Jan 06 2021 05:26 AM - edited Jan 06 2021 12:13 PM
I'm setting up routing in Azure using a Network Virtual Appliance firewall.
I have all of the routing working to and from the virtual gateway to on-prem; however, I am struggling to configure the routing to the internet for Azure internal hosts.
The internal host and firewall are each in their own subnets, 10.0.7.0/24 and 10.0.1.0/24 respectively.
All the NICs associated with the firewall have forwarding enabled in Azure, and port 4 has a public IP assigned. There are no NSGs in place.
The internal host subnet route table has a route for 0.0.0.0/0 with a destination of the firewall interface on port 2 (10.0.1.5).
The firewall has a route for 0.0.0.0/0 to its gateway 10.0.1.1 via port 4 (10.0.1.7) and a route for 10.0.7.0/24 to its gateway 10.0.1.1 via port 2.
The firewall also has a policy allowing traffic on 10.0.1.5 and NATing it out port 4.
I can see that the firewall is receiving and allowing the traffic to the internet; however, there is still no internet connectivity on the internal host.
I'm wondering if the firewall subnet needs a route table; however, I cannot figure out what routes I would configure without looping the traffic.
Thoughts?
Jan 06 2021 11:27 AM
Hi, I think you need to draw a diagram so we can see all the flows and try to identify what's wrong. By the way, have you tried the native network troubleshooting tools:
IP Flow Verify
Connection Monitor
Effective Security Rules
Effective routes
Jan 06 2021 12:31 PM
Thanks for your reply. I attached a diagram.
I have not tried the troubleshooting tools. I will try them.
Jan 06 2021 01:15 PM - edited Jan 06 2021 01:18 PM
It's clearer.
0.0.0.0/0 -----> 10.0.1.5: OK, you are sending traffic to the private IP of the firewall,
but 10.0.1.5 has no way to send the traffic to the Internet (I don't see any public IP attached to this interface). The public-facing subnet should have both private and public.
Can you try to change the route to this: 0.0.0.0/0 --------> 10.0.1.7 and see if in the host you can see the Internet.
What is the type of NVA you are using: Fortinet, Palo Alto, Check Point?
I've already deployed a Fortinet next-gen firewall and the issue I faced was similar.
Maybe there are some specific guidelines from your vendor.
Jan 07 2021 07:42 AM
We are using a FortiGate appliance.
Our design calls for all internet-bound VNet traffic to be routed through the same interface, so the FortiGate is using a firewall policy to receive traffic on the 10.0.1.5 interface and send it out the 10.0.1.7 interface.
The 10.0.1.7 interface has a public IP attached to it.
I have noticed that the traffic is being routed to the internet; it seems that it is just not coming back.
On each attempt I see the same three events in the firewall log:
Accept session start
Accept IP Connection Error
Accept Session timeout
Looking a bit further, I see that the error indicates that the gate is not receiving a reply from the started session:
ip-conn traffic action in logs (fortinet.com)
Any chance this is similar to your issue?
Jan 07 2021 10:35 AM - edited Jan 07 2021 10:36 AM
No, it's not the same; this one seems more complex.
I think you need to review the doc on network interfaces and routes:
Azure Cookbook | FortiGate / FortiOS 6.2.0 | Fortinet Documentation Library
and also the use of public interfaces:
Azure Cookbook | FortiGate / FortiOS 6.2.0 | Fortinet Documentation Library
Also, Network Watcher can give more inputs on the Azure side.
Jan 18 2021 08:33 AM
Solution
Got this resolved: the FortiGate does not support multiple interfaces in the same subnet. I ended up putting the interfaces in the host subnets and it worked.
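A constructed check, added here and not written by any poster in this thread, that models the original question's layout (host subnet UDR pointing at the NVA's port 2, both NVA NICs in 10.0.1.0/24) and the resolved layout from this post. It does Azure-style longest-prefix matching over the route table and then flags the conditions the thread touches on: next hop not an NVA NIC or lacking IP forwarding, no public IP for egress, and two NVA NICs sharing a subnet. The public IP 203.0.113.10 and the post-fix port 2 address 10.0.7.4 are assumed values.

```python
import ipaddress

# Constructed model of the thread's layout; private addresses follow the posts,
# the public IP and the post-fix port2 address (10.0.7.4) are placeholders.
ROUTES_BEFORE = [("10.0.7.0/24", "VnetLocal", None), ("0.0.0.0/0", "VirtualAppliance", "10.0.1.5")]
NICS_BEFORE = {  # as originally deployed: port2 and port4 both sit in the firewall subnet
    "port2": {"ip": "10.0.1.5", "subnet": "10.0.1.0/24", "ip_forwarding": True, "public_ip": None},
    "port4": {"ip": "10.0.1.7", "subnet": "10.0.1.0/24", "ip_forwarding": True, "public_ip": "203.0.113.10"},
}
ROUTES_AFTER = [("10.0.7.0/24", "VnetLocal", None), ("0.0.0.0/0", "VirtualAppliance", "10.0.7.4")]
NICS_AFTER = {  # after the fix: port2 moved into the host subnet
    "port2": {"ip": "10.0.7.4", "subnet": "10.0.7.0/24", "ip_forwarding": True, "public_ip": None},
    "port4": {"ip": "10.0.1.7", "subnet": "10.0.1.0/24", "ip_forwarding": True, "public_ip": "203.0.113.10"},
}

def next_hop(routes, dst_ip):
    """Azure-style longest-prefix match over a route table: returns (hop_type, hop_ip)."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, hop_type, hop_ip in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop_type, hop_ip)
    return (best[1], best[2]) if best else (None, None)

def lint_nva(routes, nics):
    """Return the findings a reviewer would raise for the host subnet's internet path."""
    findings = []
    hop_type, hop_ip = next_hop(routes, "198.51.100.1")  # any internet destination
    if hop_type != "VirtualAppliance":
        return ["default route does not point at the NVA"]
    ingress = [n for n, c in nics.items() if c["ip"] == hop_ip]
    if not ingress:
        findings.append(f"next hop {hop_ip} is not an NVA interface")
    elif not nics[ingress[0]]["ip_forwarding"]:
        findings.append(f"{ingress[0]} lacks IP forwarding; Azure drops packets not addressed to it")
    if not any(c["public_ip"] for c in nics.values()):
        findings.append("no NVA interface carries a public IP for SNAT egress")
    by_subnet = {}
    for name, c in nics.items():
        by_subnet.setdefault(c["subnet"], []).append(name)
    for subnet, names in by_subnet.items():
        if len(names) > 1:  # the limitation this thread ended on
            findings.append(f"{' and '.join(names)} share subnet {subnet} (unsupported on the FortiGate)")
    return findings

if __name__ == "__main__":
    print(lint_nva(ROUTES_BEFORE, NICS_BEFORE))  # one finding: shared subnet
    print(lint_nva(ROUTES_AFTER, NICS_AFTER))    # []
```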