Palo Alto VM Series Firewall with Azure Virtual WAN Hub

Question

Hey all. I am looking to leverage a PaloAlto VM Series firewall to secure an ExpressRoute circuit. Because a PaloAlto cannot be directly integrated with a Virtual WAN hub, I need a workaround. I would like to avoid using peering if possible as the client is already using VirtualWAN to interconnect spokes and common services.

The plan
The current plan which has not been successful thus far is the following...

1. Attach the Express Route Circuit to the VirtualWAN Hub
2. Create a VNet for the PaloAlto to live with 3 subnets (mgmt, trust, and untrust)
3. Propagate a spoke route to forward all traffic destined for sd-wan subnets to the PA un-trusted interface ip in the untrusted subnet.
4. Have the PA Filter traffic appropriately.
5. Forward the traffic to the trusted interface in the trusted subnet which will have a route to forward all traffic destined for sd-wan subnets. Traffic flows back into vWAN and throught the ER.

The reverse process would be similar.

Current Configuration

1. PaloAlto deployed in PA Vnet with three subnets.
2. PA Vnet is attached to the vWAN hub.
3. Rule propagated to spoke vnets to send all 10.0.0.0/8 traffic to the ip address of the PA untrusted interface in the PA vnet.
4. PA vNet had None route table propagating and None route table associating from the hub.
5. Trusted subnet route table has a route forwarding all 10.0.0.0/8 traffic to the hub.

Problem

1. As soon as I associate a route (10.0.0.0/8 to palo vnet) to the spokes, I can ping a gateway located in one of the SD WAN subnets.
2. The traffic bypasses the Palo Alto all together and instead just goes right through the hub.
3. This does not happen until I add the route to the PA vNet
4. All spoke subnets are not propagating or associating the hub default route table. Instead they have separate route tables that forward only traffic destined for other spoke subnets.

I am not sure if the proposed way is the best way to do this, but it seems like the most efficient if it can be made to work. That being said, if anyone had ever encountered this scenario before or has advise, please share. Thanks.

Answer 1

Typically in this situation, you will want to find architecture guidance from Palo Alto.

From what I could find, the advice from Palo Alto is to put a firewall device in every VNET and have them pull the same rule configurations.

Azure Firewall can integrate directly with the Hub VNET, but unfortunately this functionality is not available with a Palo Alto firewall.

Here is a doc that describes routing traffic through an NVA when staying inside the Network. It might help give guidance.