topic icmp redirect support in General Topics

icmp redirect support

glebon — Thu, 18 Jul 2013 15:07:16 GMT

Hello,

simple question:

Does PA devices send / support icmp redirect ?

Use case:

PA device is the default GW for local LAN subnet (A).

PA device has a route to an another subnet (B). The next hop is on his LAN Interface.

Local Clients devices has only a default GW to PA LAN Interface.

From my understanding and some tests:

PA device does not send ICMP redirect to Local Clients when they try to reach another subnet (B).

icmp echo / reply are OK but other type of communications fall with strange behavior on monitor. Traffic form local subnet are seen from his outside interface (not the lan) with destination NAT etc... Traffic seems to "loop" on the PA device.

If The local Client have a static route for B subnet everything is ok.

Thanks in advance.

Best regards.

Guillaume

Re: cimp redirect support

VinceM — Thu, 18 Jul 2013 16:36:42 GMT

Hi,

Exact, no icmp redirect in the palo.

But if yo just want your laptop be able to access to subnet B, two cases:

Subnet B is connected to another Palo's interface then just need security rle for allowing traffic from Zone-Sub-A to Zone-Sub-B

Subnet B is not connected, then need same thing plus a route in your Vrouter.

Make sense ?

Re: cimp redirect support

glebon — Fri, 19 Jul 2013 06:47:57 GMT

Thanks you for your time.

In fact Subnet B is a remote location.

Connectivity to branch offices (like B) pass through a router provided by an ISP which has an interface on local subnet A (the next hop used on the vr of the PA).

With static route on the host on subnet A it works but for admin purpose it is not optimal.

Guillaume

Re: cimp redirect support

VinceM — Fri, 19 Jul 2013 09:51:52 GMT

Static route not on the host but on the Palo 🙂

Or if you've got time, configured dynamic routing like OSPF 🙂