topic Re: PA-415 Multiple interfaces into one VLAN in Next-Generation Firewall Discussions

PA-415 Multiple interfaces into one VLAN

jatin_2023 — Fri, 07 Jul 2023 09:44:41 GMT

Hello ALl,

I am hoping somebody can help with my configuration as I seem to be stumbling and hitting a brick wall the whole week.

The firewall is a PA-415 running SW 11.0.0

Ethernet 1/1 is set as a WAN interface.

Ethernet 1/2 = no configuration

Ethernet 1/3 = no configuration

Ethernet 1/4 = 192.168.4.1 / 24 [Set as default LAN, layer 3]

Ethernet 1/5 = no configuration

Ethernet 1/6 to Ethernet 1/9 = VLAN.100, 172.16.15.1/24

When I connect a test laptop to Ethernet 1/4, I am provided with a DHCP IP address from the firewall and can route outbound traffic.

If I connect any test laptop into Ethernet 1/6 -> Ethernet 1/9 I am provided with an DHCP IP address from 172.16.15.15, but I can not route any outbound traffic through WAN ethernet 1/1. I tried tracert and there are no hops to ethernet 1/1. There is no traffic logs either from 172.16.15.x/24

From the web interface I can see the DHCP table showing an IP address allocation to the correct LAN test laptop. There are default NAT and Security Firewall rules in place, as Ethernet 1/4 routes outbound traffic correctly. My assumption from my diagnostics would be the VLAN tag of 100 is not carried through and routed to the next hop to the wan interface. I cant find a support or a knowledge base article on configuring ports on the router a separate LAN with a VLAN Tag.

The reason for using Ethernet 1/6 to Ethernet 1/9 is because these are PoE ports and I need everything connected into the PA-415. Has anybody got product notes, KB articles or ideas how I can run route the VLAN traffic through WAN interface ethernet 1/1?

Thank you

From jatin patel

Re: PA-415 Multiple interfaces into one VLAN

seb_rupik — Fri, 07 Jul 2023 10:31:15 GMT

Hi there,

Can you confirm what security zones you have configured? Which interfaces are in which zones? Since inter-zone flows are denied by default you may need a explicitly rule to permit VLAN100 out of the WAN interface.

Also, since you have NAT configured on the WAN interfaces does it permit 172.16.15.0/24 as a source address?

You mention the VLAN100 tag, are the devices connected to the PoE ports configured to receive VLAN tags, or do those ports send out the frames untagged? I suspect it is the latter.

cheers,

Seb.

Re: PA-415 Multiple interfaces into one VLAN

jatin_2023 — Fri, 07 Jul 2023 11:08:34 GMT

Hello Seb,

Thank you for your reply,

The questions you posed are similiar to a few engineers that tried to fix this setup and even they couldnt understand why its failing, so i am hoping you can help me, 🙂

Security Zone:

Home Network = 172.16.15.x/24

Internet Uplink = WAN Interface Ethernet 1/1

Rule is Any address to any destination from any service. Default as possiable.

Interfaces and Zones:

Ethernet 1/1 = Internet Uplink - Layer 3

Ethernet 1/4 = Test Network Four - Layer 3

Ethernet 1/6 - 1/9 = Test Home network - Layer 2

Zones:

Home network - Layer 3 - Interface VLAN 100

Internet Uplink - Layer 3 - Ethernet 1/1

Test Home Network - Layer 2 - Ethernet ports with sub interfaces....used for testing to fix this issue.

Test Network Four - Layer 3 - Ethernet 1/4 - THIS WORKS.

VLAN 100 on the PoE ports. The ports have untagged set as TAG on the configuration. Only just did I add a sub interface with TAG as set to 100 for testing to see if that fixes the issues.

From Jatin

Re: PA-415 Multiple interfaces into one VLAN

seb_rupik — Fri, 07 Jul 2023 11:19:46 GMT

Hi there

one thing that appears to be missing from the above is a VLAN interface. You will need to assign this an ID that will match your VLAN object, then place this into 'test network four' security zone. Make sure that any security policy you have for this zone with a destination zone of 'internet uplink' now includes 172.16.15.0/24 as a source subnet (assuming you are not using 'any').

cheers,

Seb.

Re: PA-415 Multiple interfaces into one VLAN

seb_rupik — Fri, 07 Jul 2023 11:23:07 GMT

you may find this discussion useful:
Solved: LIVEcommunity - VLAN Confusion - LIVEcommunity - 537313 (paloaltonetworks.com)

Re: PA-415 Multiple interfaces into one VLAN

jatin_2023 — Fri, 07 Jul 2023 11:35:30 GMT

Hello Seb,

Thank you for the reply,

In my Zones for Home network, in the interface section I already have vlan.100 allocated.

In interface, I have a second line that says vlan .100, with IP address in the 172.16.15.x, with VLAN interface as correct for ethernet 1/6 to ethernet 1/9. This VLAN 100 is linked to the DHCP server and issues correct DHCP addresses.

Re: PA-415 Multiple interfaces into one VLAN

seb_rupik — Fri, 07 Jul 2023 11:49:01 GMT

OK, sounds good.

Any chance you can share screenshots of the security policy, and NAT setup?

cheers,

Seb.

Re: PA-415 Multiple interfaces into one VLAN

jatin_2023 — Fri, 07 Jul 2023 21:29:37 GMT

Hello Seb,

Thank you, ill take some screen shots and send over a word document.

From Jatin

Re: PA-415 Multiple interfaces into one VLAN

jatin_2023 — Sun, 09 Jul 2023 20:47:50 GMT

Hello Seb,

Thank you for the message, I have been through the security rule and NAT rule on the PA-415 firewall and taken a few screen shots to show you. Kindly note the 192.168.4.x network works correctly as an individual port, but since I have created the VLAN with 4 x ports no routing is taken place from the 172.x.x.x address through to the WAN interface.

Can you review the screen shots and provide your feedback please.

Thanks

Re: PA-415 Multiple interfaces into one VLAN

seb_rupik — Mon, 10 Jul 2023 21:15:07 GMT

Hi there,

Two things that are worth confirming:

Is the gateway IP for the 'Home network' (172.16.15.0/24) correctly configured as the VLAN100 interface IP? Is the netmask correct?
Can you create a management profile with 'ping' allowed and attach it to the VLAN100 interface. Can you confirm that devices in VLAN100 can now ping the local gateway address?

cheers,

Seb.

Re: PA-415 Multiple interfaces into one VLAN

jatin_2023 — Mon, 10 Jul 2023 21:39:54 GMT

Hello Seb,

Thank you for checking the screenshots and for sending me your feedback.

The gateway IP address is set to 172.16.15.1/24 which DHCP starts from 172.16.15.14/24 255.255.255.0. The VLAN group is linked to the VLAN interface of VLAN ID 100.

The Managment interface is on a 192.168.1.x subnet. This was my original setup, I can change this to a 172.16.15.x subnet.

From a managment profile, ill create the new setup and allow ping and test connection to the VLAN interface 100 and the IP address gateway.

Is there a way I can send you a backup of the configuration, or a zoom call or a teams call.

From jatin

Re: PA-415 Multiple interfaces into one VLAN

seb_rupik — Mon, 10 Jul 2023 23:03:54 GMT

Hi there,

If you like, create a named snapshot and export it. You should be able to send it as an attachement in a private message on this forum if you like.

If I find the solution I'll share it via this post.

cheers,

Seb.

Re: PA-415 Multiple interfaces into one VLAN

jatin_2023 — Tue, 11 Jul 2023 09:31:37 GMT

Hello Seb, thank you for the message,

I powered down the firewall last night and looks like their may be an issue on the unit as per the red warning lights. See screen shot. I cant get ping or access the web interface. I think I may have to reset the whole unit, which means ill loose my configuration on the firewall.

Regarding the issue on the VLAN, have you replicated my issues or built a similiar type of network or have a document I can follow?

Re: PA-415 Multiple interfaces into one VLAN

seb_rupik — Wed, 12 Jul 2023 08:36:58 GMT

OK, so I made this topology, Layer3 WAN interface, Eth1/4-7 Layer2 interfaces, VLAN100 SVI.

Here's the config...

Interface config:

set network interface ethernet ethernet1/1 layer3 ip 10.0.0.2/30 set network interface vlan units vlan.100 ip 172.16.15.1/24 set network interface vlan units vlan.100 comment "Home Network" set network vlan home_network virtual-interface interface vlan.100 set network vlan home_network interface [ ethernet1/4 ethernet1/5 ethernet1/6 ethernet1/7 ] set network virtual-router default interface [ vlan.100 ethernet1/1 ]

Routing:

set network virtual-router default routing-table ip static-route default path-monitor monitor-destinations default enable yes set network virtual-router default routing-table ip static-route default path-monitor monitor-destinations default source 10.0.0.2/30 set network virtual-router default routing-table ip static-route default path-monitor monitor-destinations default destination 10.0.0.1 set network virtual-router default routing-table ip static-route default path-monitor monitor-destinations default interval 3 set network virtual-router default routing-table ip static-route default path-monitor monitor-destinations default count 5 set network virtual-router default routing-table ip static-route default path-monitor enable yes set network virtual-router default routing-table ip static-route default path-monitor failure-condition any set network virtual-router default routing-table ip static-route default path-monitor hold-time 2 set network virtual-router default routing-table ip static-route default nexthop ip-address 10.0.0.1 set network virtual-router default routing-table ip static-route default bfd profile None set network virtual-router default routing-table ip static-route default interface ethernet1/1 set network virtual-router default routing-table ip static-route default metric 10 set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0

DHCP config:

set network dhcp interface vlan.100 server option dns primary 1.1.1.1 set network dhcp interface vlan.100 server option lease unlimited set network dhcp interface vlan.100 server option gateway 172.16.15.1 set network dhcp interface vlan.100 server option subnet-mask 255.255.255.0 set network dhcp interface vlan.100 server ip-pool 172.16.15.14-172.16.15.254 set network dhcp interface vlan.100 server mode enabled

Security zone setup:

set zone home_network network layer3 vlan.100 set zone internet_uplink network layer3 ethernet1/1 set zone home_network_l2 network layer2 [ ethernet1/4 ethernet1/5 ethernet1/6 ethernet1/7 ]

Security poilcy:

set rulebase security rules home_network-outbound to internet_uplink set rulebase security rules home_network-outbound from home_network set rulebase security rules home_network-outbound source 172.16.15.0/24 set rulebase security rules home_network-outbound destination any set rulebase security rules home_network-outbound source-user any set rulebase security rules home_network-outbound category any set rulebase security rules home_network-outbound application any set rulebase security rules home_network-outbound service application-default set rulebase security rules home_network-outbound source-hip any set rulebase security rules home_network-outbound destination-hip any set rulebase security rules home_network-outbound action allow

NAT policy:

set rulebase nat rules home_network_nat source-translation dynamic-ip-and-port translated-address 10.0.0.2 set rulebase nat rules home_network_nat to internet_uplink set rulebase nat rules home_network_nat from home_network set rulebase nat rules home_network_nat source any set rulebase nat rules home_network_nat destination any set rulebase nat rules home_network_nat service any

VPC2 and VPC3 successfully ping VPC host out on the WAN:

VPC3 and also ping VPC2 on the VLAN:

...obviously change the WAN Eth1/1 IP and all references to suit your own topology.

cheers,

Seb.

Re: PA-415 Multiple interfaces into one VLAN

jatin_2023 — Wed, 12 Jul 2023 00:47:41 GMT

Hello Seb,

Thank you for your assistanc and helpfull points, I have just rebuilt the configuration using the notes provided.

Question:
Previously I had a static route, to force all traffic destinated to the wan IP address has to route through WAN Internet ethernet 1/1. In your configuration I noticed there is mention. May I ask why is that.

Also, ill test the new configuration in the morning when i had back to my test lab office.

From Jatin

Re: PA-415 Multiple interfaces into one VLAN

seb_rupik — Wed, 12 Jul 2023 08:34:48 GMT

Good spot. since I was only trying to reach that VPC host which was on the other end of the connect WAN subnet I forgot to add a default route. I'll add it to the post above for the sake of completion.

cheers,

Seb.

Re: PA-415 Multiple interfaces into one VLAN

jatin_2023 — Wed, 12 Jul 2023 08:38:57 GMT

Hello Seb,

Hi, just a short note this time, I saw this yesterday evening, and tried again this morning, the error message is confusing. All the IP address are standard /24, so not sure where and how this rule has occured.

Any thoughts.

Re: PA-415 Multiple interfaces into one VLAN

seb_rupik — Wed, 12 Jul 2023 09:30:34 GMT

hmmm, what is the output of:

show running nat-policy

...also what is the SKU of the firewall you are configuring?

Re: PA-415 Multiple interfaces into one VLAN

seb_rupik — Wed, 12 Jul 2023 09:38:42 GMT

I think I see what you have done.... in the NAT rule, make sure the 'translated address' does not include a CIDR, instead have just the interface IP: 10.0.0.2

cheers,

Seb.

Re: PA-415 Multiple interfaces into one VLAN

jatin_2023 — Wed, 12 Jul 2023 10:06:24 GMT

Hello Seb,

Thank you for the message, after investigation, Strange one here, if the DHCP server has the options enabled with the subnet mask, this setting conflicts with the objects if you have a prefix / 24.

i have fixed it, the DHCP server issues out IP addresses correctly, but the NAT rule was not aware of the subnet mask. So I deleted the NAT rule, then edited the objects with the / prefix and the commit passed.

Yes your right, there seems to be an issue when using the object instead of the manual entry.

I find the web interface sensitive when using objects of manual entries.

Once I sort out this IP address and its passed, i'll figure a way to test the connections.