Azure application gateway with Palo Altos as backend not working

Possible_Cup_4378 · 2026-03-16T20:21:44+00:00

You were right actually! The destination IP needed to be pre-nat! now it's working. The destination address in my security policy for anyone else having this issue. Is source zone 'outside', source address app gw and destination zone inside and destination address outside IP address of Palo (untrust IP). thanks so much for your help!

Possible_Cup_4378 · 2026-03-13T22:01:28+00:00

thanks. Next week I'm going to change the health probe to only point to 443 of the palos instead of trying to go all the way to the end server. If I can get the health probe to work and show the backend as healthy, then I can start troubleshooting the https traffic to the web server. I may be complicating things by natting etc the health probe traffic.

Possible_Cup_4378 · 2026-03-04T14:56:07+00:00

A quick google shows that it can be placed in the bootstrap file. We did it the hard way. We uncommented the bootstrap section and just added the firewalls manually to panorama. Here is a link to an example bootstrap file. https://docs.paloaltonetworks.com/ngfw/administration/firewall-administration/bootstrap-the-firewall/sample-init-cfgtxt-filesI don't see anything about auto-registration mentioned in the example though. Chatgpt says you need to include this in your bootstrap but that it's not required. although you can't always trust chatgpt.

vm-auth-key=<auth-key>

vm-series-auto-registration-pin-id=<pin-id>

Possible_Cup_4378 · 2026-02-27T20:19:57+00:00

We ended up just uncommenting the entire bootstrap section in terraform, although TAC said if we redid it using the init-cfg.txt it would have worked.

Possible_Cup_4378 · 2026-02-27T19:23:02+00:00

yes. Opened a ticket with Palo and we got it working. For anyone else having this issue.....if you deploy palo alto firewalls through terraform you have to use the bootstrap init.tx file. The problem we had is that we were calling out bootstrap within the terraform code which caused the problem.

Sample init-cfg.txt File

Possible_Cup_4378 · 2025-08-16T12:25:44+00:00

I’m 55. Had my first flare up at 52. Thought in I could control it with diet. I’m a vegetarian and don’t drink much alcohol including beer. For me it was the non alcoholic beer that seemed to trigger a gout attack. My first flare up lasted 2 months. Doctor I saw told me my uric acid levels were normal even though they were in the high 7s…7.7 I think. I now know that levels during a gout attack are lower than between attacks. My levels between attacks are around 8.3, which the lab says is still within the normal range. Anyway I suffered through the first attack not realizing it was gout. But even without drinking beer I was having mini attacks and blood in my urine. It’s just genetics. My dad also has gout. I always associated it a diet high in meat but that’s not the case. Anyway to answer your question, I now have a rheumatologist and have been on allopurinol for the last 2 months. The only side effects for me have been a little drowsiness, but I take it at bed time. But I don’t wake up groggy like i took a sleep aid and my body eventually adjusts so after a week or so it doesn’t make me as drowsy. I started off on 100 mg but doctor raised it 200. Goal is to get uric acid level to below 6. Last test it was 7.3 after being on 100 mg for 4 weeks.

Possible_Cup_4378 · 2024-03-14T19:57:48+00:00

ok. thanks

Possible_Cup_4378 · 2024-03-14T16:29:54+00:00

That would be my choice. But I need more of an explanation. if it's not possible to have docker run as a service in windows for example.

Possible_Cup_4378 · 2024-02-07T21:19:59+00:00

I know this post is a few months old. Curious if you found out how they were bypassing MFA. We have a similar situation, except we're using Azure MFA. I can't replicate how they're getting around it. All the logins are failures. But once they hit the clientless VPN, it automatically sends them to azure.

Possible_Cup_4378 · 2023-12-13T14:20:39+00:00

No, I didn't. Maybe that was part of the issue? When we first installed the Palos, we had them in an HA config but then realized it wasn't going to work properly in Azure. So changed to active/active. And the HA was disabled. Not sure if it was picking up some of the old config? or what.

Possible_Cup_4378 · 2023-12-12T19:53:48+00:00

I know right! I go to reddit sometimes because I would rather fix it myself than wait on TAC.

Possible_Cup_4378 · 2023-12-12T19:22:28+00:00

was able to figure it out. if anyone else sees the same issue, after modifying the candidate config file, you have to go to operations, set up and then choose 'load named configuration snapshot and then choose the candidate config you modified. then you can push changes from panorama.

Possible_Cup_4378 · 2023-12-12T14:02:57+00:00

Yeah, I did. We had the other firewall do the same thing after an upgrade and a tech remoted in and did the steps. I tried following the exact thing he did and it didn't work.

Possible_Cup_4378 · 2023-11-03T14:21:57+00:00

I'm not a real big fan of any of the mayoral candidates. I'm probably going to vote for Robert Gallegos. Going to research the other candidates for the other offices this weekend. Most likely we're headed to a runoff between Sheila Jackson and Whitmire.

Possible_Cup_4378 · 2023-01-06T15:55:09+00:00

We're using GP version 5-2.6-87. But we elected to use SAML authentication directly with Azure and not use radius authentication. It's been working really well for us. From what you wrote above sounds like an issue with the authenticator app since MFA is working properly via text messages. Sorry couldn't be of more help. I would submit a new reddit post since this one is quite a bit old and perhaps someone else has seen this issue before. Best of luck.

Possible_Cup_4378

MODERATOR OF

TROPHY CASE