https://live.paloaltonetworks.com/t5/general-topics/multi-vr-routes-and-security-policies-issues/m-p/75147#M41888 <P>Sorry for not getting back we ended up putting static routes to next hop vr XYZ. Until we want to decide going down the BGP option or the OSPF with loopback (port to port) on PA in different VR's.&nbsp;</P> Thu, 24 Mar 2016 12:03:06 GMT CZaloba 2016-03-24T12:03:06Z https://live.paloaltonetworks.com/t5/general-topics/multi-vr-routes-and-security-policies-issues/m-p/72835#M41198 <P>I have an issue where we have mulit-VRs in place 1) default and 2nd) VR that is utilized for DMZ and untrust routes</P> <P>&nbsp;</P> <P>Both VR's share a common zone name "public" for example.&nbsp;</P> <P>&nbsp;</P> <P>I have issues routing where for instance I have my internal network segments in the VR's FIB's and my routed networks fail to return back through the correct interfaces.&nbsp;</P> <P>&nbsp;</P> <P>I have a need for select internal subnets but RFC 1918 and Public routed ranges reaching into into the DMZ for administrating a Server.&nbsp;</P> <P>&nbsp;</P> <P>The security policy logic is in place and sound transit zone VR default &gt; public zone (VR Untrust/DMZ) &nbsp;with applications ssh,ssh-tunnel.&nbsp;</P> <P>&nbsp;</P> <P>This DMZ server also has restricted subnets from Public zone to allow Untrust traffic to server.&nbsp;</P> <P>&nbsp;</P> <P>Issue my my server works from untrust perspective, however if my more trusted zones access the server in the DMZ I don't get traffic there.&nbsp;</P> <P>&nbsp;</P> <P>Server is a Virtualized we got it to route properly once we added a second v-nic to the host server and had the server administrator add static routes pointing out a different gateway which lays in the VR default.&nbsp;</P> <P>&nbsp;</P> <P>I am hoping as we build and scale this network edge / dmz services over the internet that we don't have to apply host routing and allow OSPF to take place and advertise into both respected Virtual Routers.&nbsp;</P> <P>&nbsp;</P> <P>Still working with TAC on this.&nbsp;</P> Sun, 14 Feb 2016 22:06:49 GMT https://live.paloaltonetworks.com/t5/general-topics/multi-vr-routes-and-security-policies-issues/m-p/72835#M41198 CZaloba 2016-02-14T22:06:49Z https://live.paloaltonetworks.com/t5/general-topics/multi-vr-routes-and-security-policies-issues/m-p/72869#M41212 <P>Hi!</P> <P>&nbsp;</P> <P>could you provide a schematic to help us gain some insight into your design ?</P> <P>&nbsp;</P> <P>If you want to keep networks separate through multiple VRs, I would recommend also changing the zones so none are shared to prevent confusion or accidental overlap. To enable intra-VR routing, static routes need to be added in the VR where you assign the <EM>other</EM> VR as next hop and a returning static route needs to be in place to allow the traffic to take the same route back</P> Mon, 15 Feb 2016 13:05:02 GMT https://live.paloaltonetworks.com/t5/general-topics/multi-vr-routes-and-security-policies-issues/m-p/72869#M41212 reaper 2016-02-15T13:05:02Z https://live.paloaltonetworks.com/t5/general-topics/multi-vr-routes-and-security-policies-issues/m-p/75147#M41888 <P>Sorry for not getting back we ended up putting static routes to next hop vr XYZ. Until we want to decide going down the BGP option or the OSPF with loopback (port to port) on PA in different VR's.&nbsp;</P> Thu, 24 Mar 2016 12:03:06 GMT https://live.paloaltonetworks.com/t5/general-topics/multi-vr-routes-and-security-policies-issues/m-p/75147#M41888 CZaloba 2016-03-24T12:03:06Z