Service Route considerations on public-cloud-hosted Firewalls configured in Active / Passive HA.

Created On 03/16/23 18:49 PM - Last Modified 06/07/23 19:50 PM


Symptom


 
  • Floating IPs do not move between your public-cloud-hosted Firewalls on failover.
  • A Service Route is configured for DNS traffic from the Management plane, and that Route at some point sources from, or is source-translated to, one of the aforementioned floating IPs.


Environment


 
  • Firewalls hosted on a public cloud platform are configured in Active / Passive HA and, via the VM-Series Plugin (Palo Alto Networks, Inc., 2023), move floating IPs in the event of a failover.
  • The Firewalls have a Service Route that causes the Firewall to use a dataplane interface (most likely the Trust, Internal, or Private interface) to source DNS traffic for the Management plane.
  • PAN-OS is configured to use one of the aforementioned floating IPs for said Service Route, in one of two ways:
    • DNS traffic is sourced from an interface address that is itself the floating IP and is routed directly to the DNS server, or
    • DNS traffic is sourced from an interface address and then translated by a Source NAT Policy (Palo Alto Networks, Inc., 2023), so that it reaches the DNS server with the floating IP as its source address.


Cause


 
  • In the event of a failover, the VM-Series plugin on the to-be-Active Firewall calls the cloud platform’s API in order to detach the secondary IP configuration from the currently-Active peer and attach it to the to-be-Active peer before the latter transitions to the Active state (Palo Alto Networks, Inc., 2023).
  • In order to do so, the to-be-Active Firewall must first resolve the API’s hostname via DNS; cached entries are not used.
  • The Service Route sends that DNS query (either directly or via a Source NAT Policy) with a floating IP as its source address, but this fails because the to-be-Active Firewall does not yet have the floating IP attached to it. Without name resolution the API call is never made, and the floating IP never moves.


Resolution


 
  • Do not use Service Routes for DNS, or for anything else that might hinder the flow of Management traffic to the cloud provider’s APIs; leave that traffic on the Management interface.
  • If a Service Route must absolutely be used, configure it such that Management traffic to the cloud provider’s APIs is neither sourced from nor translated to a floating IP (for example, source it from the dataplane interface’s own primary address, which is not moved by the plugin), and validate the change with a test failover by confirming that the floating IP moves to the new Active peer.
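
As a pre-flight check for the configurations described above, the following Python script is added here as an example; it is not part of this article and is not a Palo Alto Networks tool. It parses a "set"-format configuration export, works out which address Management-plane DNS queries would actually leave with (the Service Route's own source address, or the address a Source NAT rule rewrites it to), and flags the configuration if that address is one of the floating IPs the plugin moves on failover. The configuration lines are constructed samples, the "set" command syntax is assumed, and the SNAT matching only looks at the rule's "from" zone, so it is deliberately conservative.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample configs in PAN-OS "set" command form (syntax assumed, not
# from the article). ethernet1/2 is the Trust interface; 10.0.2.100 is the
# floating (cloud secondary) IP that the VM-Series plugin moves on failover.
FLOATING_IPS = {"10.0.1.100", "10.0.2.100"}

BASE = """
set network interface ethernet ethernet1/2 layer3 ip 10.0.2.4/24
set network interface ethernet ethernet1/2 layer3 ip 10.0.2.100/24
set zone Trust network layer3 ethernet1/2
"""

# Weak form 1: the DNS Service Route is sourced directly from the floating IP.
WEAK_DIRECT = BASE + """
set deviceconfig system route service dns source interface ethernet1/2
set deviceconfig system route service dns source address 10.0.2.100/24
"""

# Weak form 2: sourced from the primary IP, but a SNAT rule rewrites it.
WEAK_SNAT = BASE + """
set deviceconfig system route service dns source interface ethernet1/2
set deviceconfig system route service dns source address 10.0.2.4/24
set rulebase nat rules SNAT-DNS from Trust
set rulebase nat rules SNAT-DNS source-translation static-ip translated-address 10.0.2.100
"""

# Fixed: sourced from the primary IP, with no translation to a floating IP.
FIXED = BASE + """
set deviceconfig system route service dns source interface ethernet1/2
set deviceconfig system route service dns source address 10.0.2.4/24
"""

_ZONE = re.compile(r"^set zone (\S+) network layer3 (\S+)$")
_DNS_IFACE = re.compile(r"^set deviceconfig system route service dns source interface (\S+)$")
_DNS_ADDR = re.compile(r"^set deviceconfig system route service dns source address (\S+)$")
_NAT_FROM = re.compile(r"^set rulebase nat rules (\S+) from (\S+)$")
_NAT_XLATE = re.compile(
    r"^set rulebase nat rules (\S+) source-translation \S+ translated-address (\S+)$")


def _bare(addr: str) -> str:
    """Drop a /prefix so 10.0.2.100/24 and 10.0.2.100 compare equal."""
    return addr.split("/")[0]


@dataclass
class Config:
    iface_zone: Dict[str, str] = field(default_factory=dict)   # interface -> zone
    dns_iface: Optional[str] = None
    dns_addr: Optional[str] = None
    nat_from: Dict[str, str] = field(default_factory=dict)     # rule -> from zone
    nat_xlate: Dict[str, str] = field(default_factory=dict)    # rule -> translated IP


def parse(text: str) -> Config:
    """Pick out only the lines that matter for the DNS Service Route question."""
    cfg = Config()
    for line in text.splitlines():
        line = line.strip()
        if m := _ZONE.match(line):
            cfg.iface_zone[m.group(2)] = m.group(1)
        elif m := _DNS_IFACE.match(line):
            cfg.dns_iface = m.group(1)
        elif m := _DNS_ADDR.match(line):
            cfg.dns_addr = _bare(m.group(1))
        elif m := _NAT_FROM.match(line):
            cfg.nat_from[m.group(1)] = m.group(2)
        elif m := _NAT_XLATE.match(line):
            cfg.nat_xlate[m.group(1)] = _bare(m.group(2))
    return cfg


def effective_dns_source(cfg: Config) -> Tuple[Optional[str], str]:
    """Address Management-plane DNS queries leave with, and why.

    Mirrors the two paths in the Environment section: the Service Route's own
    source address, unless a SNAT rule whose "from" zone covers the Service
    Route interface rewrites it. Other NAT match criteria are ignored.
    """
    if cfg.dns_addr is None:
        return None, "no DNS Service Route; queries use the Management interface"
    zone = cfg.iface_zone.get(cfg.dns_iface)
    for name, xlate in cfg.nat_xlate.items():
        if cfg.nat_from.get(name) in (zone, "any"):
            return xlate, f"SNAT rule {name} translates the source to {xlate}"
    return cfg.dns_addr, f"Service Route sources queries directly from {cfg.dns_addr}"


def check(config_text: str, floating_ips: Set[str]) -> List[str]:
    """Return findings; an empty list means the config survives a failover."""
    src, reason = effective_dns_source(parse(config_text))
    if src in floating_ips:
        return [f"DNS for cloud API calls leaves from floating IP {src} ({reason}); "
                "the to-be-Active peer does not own that IP yet, so resolution fails"]
    return []


if __name__ == "__main__":
    for label, text in (("direct", WEAK_DIRECT), ("snat", WEAK_SNAT), ("fixed", FIXED)):
        print(label, check(text, FLOATING_IPS) or ["OK"])
```

Run it against a real export by reading the "set" output into a string and passing the secondary IPs from the cloud NIC configuration as the floating set; anything the script flags is a Service Route that will break the plugin's API call at exactly the moment the floating IP is needed.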


Additional Information


 

References

Palo Alto Networks, Inc. (2023, 02 13). Source NAT. Palo Alto Networks TechDocs. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/source-nat-and-destination-nat/source-nat

Palo Alto Networks, Inc. (2023, 02 15). Set up Active/Passive HA on Azure. Palo Alto Networks TechDocs. https://docs.paloaltonetworks.com/vm-series/11-0/vm-series-deployment/set-up-the-vm-series-firewall-on-azure/configure-activepassive-ha-for-vm-series-firewall-on-azure

Palo Alto Networks, Inc. (2023, 03 13). VM-Series Plugin and Panorama Plugins. Palo Alto Networks TechDocs. https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-plugins/plugins-types


