateway of an Azure vnet is usually the first available IP address of the vnet (see the Azure vnet FAQ).
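
The mismatch described under Cause can be checked offline before a static address is committed. The following is an added example, not part of the original article or vendor code: the function name check_interface and the 10.0.1.x addresses are constructed, and the gateway is assumed to be the first host address of the subnet unless one is passed in.

```python
import ipaddress


def check_interface(if_cidr, azure_subnet_cidr, gateway=None):
    """Return a list of findings for a statically addressed interface.

    if_cidr           -- address/mask as configured on the firewall interface
    azure_subnet_cidr -- address range of the Azure subnet the NIC is attached to
    gateway           -- default gateway; assumed to be the first host address
                         of the subnet when not given
    """
    iface = ipaddress.ip_interface(if_cidr)
    subnet = ipaddress.ip_network(azure_subnet_cidr, strict=True)
    gw = ipaddress.ip_address(gateway) if gateway else subnet.network_address + 1

    findings = []
    if iface.ip not in subnet:
        findings.append(f"{iface.ip} is outside Azure subnet {subnet}")
    if iface.network.prefixlen != subnet.prefixlen:
        findings.append(
            f"mask /{iface.network.prefixlen} does not match "
            f"Azure subnet /{subnet.prefixlen}"
        )
    # ARP is only attempted for addresses inside the connected network derived
    # from the interface's own address and mask. With /32 that network holds
    # only the interface address itself, so the gateway is never resolved.
    if gw == iface.ip or gw not in iface.network:
        findings.append(
            f"gateway {gw} is not on-link for {iface.network}: "
            "no ARP entry expected"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample values: the /32 case from this article, then the fix.
    for cfg in ("10.0.1.4/32", "10.0.1.4/24"):
        result = check_interface(cfg, "10.0.1.0/24")
        print(cfg, "->", result or "OK")
```
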


