topic Re: Routing between Virtual systems in General Topics

Routing between Virtual systems

binhnt — Wed, 10 Apr 2013 07:22:14 GMT

Hi all,

I have 4 virtual systems and have 2 requirements:

1. That VSYSs must go to internet by difference lines (we have 4 WAN lines)

2. That VSYSs can communicate with other VSYS.

I assign 4 Virtual routers for that VSYSs and resolve the requirement 1

But I cant do route between virtual systems

Can anyone help?

Thanks.

Binh.

Re: Routing between Virtual systems

apasupulati — Wed, 10 Apr 2013 16:11:41 GMT

Hello,

Have you referred to this document about inter-vsys communication, see:

How to Set Up Shared Gateway and Inter VSYS

Hope that helps,

Aditi

Re: Routing between Virtual systems

binhnt — Thu, 11 Apr 2013 02:57:13 GMT

Hi Aditi,

Thanks for your reply, but, in that document, all VSYSs use the same Virtual router.

My case is: VSYS-A uses VR-A, VSYS-B uses VR-B and I have done with inter VR-routing. We need to create a static route with next hop is: VR.

Example:

VSYS-A has subnet: 172.16.1.0/24

VSYS-B has subnet: 172.16.2.0/24

User A: 172.16.1.2/24 want to connect to User B: 172.16.2.2/24

Create a static route in VR-A with destination: 172.16.2.0/24, next hop: VR-B

And then create: external zone, policies, ...to allow traffic.

Regards,

Binh.

Re: Routing between Virtual systems

craymond — Fri, 12 Apr 2013 14:37:30 GMT

Essentially you are creating 4 separate Firewalls when you create separate VRs and VSYS'. There is another post that has some suggestions to your question in https://live.paloaltonetworks.com/message/4430#4430. Specifically -

8. Re: Routing between virtual systems

PThomas Oct 14, 2011 5:23 PM (in response to KMacnaughton)

Nick,

Version 4 now allows you to configure statics routes that you can nominate a Virtual Router (VR) as the next hop!!!

This new 4.x function allowed me remove the physical cable that join the VRs is seperate Virtual System (VS) and move back to just virtual routers in a single VS.

My real base requirement is for multiple VRs to handle multiple Internet connections (8 in total). Internal networks with their own ISP link but then they decided they want to share each others printers so the ffirewall needed to allow comms between them.

The reason for employing VSs in the first place was because I found the policy engine could not track the connection properly (looping back through the physical cable to join VRs) unless I placed the virtual routers in different VSs. That is to say connecting virtual routers together using a physical cable did not work if the VRs were in the same VS. Put them in different VMs and everything worked fine.

I have successfully used the new static routing to route directly between VRs in the same VS.

What you'll need to test is if you can successfully use statics to route directly to a VR in a different VS.

I know the routing will work. It's the policy that concerns me. You need to set up an external zone but there is no interface to associate it with (the static route is a bit of an auto-magic thing). Maybe you can try setting the zone to "Any".

I'd like to know the result if you do test this. It is on my to do list.

Another Document is http://www.paloaltonetworks.com/literature/techbriefs/Virtual_Systems.pdf.