topic Re: Are Virtual Routers required? in General Topics

Are Virtual Routers required?

Nhussain — Tue, 23 Aug 2022 19:33:41 GMT

I am working with a customer whereby the requirements are to split different traffic by different interfaces. Its an internal firewall and will not route internet traffic

1x Interface for East/West/North/South traffic

1x Interface for communications to Panorama

1x Interface for any communication to internet targets the firewall needs(NTP/License Check)

If we want to achieve this flow would we have to use Virtual Routers for the East/West/North/South. Are there any good articles for Multi-Interface setup of Palo alto? I know that is is against best practice however this is the requirements the customer has.

Re: Are Virtual Routers required?

PavelK — Tue, 23 Aug 2022 21:46:57 GMT

Hello @Nhussain

by default a Firewall is using management interface for this communication: Panorama and NTP/License Check

If you want to change that behavior, you can configure it by using service route. Here is corresponding KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0 From service route setting you can separate Panorama/Panorama Log Forwarding to use one dedicated data plane interface and for NTP and Palo Alto Networks Services (I think this one is used for license check) to use different dedicated data plane interface. Any other data plane interface will be used for East/West/North/South traffic depending on your configuration.

If you want to further separate data plane interfaces, you can create 2 Virtual Routes. One where you assign interfaces for East/West/North/South traffic and another one for management where you assign interface for traffic from Firewall itself for Panorama, NTP/License Check communication.

Kind Regards

Pavel

Re: Are Virtual Routers required?

Nhussain — Wed, 24 Aug 2022 07:32:42 GMT

Thank you for your response.

So this article suggests it is possible https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0

however once you implement virtual routers this no longer is possible. That is correct?

"another one for management where you assign interface for traffic from Firewall itself for Panorama, NTP/License Check communication."

In this setup we move from using 2x interfaces to one interface for management? Is it not possible when using virtual routers to route the internet traffic(NTP) to a different interface and Panorama traffic to a different interface?

Re: Are Virtual Routers required?

PavelK — Thu, 25 Aug 2022 04:36:45 GMT

Hello @Nhussain

thank you for reply.

I did basic verification in Lab Firewall and the answer is yes to both. It is possible to assign different interfaces to different VRs and still use them as a service routes:

Kind Regards

Pavel