cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

question about Route tables and network virtual appliance

hobbssj
Brass Contributor

‎Jan 06 2021 05:26 AM - edited ‎Jan 06 2021 12:13 PM

‎Jan 06 2021 05:26 AM - edited ‎Jan 06 2021 12:13 PM

question about Route tables and network virtual appliance

I'm setting up routing in Azure using a Network Virtual Appliance firewall. 

 

I have all of the routing working to and from the virtual gateway to on perm, however I am struggling to configure the Routing to the internet for azure internal hosts.

 

The internal host and firewall are each in their own subnets. 10.0.7.0/24 and 10.0.1.0/24 respectively. 

 

All the NIC's associated with the firewall have forwarding enabled in Azure and port 4 has a public IP assigned. There are no NSG’s in place.

 

The internal host subnet route table has a route for 0.0.0.0/0 with a destination of the firewall interface on port 2 (10.0.1.5)

 

The firewall has a route for 0.0.0.0/0 to its gateway 10.0.1.1 via port 4 (10.0.1.7) and a route for 10.0.7.0/24 to its gateway 10.0.1.1 via port 2  

The firewall also has a policy allowing traffic on 10.0.1.5 and nating it out port 4 

 

I can see that the firewall is receiving and allowing the traffic to the internet however, there is still no internet connectivity on the internal host.

I’m wondering the firewall subnet need a route table, however I cannot figure out what routes I would  configure without looping the traffic.

 

 

 

Thoughts? 

 

 

Preview file
25 KB
4,841 Views
1 Like
7 Replies
Reply
7 Replies
ibnmbodji

‎Jan 06 2021 11:27 AM

‎Jan 06 2021 11:27 AM

Re: question about Route tables and network virtual appliance

Hi i think you need to draw a diagram so we can see all the flows and try to identify what's wrong . By the way have you tried  the native network troubleshooting tools : 

 

IP Flow Verify 

Connection Monitor 

Effective Security Rules 

Effective routes 

0 Likes
Reply
hobbssj

‎Jan 06 2021 12:31 PM

‎Jan 06 2021 12:31 PM

Re: question about Route tables and network virtual appliance

@ibnmbodji 

 

Thanks for you reply I attached a diagram 

 

I have not tried the troubleshooting tools. I will try them

0 Likes
Reply
ibnmbodji

‎Jan 06 2021 01:15 PM - edited ‎Jan 06 2021 01:18 PM

‎Jan 06 2021 01:15 PM - edited ‎Jan 06 2021 01:18 PM

Re: question about Route tables and network virtual appliance

@hobbssj 

 

It's more clear   

 

0.0.0.0/0 -----> 10.0.1.5   : Ok you are sending traffic  to the private IP of the Firewall 

but 10.0.0.1.5 have no way to send the traffic to the Internet ( I don't see any public IP attached to this interface ). The Public Facing Subnet should have both private and public . 

 

Can you try to change the  route to this : 0.0.0.0/0 -------->10.0.1.7 and see if in the Host you can see the Internet .  

What is the type of NVA you are using Fortinet Palo Alto  Checkpoint ?  

I've already deployed a fortinet next gen firewall and the issue i faced was similar 

may be there is some specific  guidelines from your vendor .

 

 

0 Likes
Reply
hobbssj

‎Jan 07 2021 07:42 AM

‎Jan 07 2021 07:42 AM

Re: question about Route tables and network virtual appliance

@ibnmbodji 

 

We are using a fortigate Appliance 

 

Out design calls for all internet bound vnet traffic to be routed through the same interface. so the fortigate is using a firewall policy to receive traffic on the 10.0.1.5 interface and and send it out the 10.0.1.7 interface.

 

The 10.0.1.7 interface has a public ip attached to it

 

I have noticed that the traffic is being routed to the internet, it seems that is just not coming back

 

On each attempt I see the same three events in the firewall log 

 

Accept session start

Accept IP Connection Error 

Accept Session timeout 

 

Looking a bit further I see that the error indicates that the gate is not receiving a reply from the started session 

 

ip-conn traffic action in logs (fortinet.com)

 

Any chance this is similar to your issue?

0 Likes
Reply
ibnmbodji

‎Jan 07 2021 10:35 AM - edited ‎Jan 07 2021 10:36 AM

‎Jan 07 2021 10:35 AM - edited ‎Jan 07 2021 10:36 AM

Re: question about Route tables and network virtual appliance

@hobbssj 

 

No it's not the same , this one seems more complex  

 

I think you need to review the doc on network interfaces and routes 

Azure Cookbook | FortiGate / FortiOS 6.2.0 | Fortinet Documentation Library

and also the use of public interfaces  

Azure Cookbook | FortiGate / FortiOS 6.2.0 | Fortinet Documentation Library

 

Also network watcher can give more inputs in Azure side . 

 

0 Likes
Reply
best response confirmed by hobbssj (Brass Contributor)
hobbssj

‎Jan 18 2021 08:33 AM

‎Jan 18 2021 08:33 AM

Solution

Re: question about Route tables and network virtual appliance

@ibnmbodji 

 

Got this resolved, 

 

the fortigate does not support mutiple interfaces in the same subnet, I ended up putting the interfaces in the host subnets and it worked. 

 

 

1 Like
Reply
ibnmbodji

‎Jan 18 2021 08:36 AM

‎Jan 18 2021 08:36 AM

Re: question about Route tables and network virtual appliance

@hobbssj 

 

Awsome,  Thanks for the feedback 

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by hobbssj (Brass Contributor)
hobbssj

‎Jan 18 2021 08:33 AM

‎Jan 18 2021 08:33 AM

Solution

Re: question about Route tables and network virtual appliance

@ibnmbodji 

 

Got this resolved, 

 

the fortigate does not support mutiple interfaces in the same subnet, I ended up putting the interfaces in the host subnets and it worked. 

 

 

View solution in original post

1 Like
Reply