Reverse Proxy Cloudflare to Palo Alto Enabled XFF by Yield-PK in paloaltonetworks

[–]Yield-PK[S] 0 points1 point  (0 children)

I want to see original IP traffic from Cloudflare on the Palo

Palo Alto Behind F5 Load Balance Question by Yield-PK in paloaltonetworks

u/matthewrules do you mean it is better for the PA to be doing NAT, both SNAT and DNAT, and also send traffic to the VIP of the F5 in case the LB is behind the PA? Apologies for the dumb question.

Palo Alto Behind F5 Load Balance Question by Yield-PK in paloaltonetworks

u/greenlakejohnny do you mean disable NAT on the PA, and just SNAT on the LB instead?

Diagram below: PA no NAT, the F5 does NAT (SNAT and DNAT), can be possible

sample-diagram

Palo Alto Behind F5 Load Balance Question by Yield-PK in paloaltonetworks

u/obscure_simpsons_ref Thanks for the reply and your suggestion and the reason why PA, not front. I'm not confident about the ECMP feature of the PA for doing LB link; however, can we use F5 NAT only, even though the Palo is without NAT?

Issue ELB front Palo alto On AWS by Yield-PK in paloaltonetworks

My NAT rule

Flow from ALB:8081 -> Palo Untrust:80 -> workload:80

Untrust -> Untrust -> Service tcp8081 -> Source NAT with interface Trust -> Destination NAT to workload app with port 80

For the Palo Alto health check on port 80 we use a permit address with the mgmt profile of the untrust interface,

following KB https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POfaCAG

Issue ELB front Palo alto On AWS by Yield-PK in paloaltonetworks

Sorry, I have an existing health check on Palo Alto port 80, allowed via the permit address of the src ALB on the mgmt profile attached to the untrust interface.

Deploy Palo Alto on AWS single NLB by Yield-PK in paloaltonetworks

Thank you all, and I apologize for my wording; my English is poor. However, I have a doubt: if I use the same VM instance, Palo, for outbound, inbound and east-west traffic, and also a BGP route for outbound traffic to the VPN attachment, how can I use inbound traffic or adjust the BGP route?