<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Adding in an additional new firewall to the edge, attracting return traffic in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/adding-in-an-additional-new-firewall-to-the-edge-attracting/m-p/344518#M86189</link>
    <description>&lt;P&gt;I currently have a Brand X firewall at our perimeter with a /24 on the outside and private addressing on the inside.&lt;/P&gt;&lt;P&gt;I want to add a PAN in parallel to the current firewall and gradually move services from Brand X to PAN.&lt;/P&gt;&lt;P&gt;The plan at present is to take a /26 of the public space and route to the PAN outside interface from the edge routers.&lt;/P&gt;&lt;P&gt;The trick is that the return traffic to the client on the Internet needs to be attracted to the PAN firewall and not to the Brand X firewall to which the default route now points. My plan is to NAT the source IP as the traffic comes inside the PAN.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;BUT the problem is that if I have a load balancer inside using source IP for balancing, that would break. And there could be some applications that want to know the real public source IP. Are there any other approaches that I'm missing with regard to having servers send the traffic back to the PAN regardless of the default route on the inside?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If in the end I just need to do source IP NAT I may be able to live with it. But I wanted to ping the hive brain.&lt;/P&gt;</description>
    <pubDate>Wed, 19 Aug 2020 04:58:43 GMT</pubDate>
    <dc:creator>palomed</dc:creator>
    <dc:date>2020-08-19T04:58:43Z</dc:date>
    <item>
      <title>Adding in an additional new firewall to the edge, attracting return traffic</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/adding-in-an-additional-new-firewall-to-the-edge-attracting/m-p/344518#M86189</link>
      <description>&lt;P&gt;I currently have a Brand X firewall at our perimeter with a /24 on the outside and private addressing on the inside.&lt;/P&gt;&lt;P&gt;I want to add a PAN in parallel to the current firewall and gradually move services from Brand X to PAN.&lt;/P&gt;&lt;P&gt;The plan at present is to take a /26 of the public space and route to the PAN outside interface from the edge routers.&lt;/P&gt;&lt;P&gt;The trick is that the return traffic to the client on the Internet needs to be attracted to the PAN firewall and not to the Brand X firewall to which the default route now points. My plan is to NAT the source IP as the traffic comes inside the PAN.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;BUT the problem is that if I have a load balancer inside using source IP for balancing, that would break. And there could be some applications that want to know the real public source IP. Are there any other approaches that I'm missing with regard to having servers send the traffic back to the PAN regardless of the default route on the inside?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If in the end I just need to do source IP NAT I may be able to live with it. But I wanted to ping the hive brain.&lt;/P&gt;</description>
      <pubDate>Wed, 19 Aug 2020 04:58:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/adding-in-an-additional-new-firewall-to-the-edge-attracting/m-p/344518#M86189</guid>
      <dc:creator>palomed</dc:creator>
      <dc:date>2020-08-19T04:58:43Z</dc:date>
    </item>
    <item>
      <title>Re: Adding in an additional new firewall to the edge, attracting return tra</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/adding-in-an-additional-new-firewall-to-the-edge-attracting/m-p/344526#M86191</link>
      <description>&lt;P&gt;On the outside the PAN will be able to use proxy-ARP to assimilate IP addresses. For every NAT rule you create with an IP in the /24 range, the PAN will send out proxy-ARP, letting the routers know it owns those IPs (just make sure no other device uses or proxy-ARPs for that IP).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;On the inside it kind of depends on your design and available hardware.&lt;/P&gt;&lt;P&gt;If the inside is a flat network with the default gateway set to Brand X, setting source NAT to the PAN inside interface for inbound connections will be the easiest way to trick inside hosts into replying to the PAN.&lt;/P&gt;&lt;P&gt;The same trick with proxy-ARP applies to the inside interface: you could set up dynamic-IP NAT and provide the PAN with an IP pool, which may help overcome the load balancing issues.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If the inside router/load balancer supports policy-based forwarding/routing you could set up source routes toward the PAN.&lt;/P&gt;</description>
      <pubDate>Wed, 19 Aug 2020 06:33:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/adding-in-an-additional-new-firewall-to-the-edge-attracting/m-p/344526#M86191</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2020-08-19T06:33:29Z</dc:date>
    </item>
    <item>
      <title>Re: Adding in an additional new firewall to the edge, attracting return tra</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/adding-in-an-additional-new-firewall-to-the-edge-attracting/m-p/344561#M86202</link>
      <description>&lt;P&gt;Thank you. I didn't realize that this could be accomplished with the proxy ARPing at the PAN.&lt;/P&gt;&lt;P&gt;And dynamic NAT on the inside with a pool is also an interesting thought on dealing with the load balancer. The policy routing could have a place too.&lt;/P&gt;</description>
      <pubDate>Wed, 19 Aug 2020 13:55:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/adding-in-an-additional-new-firewall-to-the-edge-attracting/m-p/344561#M86202</guid>
      <dc:creator>palomed</dc:creator>
      <dc:date>2020-08-19T13:55:36Z</dc:date>
    </item>
  </channel>
</rss>