https://live.paloaltonetworks.com/t5/next-generation-firewall/migrating-to-multi-vsys-environment/m-p/591421#M3401 <P>1. The shared gateway is indeed a very simplified way of providing internet access to multiple VSYS (MSP model). BGP will work, but getting anything 'fancy' to work may be a pain</P> <P>2. yes, you've offloaded internet access to the SGW so all NAT (that is related to the internet) needs to happen there</P> <P>3. you do indeed lose granular control in favor of a shared gateway</P> <P>&nbsp;</P> <P>in most cases i've used just another vsys instead of a shared gateway to accomplish what you're trying to set up. it allows for more control in exchange for a little more configuration.</P> Tue, 09 Jul 2024 08:30:56 GMT reaper 2024-07-09T08:30:56Z https://live.paloaltonetworks.com/t5/next-generation-firewall/migrating-to-multi-vsys-environment/m-p/591371#M3400 <P>We recently decided to migrate to a multi-vsys environment for two of our data centers.&nbsp; The main reason for this is the shared gateway feature.&nbsp; We are starting to do a lot of disaster recovery planning, and need a segmented environment (with overlapping IPs), that can also share the internet connectivity.&nbsp; We were just using virtual routers to segment, but that didn't give us the internet connectivity.</P> <P>&nbsp;</P> <P>So... that being said, I've started my research and testing, and have some concerns/questions:</P> <P>&nbsp;</P> <P>#1 - Regarding the shared gateway - most of the examples online that I see reference a more simple architecture with a basic internet connection.&nbsp; We have multiple internet connections, and use BGP for routing.&nbsp; Are there any special considerations here around this design?&nbsp; And in general, BGP... any docs or KB articles anyone is familar with around this?</P> <P>&nbsp;</P> <P>#2 - I've read that all of your NAT rules need to exist in the shared gateway, is this accurate?&nbsp; Just curious if anyone has designed this differently.</P> <P>&nbsp;</P> <P>#3 - We have a few (not many) policy based forwarding rules that we would actually use to send a particular type of traffic to a particular internet circuit.&nbsp; But now with all internet connectivity being in the shared gateway, would my pbfs just point to the shared gateway?&nbsp; Seems like I lose the granularity of picking a specific circuit.&nbsp; Or should I be setting up multiple shared gateways?</P> <P>&nbsp;</P> <P>Overall I like the concept of the shared gateway, but I think this would be much easier to accomplish all of this in a greenfield environment.&nbsp; I've got two active data centers that will be getting migrated, and trying to avoid any "gotchas" if you know what I mean.</P> <P>&nbsp;</P> <P>Thanks.</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 08 Jul 2024 17:36:00 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/migrating-to-multi-vsys-environment/m-p/591371#M3400 buck1 2024-07-08T17:36:00Z https://live.paloaltonetworks.com/t5/next-generation-firewall/migrating-to-multi-vsys-environment/m-p/591421#M3401 <P>1. The shared gateway is indeed a very simplified way of providing internet access to multiple VSYS (MSP model). BGP will work, but getting anything 'fancy' to work may be a pain</P> <P>2. yes, you've offloaded internet access to the SGW so all NAT (that is related to the internet) needs to happen there</P> <P>3. you do indeed lose granular control in favor of a shared gateway</P> <P>&nbsp;</P> <P>in most cases i've used just another vsys instead of a shared gateway to accomplish what you're trying to set up. it allows for more control in exchange for a little more configuration.</P> Tue, 09 Jul 2024 08:30:56 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/migrating-to-multi-vsys-environment/m-p/591421#M3401 reaper 2024-07-09T08:30:56Z