Connections through Palo Alto FW

Just looking for some advice here - we use Palo Alto firewalls exclusively on premises with Azure based resources that we are allowing access to through Twingate. Everything works amazingly well except that any on premises based connection will always go through a relay even though we are not double NAT’ed or have CGNAT etc. The Palo Altos are the nonfriendly NAT device since once users are off our network, they can initiate direct connections to Azure in most circumstances.

Not a problem operationally, however we are based in Toronto and have very low ping times to Azure but Twingate relays are not based in Canada so our traffic routes through Chicago or elsewhere and we get 60-80ms latency on Twingate. Also, we are using a relay and it would be preferable to get direct connections if we can. Incidentally, if I set up a WireGuard VPN behind the firewall to Azure, my ping times are in the 10ms range so the Palo Altos seem to like this traffic.

Any suggestions from the community or workarounds that work with other firewall vendors that I might be able to look into?

Hi @Opthamolo_IT, could you share what version of Palo Alto you are currently using? We may have some recommendations depending on that.

Do make sure that the following prerequisites are met: Endpoint Requirements | Docs

Hi @Opthamolo_IT!!! Great to meet you.

To resolve this, in the PAN-OS software create a NAT policy rule with Translation Type set to Static IP, instead of the default setting Dynamic IP And Port. This helps Twingate Connectors figure out how to get packets through the NAT and establish direct connections.
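A simplified model of why the translation type matters for direct connections, added here as an illustration and not part of the original thread or of Twingate's or Palo Alto's code. It assumes Dynamic IP And Port assigns a fresh public source port per destination session while Static IP keeps the source port, and that the peer learns the Connector's public address from a discovery server; all addresses and names are constructed.

```python
import itertools

# Constructed sample endpoints (documentation address ranges).
CONNECTOR = ("10.0.50.10", 51000)    # Connector behind the firewall
DISCOVERY = ("198.51.100.5", 3478)   # assumed server that reports the public mapping
PEER = ("192.0.2.77", 45000)         # remote client attempting a direct connection

class DynamicIpAndPortNat:
    """Assumed model: every new (source, destination) session gets a new public port."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.sessions = {}  # (src, dst) -> (public_ip, public_port)

    def outbound(self, src, dst):
        if (src, dst) not in self.sessions:
            self.sessions[(src, dst)] = (self.public_ip, next(self._ports))
        return self.sessions[(src, dst)]

    def inbound(self, remote, public):
        # Stateful check: the packet must match a session opened toward that remote.
        for (src, dst), mapped in self.sessions.items():
            if dst == remote and mapped == public:
                return src
        return None

class StaticIpNat:
    """Assumed model: one private IP maps to one public IP, source port unchanged."""
    def __init__(self, private_ip, public_ip):
        self.private_ip, self.public_ip = private_ip, public_ip
        self.sessions = set()  # (src, dst) pairs opened from the inside

    def outbound(self, src, dst):
        if src[0] != self.private_ip:
            raise ValueError("source is not covered by this static NAT rule")
        self.sessions.add((src, dst))
        return (self.public_ip, src[1])

    def inbound(self, remote, public):
        src = (self.private_ip, public[1])
        ok = public[0] == self.public_ip and (src, remote) in self.sessions
        return src if ok else None

def direct_path_works(nat, connector=CONNECTOR, discovery=DISCOVERY, peer=PEER):
    advertised = nat.outbound(connector, discovery)  # address the peer is told to use
    nat.outbound(connector, peer)                    # Connector opens a session to the peer
    return nat.inbound(peer, advertised) == connector
```

Under the dynamic model the address the peer was given belongs to the session with the discovery server, so the peer's packet matches nothing and the connection falls back to a relay; under the static model the advertised address and the session toward the peer are the same.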

Cool - yeah, I’m definitely using Dynamic IP/Port for NAT! I’ll switch it over and let you know how I make out!

Excellent!!! Keep us posted on your results.

If that makes a difference, you can always build a policy that just applies to the Connectors instead of all outbound traffic.

Works like a charm! I already had a separate subnet/zone for all the Twingate stuff so it was really easy to set up a DMZ with static NAT and apply all the proper policies. I should have thought of this myself but I was overthinking it! Anyway, almost everything is peer-to-peer now except for failover to Cellular which is OK since that is double NATed and we shouldn’t be in failover mode for very long. I should mention - building a failover solution to Azure on Twingate is an absolute dream - it’s dead easy - no need for BGP etc - it’s quick to failover; we lose about 3-5 pings (really, it’s the firewall determining if it should remove the default route that takes the most time) and it JUST WORKS. Amazing stuff.

This is great to hear, and I am so glad you are liking working with our product.

I would love to learn more about your failover solution. Maybe after the new year we can meet and discuss???

Absolutely!

(one last thing - could you get PA to recognize the Twingate UDP protocol as an app - that would allow PA users to really tighten down the rules! Right now, it’s seen as ‘unknown-udp’)

Thanks for all of your help - much appreciated!

I am sure we can ask, not sure how willing PA will be to do that.