topic Passing a Circuit Prefix Through Palo Firewall in General Topics

Passing a Circuit Prefix Through Palo Firewall

TroyAbbott — Wed, 11 May 2022 17:39:52 GMT

I'll do my best to put this question into words.

My company owns a /24 Public IP range. I have an engineering department that needs a /29 IP space off of that block for their Lab Environment.
I have a Juniper MX104 Router and a Palo 5220 Firewall.

I'm not sure what my best steps are to get this circuit passed through the Firewall straight to the Lab environment (and Palo support is extremely slow at the moment).

1. On the Juniper Router I have a Logical Interface created irb.312 which is using the first available IP in the /29 range.
2. On the Juniper Router I have a Physical interface created to be a bridge interface using vlan-id 312
3. The Lab has an SRX that is setup to use the second available IP in the /29 range.

What are my best steps on the Palo? I was hoping a Virtual Wire would work, but the interface goes straight to down when I configure it as a Virtual Wire interface. I am hoping I don't need to create a Layer 3 interface on the Palo as I don't want to use anymore of the IPs available in the /29 (since the Edge Router and the Lab SRX are both using an IP in that /29 range already).

In terms of "topology", we do want the traffic to pass through our Palo since that is what our Network Team manages. The Lab Firewall is not managed by us, so we don't want to bypass our own Firewall. If that makes sense?

Any input would be appreciated!
Thank you.

Re: Passing a Circuit Prefix Through Palo Firewall

Y-alwaysMe — Wed, 11 May 2022 21:02:18 GMT

Hi Troy,

How about if rather than configuring the /29 on the router int, what if you route the /29 toward the Palo and the configure /29 one int on PA and one SRX?

Router <> route n.n.n.n/29 > PA <int>/29 <int>/29SRx

Re: Passing a Circuit Prefix Through Palo Firewall

Adrian_Jensen — Wed, 11 May 2022 22:49:01 GMT

Instead of assigning IPs on the MX and PA within the /29 block that you want to use behind the firewall, could you just route the entire /24 to the PA, and then route the /29 to the SRX? From your description I am assuming you are BGP announcing the /24 from the MX104?

Setup a private inter-network range between the MX104 and the PA (say, 198.18.x.x/30) and route the /24 to the PA. On the PA assign the public IPs you want to use locally to a loopback interface as /32s. Then use another 198.18.x.x/30 to route the /29 to the LAB SRX behind the PA. Advantages: you don't have use the publics for routing, can put a suballocation for third party devices on a DMZ interface, can send suballocations to different routers behind the PA, and can pick off individual IPs to use on the PA. Disadvantages: if your DMZ is already using IPs scattered across a fixed /24 subnet, subdividing gets messy.

Re: Passing a Circuit Prefix Through Palo Firewall

TroyAbbott — Mon, 16 May 2022 15:10:45 GMT

Thank you very much for the quick response to this. It provided extremely helpful steps in my troubleshooting process!

I ended up getting the Palo Alto Virtual Wire to work out in this scenario so I didn't have to set up too many routes.

But again, thank you!