question about Route tables and network virtual appliance

I'm setting up routing in Azure using a Network Virtual Appliance firewall.

I have all of the routing working to and from the virtual gateway to on-prem; however, I am struggling to configure the routing to the internet for Azure internal hosts.


The internal host and firewall are each in their own subnets, and respectively.


All the NICs associated with the firewall have forwarding enabled in Azure, and port 4 has a public IP assigned. There are no NSGs in place.


The internal host subnet route table has a route for with a destination of the firewall interface on port 2 (


The firewall has a route for to its gateway via port 4 ( and a route for to its gateway via port 2.

The firewall also has a policy allowing traffic on and NATing it out port 4.


I can see that the firewall is receiving and allowing the traffic to the internet; however, there is still no internet connectivity on the internal host.

I'm wondering if the firewall subnet needs a route table; however, I cannot figure out what routes I would configure without looping the traffic.
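The loop concern raised above, worked through as an added example (not code from the poster, Azure or Fortinet): a small model of Azure effective-route selection (system routes plus user-defined routes, longest prefix wins) that traces a host's internet-bound packet into the firewall subnet and flags the layout where the firewall subnet's own default route points back at the NVA. The VNet, subnets, destination addresses and the NVA "port 2" IP are constructed placeholders, since the thread's real prefixes are not shown.

```python
import ipaddress

# Constructed sample addressing; the thread does not show the real prefixes.
VNET = ipaddress.ip_network("10.0.0.0/16")
HOST_SUBNET = ipaddress.ip_network("10.0.1.0/24")
FW_SUBNET = ipaddress.ip_network("10.0.2.0/24")
FW_INSIDE_IP = ipaddress.ip_address("10.0.2.4")  # hypothetical NVA "port 2" address
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
INTERNET_DST = ipaddress.ip_address("203.0.113.10")
INTERNAL_DST = ipaddress.ip_address("10.0.1.20")
# Routes are (prefix, next_hop_type, next_hop_ip). Every Azure subnet starts with
# system routes for the VNet address space and a default route to the Internet edge.
SYSTEM_ROUTES = [(VNET, "VnetLocal", None), (DEFAULT, "Internet", None)]

def effective_routes(udrs):
    """A user-defined route with the same prefix as a system route replaces it."""
    table = {r[0]: r for r in SYSTEM_ROUTES}
    table.update({r[0]: r for r in udrs})
    return list(table.values())

def lookup(routes, dst):
    """Longest-prefix match over the effective routes."""
    return max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)

def trace(tables, src_subnet, dst, max_hops=8):
    """Follow next hops subnet by subnet; returns (path, looped)."""
    path, seen, subnet = [], set(), src_subnet
    while len(path) < max_hops:
        _, hop_type, hop_ip = lookup(effective_routes(tables[subnet]), dst)
        path.append((str(subnet), hop_type))
        if hop_type != "VirtualAppliance":
            return path, False  # delivered in-VNet or handed to the Internet edge
        if (subnet, hop_ip) in seen:
            return path, True   # the same NVA hop again: a routing loop
        seen.add((subnet, hop_ip))
        # Simplification: the NVA forwards out of the subnet holding the next-hop interface.
        subnet = next(s for s in tables if hop_ip in s)
    return path, True

# Host subnet hands its default route to the firewall; the firewall subnet keeps the
# system Internet route so the NVA's outbound traffic leaves through Azure's edge.
GOOD_TABLES = {HOST_SUBNET: [(DEFAULT, "VirtualAppliance", FW_INSIDE_IP)], FW_SUBNET: []}
# Pointing the firewall subnet's default route back at the NVA is the looping layout.
LOOPING_TABLES = {HOST_SUBNET: [(DEFAULT, "VirtualAppliance", FW_INSIDE_IP)],
                  FW_SUBNET: [(DEFAULT, "VirtualAppliance", FW_INSIDE_IP)]}

if __name__ == "__main__":
    for name, tables in (("good", GOOD_TABLES), ("looping", LOOPING_TABLES)):
        print(name, trace(tables, HOST_SUBNET, INTERNET_DST))
```

The good layout leaves the firewall subnet without a default UDR, which is what keeps the NVA's own egress from being steered back into itself; compare with the effective routes Network Watcher reports for each NIC.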

7 Replies

Hi, I think you need to draw a diagram so we can see all the flows and try to identify what's wrong. By the way, have you tried the native network troubleshooting tools:

IP Flow Verify
Connection Monitor
Effective Security Rules
Effective routes



Thanks for your reply. I attached a diagram.

I have not tried the troubleshooting tools. I will try them.



It's more clear -----> : OK, you are sending traffic to the private IP of the firewall, but have no way to send the traffic to the Internet (I don't see any public IP attached to this interface). The Public Facing Subnet should have both private and public.

Can you try to change the route to this: --------> and see if in the host you can see the Internet.

What is the type of NVA you are using: Fortinet, Palo Alto, Checkpoint?

I've already deployed a Fortinet next-gen firewall and the issue I faced was similar; maybe there are some specific guidelines from your vendor.





We are using a FortiGate appliance.

Our design calls for all internet-bound VNet traffic to be routed through the same interface, so the FortiGate is using a firewall policy to receive traffic on the interface and send it out the interface.

The interface has a public IP attached to it.

I have noticed that the traffic is being routed to the internet; it seems that it is just not coming back.


On each attempt I see the same three events in the firewall log:

Accept session start
Accept IP Connection Error
Accept Session timeout

Looking a bit further, I see that the error indicates that the gate is not receiving a reply from the started session.


ip-conn traffic action in logs (


Any chance this is similar to your issue?



No, it's not the same; this one seems more complex.

I think you need to review the doc on network interfaces and routes:

Azure Cookbook | FortiGate / FortiOS 6.2.0 | Fortinet Documentation Library

and also the use of public interfaces:

Azure Cookbook | FortiGate / FortiOS 6.2.0 | Fortinet Documentation Library

Also, Network Watcher can give more inputs on the Azure side.


best response confirmed by hobbssj (Brass Contributor)



Got this resolved.

The FortiGate does not support multiple interfaces in the same subnet. I ended up putting the interfaces in the host subnets and it worked.





Awesome, thanks for the feedback.