https://live.paloaltonetworks.com/t5/general-topics/inter-vsys-routing/m-p/147229#M49348 <P>Hi,</P><P>&nbsp;</P><P>&nbsp; &nbsp; I have to configure Inter vsys Routing where the traffic has to leave the firewall fromone vsys and enter into another Vsys. I am not able to find any documention on this scenario. I have already configured and tested the communication between vsys that will not leave the firewall but stuck on where traffic should leave the firewall.&nbsp;</P><P>&nbsp;</P><P>If I have a Internet Vsys and a Datacenter Vsys I will take a cable from Inet Vsys interface and connect to DC Vsys interface for physicall connectivity now the question is about routing do I need to configure static routing on both the vsys and I believe it wont be towards the VR's of each other then how the routes would be configured towards the physical interfaces ? and both the VR's will see all the routes of each other ?</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Sat, 11 Mar 2017 19:36:06 GMT Kashif.Kamal 2017-03-11T19:36:06Z https://live.paloaltonetworks.com/t5/general-topics/inter-vsys-routing/m-p/147229#M49348 <P>Hi,</P><P>&nbsp;</P><P>&nbsp; &nbsp; I have to configure Inter vsys Routing where the traffic has to leave the firewall fromone vsys and enter into another Vsys. I am not able to find any documention on this scenario. I have already configured and tested the communication between vsys that will not leave the firewall but stuck on where traffic should leave the firewall.&nbsp;</P><P>&nbsp;</P><P>If I have a Internet Vsys and a Datacenter Vsys I will take a cable from Inet Vsys interface and connect to DC Vsys interface for physicall connectivity now the question is about routing do I need to configure static routing on both the vsys and I believe it wont be towards the VR's of each other then how the routes would be configured towards the physical interfaces ? and both the VR's will see all the routes of each other ?</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Sat, 11 Mar 2017 19:36:06 GMT https://live.paloaltonetworks.com/t5/general-topics/inter-vsys-routing/m-p/147229#M49348 Kashif.Kamal 2017-03-11T19:36:06Z https://live.paloaltonetworks.com/t5/general-topics/inter-vsys-routing/m-p/147230#M49349 <P>A very good article:</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Inter-VSYS-routing/ta-p/69699" target="_blank">https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Inter-VSYS-routing/ta-p/69699</A></P> Sat, 11 Mar 2017 19:46:04 GMT https://live.paloaltonetworks.com/t5/general-topics/inter-vsys-routing/m-p/147230#M49349 TranceforLife 2017-03-11T19:46:04Z https://live.paloaltonetworks.com/t5/general-topics/inter-vsys-routing/m-p/147254#M49352 <P>Hi, &nbsp;</P><P>&nbsp;</P><P>&nbsp; &nbsp; Thanks for the informative link. My question is what is the benefit we get by&nbsp;<SPAN>Inter-VSYS Traffic That Must Leave the Firewall over&nbsp;Inter-VSYS Traffic That Remains Within the Firewall as far as I understood we will not have External zones between Vsys if we send the traffic out of firewall. Is there any other benefit to send the traffic out and back again</SPAN></P> Sun, 12 Mar 2017 07:50:06 GMT https://live.paloaltonetworks.com/t5/general-topics/inter-vsys-routing/m-p/147254#M49352 Kashif.Kamal 2017-03-12T07:50:06Z https://live.paloaltonetworks.com/t5/general-topics/inter-vsys-routing/m-p/147277#M49355 <P>Hi,</P><P>&nbsp;</P><P>You can use a shared gateway as the shared interface as shared_untrust and created external zone as untrust zone for each vsys and make sure the visability use configured between the shared gateway and all the vsys.</P><P>&nbsp;</P><P>The interesting part will be traffic from vsys1 to vsys2 you will see two sessions</P><P>&nbsp;</P><P>session 1: trust-vsys1 to untrust (vsys1)</P><P>session 2: untrust (vsys2) to trust vsys2</P><P>&nbsp;</P><P>If the traffic desintation is not vsys1 or vsys2. &nbsp;the session will trust-vsys1 to shared_untrust.</P><P>&nbsp;</P><P>The down side of doing it this way is any intervsys traffic will handle ONLY by the data plane processors. &nbsp;The intervsys traffic will not be able to offload by the offloader. &nbsp; The data plane processors have very limited throughtput. &nbsp;(Depend on your appliance). &nbsp; &nbsp;That can cause the DP CPU to go to 100% and stay as long as the intervsys sessions are alive.</P><P>&nbsp;</P><P>Check this link out, &nbsp;<A href="https://live.paloaltonetworks.com/t5/Learning-Articles/Differences-between-packets-in-slow-path-fast-path-and-offloaded/ta-p/58845" target="_blank">https://live.paloaltonetworks.com/t5/Learning-Articles/Differences-between-packets-in-slow-path-fast-path-and-offloaded/ta-p/58845</A></P><P>&nbsp;</P><P>You may want to have a deep dive with your SEs/Reseller too..</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 12 Mar 2017 10:58:39 GMT https://live.paloaltonetworks.com/t5/general-topics/inter-vsys-routing/m-p/147277#M49355 nextgenhappines 2017-03-12T10:58:39Z