Palo Alto Firewall and Static Route Problems

Hello!

I’m working on integrating a new Palo Alto firewall into a setup, but I’m having some trouble getting the Peplink Balance router to accept traffic and make the correct routes to the correct remote VPN networks.

I’ll attach a diagram, but the basics of the system are that the PA firewall is the default gateway, installed in the route table is a static route that does a next hop IP address to the LAN IP address of the Balance 380 in our facility, that should route that traffic accordingly to remote sites, and replies come through the same path back.

The weird part is that I am able to ping any/all devices on the remote network, but I am unable to get any other traffic to pass correctly. I’ve disabled all the rules/policies on the firewall, it just seems like the traffic doesn’t make it.

Am I just going about the architecture wrong? I had an edgerouter infinity in the place of the PA before, and those static routes seemed to work okay, but I’ve tried everything I can think of and am wondering if there’s a setting I need to modify on the Balance to accept the traffic and forward it.

You mentioned the Palo Alto firewall is the default gateway so it is routing between two interfaces then? If so, is the Palo Alto doing a NAT? Is the Balance deployed as drop-in mode or NAT mode?

The PA is the gateway at one site, but the HD4 is the gateway at the other site. So internet traffic at both sites will go through their own gateways, unless it is destined for a subnet at a remote site. There are more HD4’s in the picture here, but we’re ignoring those for now.

The PA is doing NAT for internet traffic at site A, the HD4 is doing NAT for the internet at Site B. Currently they’re not deployed as purely drop-in mode, I’m just using them in NAT mode and passing traffic destined for other subnets into the LAN port, which worked until I had to make the same static routes in the new firewall.

The crux of it all, is why can I ping, but not move anything else?

OK, so an HD4 LAN client would not get a NAT when going through the VPN. The firewall knows how to get to those remote networks by pointing to the Balance but does it have a NAT exemption policy for this traffic?

Source = remote private networks
Destination = local private network
Don’t NAT

Source = local private network
Destination = remote private networks
Don’t NAT

Is it possible that ping requests are getting to the Site A network but the PA is doing a NAT with the ping response?
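To make the two "Don't NAT" exemptions above concrete, here is a small added model of a top-down NAT rulebase (example code written for this thread, not configuration from Peplink or Palo Alto). It shows why the order of the rules matters: if the general internet source-NAT rule sits above the exemptions, the first match wins and replies heading to a remote private subnet leave with the firewall's public address as their source, which is exactly the kind of translated ping response the reply asks about. The 10.60.100.0/24 LAN comes from the thread; the remote subnets, the public IP and the rule names are constructed placeholders.

```python
"""Toy first-match NAT policy evaluator (added example, not from the thread).

Models the "don't NAT private-to-private traffic" exemption and a
shadowing check for rule order. All addresses except 10.60.100.0/24 are
constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Site A LAN is taken from the thread; remote networks and the public IP
# are assumed values for the example (203.0.113.0/24 is a documentation range).
LOCAL_NET = ip_network("10.60.100.0/24")
REMOTE_NETS = [ip_network("10.70.0.0/24"), ip_network("10.80.0.0/24")]
PUBLIC_IP = ip_address("203.0.113.10")
ANY = ip_network("0.0.0.0/0")


@dataclass
class NatRule:
    name: str
    sources: List[IPv4Network]
    destinations: List[IPv4Network]
    translate_to: Optional[IPv4Address]  # None means "don't NAT"


def matches(rule: NatRule, src: IPv4Address, dst: IPv4Address) -> bool:
    """A rule matches when source and destination each fall in one of its networks."""
    return any(src in n for n in rule.sources) and any(dst in n for n in rule.destinations)


def apply_nat(rules: List[NatRule], src: IPv4Address, dst: IPv4Address) -> Tuple[Optional[str], IPv4Address]:
    """Top-down, first match wins. Returns (matched rule name, source after translation)."""
    for rule in rules:
        if matches(rule, src, dst):
            return rule.name, (rule.translate_to if rule.translate_to is not None else src)
    return None, src


def shadowed_rules(rules: List[NatRule]) -> List[str]:
    """Heuristic order check: a don't-NAT rule is shadowed when an earlier rule
    already matches a representative host pair from its source/destination nets."""
    shadowed: List[str] = []
    for i, rule in enumerate(rules):
        if rule.translate_to is not None:
            continue
        for s_net in rule.sources:
            for d_net in rule.destinations:
                src, dst = next(s_net.hosts()), next(d_net.hosts())
                hit, _ = apply_nat(rules[:i], src, dst)
                if hit is not None and rule.name not in shadowed:
                    shadowed.append(rule.name)
    return shadowed


# The general outbound internet rule plus the two exemptions from the reply.
OUTBOUND = NatRule("internet-snat", [LOCAL_NET], [ANY], PUBLIC_IP)
NO_NAT_OUT = NatRule("no-nat-local-to-remote", [LOCAL_NET], REMOTE_NETS, None)
NO_NAT_IN = NatRule("no-nat-remote-to-local", REMOTE_NETS, [LOCAL_NET], None)

BROKEN = [OUTBOUND]                        # no exemption: VPN replies get NATed
MISORDERED = [OUTBOUND, NO_NAT_OUT, NO_NAT_IN]  # exemptions present but shadowed
FIXED = [NO_NAT_OUT, NO_NAT_IN, OUTBOUND]  # exemptions first, internet rule last


def check(rules: List[NatRule], src: str, dst: str) -> Tuple[Optional[str], IPv4Address]:
    """Convenience wrapper taking dotted-quad strings."""
    return apply_nat(rules, ip_address(src), ip_address(dst))


if __name__ == "__main__":
    for label, rb in (("broken", BROKEN), ("misordered", MISORDERED), ("fixed", FIXED)):
        print(label, check(rb, "10.60.100.50", "10.70.0.20"), "shadowed:", shadowed_rules(rb))
```

Running the block prints the rule hit and the resulting source address for a local host replying to a remote VPN host under each rulebase; only the "fixed" ordering keeps the private source intact while still translating real internet-bound traffic. The shadowing check is a quick sanity test of the order before looking further at the return path.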

Continuing the discussion from Palo Alto Firewall and Static Route Problems:

So I went back through it, I confirmed that there is no NAT happening based on the firewall logs, but I did also find a startling lack of traffic coming from the Balance 380 back into the firewall, where it would need to go as the default gateway in order to reach the subnets correctly, I imagine.

Currently, the firewall LAN IP for the 10.60.100.0/24 resides at 10.60.100.43, and the Palo Alto firewall points traffic to that .43 address as the next hop, on that network interface (a vlan inside an aggregate ethernet device). Traffic is taking the right route, using the right policy, the return traffic is just getting lost somewhere.

Would it be a better idea to just make this its own interface altogether? Do I need to configure the balance in drop-in mode to make this work? I’d rather not put it in the way of our primary internet connection, even though that would be the easiest solution here.

This article is essentially my workflow, except for the HD4 is also the firewall at the remote site, but won’t be for very long. I’m working on duplicating this as well, but any other things I should try would be appreciated.