topic Session Lookup for inter-virtual communication in General Topics

Session Lookup for inter-virtual communication

ghostrider — Thu, 13 Oct 2016 08:36:16 GMT

Hello Experts

I was just wondering how firewall session is created for inter-vr communication. I have scenario like this:

Interface eth1/1 (Trust-VR) Trust Zone ---LAN (10.10.10.0/24)

Interface eth1/2 (Untrust-VR) Untrust Zone ---INTERNET

In Trust-VR, I have 0/0 default route towards Untrust-VR, I have created the security policy between Trust to Untrust Zone to allow the communication. My question is, firewall will create the session in which VR? I mean for reverse traffic where the route lookup for 10.10.10.0/24 will happen? In Trust-VR or Untrust-VR?

In case Trust-R then no need for reverse route for 10.10.10.0/24 in Untrust-VR next-hop Trust-VR?

Thanks

Re: Session Lookup for inter-virtual communication

FJU-ITCS — Thu, 13 Oct 2016 09:11:41 GMT

Hi,

the session is create on the firewall not in the VR.

Why do you use two VR?

And the Untrust-VR you need an Static Route back to the Trust-VR (10.10.10.0/24)

Re: Session Lookup for inter-virtual communication

ghostrider — Fri, 14 Oct 2016 12:17:12 GMT

Thanks dear. Actually I have the scenario like in firewall I have two VR, VR-1 for one customer-1 and VR-2 for other customer. Both have same subnets (overlapping subnets) but going to internet from global table (trust-vr) interface (connected to internet router and doing the NAT). In Juniper SRX, the session is bind to VR. So if traffic is going from VR-1 to global table then reverse route lookup happens in VR-1 and global table does not need to have reverse static routes for VR-1 and VR-2. It seems Palo Alto firewall session is not bind to any VR.

Since VR-1 and VR-2 sharing same subnets. How can I define the reverse static routes in trust-vr for VR-1 and VR-2. Should I enable symmatric retrun? or any other solution

Re: Session Lookup for inter-virtual communication

ghostrider — Sat, 22 Oct 2016 14:24:09 GMT

@reaper @pulukas

Could you please also look into this? Session is bind with virtual router or not?

Re: Session Lookup for inter-virtual communication

reaper — Sat, 22 Oct 2016 18:47:34 GMT

In PAN-OS the sessions are created differently
Sessions exist inside a vsys (virtual system) and are created by the firewall independent of routing. route lookups are performed per flow direction, so in your example you need routes in both directions

Re: Session Lookup for inter-virtual communication

ghostrider — Sat, 22 Oct 2016 20:38:15 GMT

Thank you @reaper. I justed tested quickly. So if my topology is like LAN -> PA -> Internet. Now if traffic has to pass through AV system or transparent proxy (also directly connected to PA) using Filter based forwarding. Traffic will pass like this:

LAN -> PA -> AV System -> PA -> Internet (Outdoing Traffic)

Interenet -> PA -> LAN (return traffic)

This will cause Aysmmetric routing. I cannot play with VR because as you said, session is not bind to VR. The only way I think of is, enable sysmmetric return in Internet interface and that worked like a charm ! The return traffic now taking the same path as outgoing traffic