Outbound traffic is dropped by VM Series Firewall on Azure
Created On 11/21/22 14:49 PM - Last Modified 07/24/24 22:25 PM
Symptom
- In Azure, outbound traffic from the inside zone to the outside zone facing the public internet is dropped by the VM-series firewall.
- When a client in the outside zone tries to establish a TCP connection to a server in the inside zone in Azure, the firewall receives the initial SYN packet, but drops the server's SYN-ACK response coming from the inside zone.
Environment
- Microsoft Azure
- PA-VM (PAN-OS 10.2.2)
Cause
- In most cloud deployments the PAN-OS network interfaces are configured as DHCP clients, and the (static) IP assignment is performed on the Azure side, from the Azure portal.
- When DHCP is enabled on a network interface, the option "Automatically create default route pointing to default gateway provided by server" is checked, so the firewall installs the default route that the DHCP server hands out.
- As a result, the VM-series firewall imports Azure's default route pointing to 168.63.129.16, Azure's virtual public IP address used to communicate with Azure platform resources.
- If the option is enabled on more than one interface, one default route per interface is installed in the routing table, each with that interface as the egress and all with the same default metric of 10.
- However, only the route that was installed first is marked "Active" (see screenshot below).
- Therefore, if a default static route is added to the virtual router after the network interfaces have been configured with the default route import described above, the "Active" default route still points to Azure's 168.63.129.16, and all traffic that uses the default route (0.0.0.0/0) is blackholed.
- This is explained in the article Default Route Behavior When Using an Interface Acting as DHCP Client.
Resolution
- Select the affected interface(s) under Network > Interfaces.
- Go to the IPv4 tab.
- Uncheck the "Automatically create default route pointing to default gateway provided by server" option.
- Click OK.
- Commit.
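As an added check that is not part of the original article, the following Python parses a routing-table dump in the style of the firewall's `show routing route` output and flags the condition described under Cause: an "Active" 0.0.0.0/0 route whose next hop is 168.63.129.16 while the intended static default route sits inactive. The sample output is constructed, and the column layout (destination, next hop, metric, flags, age, interface) is an assumption about the dump format.

```python
# Added example, not code from the PAN-OS article: detect a blackholed default
# route on an Azure VM-Series firewall from a routing-table dump.
from dataclasses import dataclass

AZURE_PLATFORM_IP = "168.63.129.16"  # Azure virtual public IP (from the article)


@dataclass
class Route:
    destination: str
    nexthop: str
    metric: int
    flags: str       # e.g. "AS" = active + static, "S" = static but inactive
    interface: str


# Constructed sample in the style of `show routing route` (layout is an assumption):
# destination  nexthop  metric  flags  age  interface
SAMPLE_OUTPUT = """\
0.0.0.0/0        168.63.129.16   10   A S   -   ethernet1/1
0.0.0.0/0        168.63.129.16   10     S   -   ethernet1/2
0.0.0.0/0        10.0.1.1        10     S   -   ethernet1/1
10.0.1.0/24      10.0.1.4        0    A C   -   ethernet1/1
"""


def parse_routes(text: str) -> list[Route]:
    """Parse whitespace-separated route lines; flags may span several tokens."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[2].isdigit():
            continue  # skip headers, separators and blank lines
        flags = "".join(parts[3:-2])  # everything between metric and age column
        routes.append(Route(parts[0], parts[1], int(parts[2]), flags, parts[-1]))
    return routes


def dhcp_default_route_interfaces(routes: list[Route]) -> list[str]:
    """Interfaces that imported Azure's DHCP default route: these need the
    'Automatically create default route' option unchecked."""
    return sorted({r.interface for r in routes
                   if r.destination == "0.0.0.0/0" and r.nexthop == AZURE_PLATFORM_IP})


def default_route_blackholed(routes: list[Route]) -> bool:
    """True when the active 0.0.0.0/0 route points at 168.63.129.16 while a
    different (intended) default route exists but is not marked active."""
    defaults = [r for r in routes if r.destination == "0.0.0.0/0"]
    active_to_azure = any("A" in r.flags and r.nexthop == AZURE_PLATFORM_IP for r in defaults)
    real_default_inactive = any("A" not in r.flags and r.nexthop != AZURE_PLATFORM_IP
                                for r in defaults)
    return active_to_azure and real_default_inactive
```

Run it against the output of your own routing table after the commit: once the DHCP-imported routes are gone, `default_route_blackholed` returns False and `dhcp_default_route_interfaces` is empty.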
Additional Information
Microsoft Azure Documentation: What is IP address 168.63.129.16?