topic Two WAN Ports on one Switch. Split of physical VPN and Internet port. in General Topics

Two WAN Ports on one Switch. Split of physical VPN and Internet port.

AndreGoebel — Tue, 25 Jun 2024 12:14:42 GMT

Hello,

I hope theres someone here who´s more capeable than me for my problem 🙂
I searched the forum and the documentations for quite a while but i cant figure it out.

Current Situation:

All incoming traffic gets sourced through port eth1/7 with the zone 'Untrust' and all other IPs ( XXX/29) provided from our ISP are handled via loopbacks also situated in 'Untrust'.

Final Setup:
We try to split now GlobalProtect and Ike gateways on a different physical cable eth1/2 zone: 'VPN-Gate'. Both ports are on the same switch in the same VLAN called 'WAN' as the ISPs connection is as well.

The second we activated the physical cable connection eth1/2 some of our incoming webtraffic was sorted into the new zone ' VPN-Gate' instead in the usual 'Untrust' zone.

Configwise theres just the IP of the physical interface and the GlobalProtect-Gateway IP as loopback in the Zone 'VPN-Gate'. All other IPs are bound to 'Untrust'.

Why does the palo decide that some of the traffic ment for an IP, not bound to the 'VPN-Gate' Zone needs to be sorted into 'VPN-Gate'.

Re: Two WAN Ports on one Switch. Split of physical VPN and Internet port.

BPry — Tue, 25 Jun 2024 20:22:51 GMT

@AndreGoebel,

The switch is sending some of the traffic to the interface that you aren't expecting. You may need to setup actual routes on your switch to ensure that traffic you expect on ethernet1/7 doesn't present itself on ethernet1/2.

Re: Two WAN Ports on one Switch. Split of physical VPN and Internet port.

AndreGoebel — Wed, 26 Jun 2024 06:09:21 GMT

Thank you for your input.
I did not consider our switch as point of failure. As the switch we are using right now, is a layer 2 switch, routing wont be an option at this moment.
So i might be stuck with the one cable solution for now.