topic Re: Palo Alto Layer2 mode and brdige vlan in different subnets in General Topics

Palo Alto Layer2 mode and brdige vlan in different subnets

faizankhurshid — Sun, 22 Jul 2018 16:44:52 GMT

Hi All

Can Palo Alto bridge two VLAN like VLAN 10 and VLAN 30 that have different subnets? or both VLAN should have same subnet?

Basically what I want, I have VLAN 10 having subnet 10.10.10.0/24 and VLAN 30 having subnet 192.168.1.0/24. Both VLAN have gateway on core switch. How can I use Palo Alto firewall in layer 2 mode to do the firewalling between two VLAN

Re: Palo Alto Layer2 mode and brdige vlan in different subnets

pulukas — Sun, 22 Jul 2018 17:30:28 GMT

To have the inspection at layer 2 with the gateway on the core switch you need to find a layer 2 path where you can insert the PAN in the link using v-wire would probably be simplest.

If you core device is a pure core with nothing but other switches attached this should be possible. Intercept the links from the core switch to the aggregation switch and insert the layer 2 PAN in these lines. Assuming you have enough ports for all the links.

On the PAN side then you need to create all the vlans that exist on that line and setup the rules for inspection then for traffic that crosses the PAN v-wire for each vlan.

Re: Palo Alto Layer2 mode and brdige vlan in different subnets

faizankhurshid — Sun, 22 Jul 2018 19:18:35 GMT

@pulukas thank you. I got your point. But then I have to make two security rules right? one for vwire-10 (going to gateway of vlan10) and other policy is for vwire-20 (coming from gateway of vlan 20 to server?

Also, if firewall is off path to core firewall, then I have to host vlan gateway also on L2 firewall for inter-vlan firewalling?

Re: Palo Alto Layer2 mode and brdige vlan in different subnets

pulukas — Tue, 24 Jul 2018 22:37:49 GMT

I have not done this but I think you won't need two rules if you place everything in the same zone.

The rules will be intrazone traffic.

They are written in the direction that traffic is initiated.

As the traffic comes through it should still match the existing sessions even though it goes through the PAN twice in each direction.

Re: Palo Alto Layer2 mode and brdige vlan in different subnets

reaper — Wed, 25 Jul 2018 11:02:38 GMT

you can also create a Layer2 interface with 2 subinterfaces, then create a policy to allow traffic from one's zone to the others and back (interzone will do this if you only want to create a single policy)

the only thing you'll need to take care of yourself, is how the different broadcast domains are going to communicate to one another without a routing device in between