https://live.paloaltonetworks.com/t5/general-topics/vrrp-on-routers-connected-to-palo-alto-firewalls/m-p/416291#M93406 <P>Please see the articles below as palo alto can be anabled to accept untagged traffic and Vlan 0 is considered untagged:</P><P>&nbsp;</P><P>&nbsp;</P><P>For vwire:</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/vlan-tagged-traffic.html" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/vlan-tagged-traffic.html</A></P><P>&nbsp;</P><P>&nbsp;</P><P>For layer 3:</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClE2CAK" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClE2CAK</A></P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClYMCA0" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClYMCA0</A></P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMFCA0" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMFCA0</A></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>If you want interface layer 2 communication (not vwire) between the firewalls you may need to check if you can tag the native vlan on the routers before being send to palo alto:</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/general-topics/native-vlan-for-trunk-ports/td-p/251564" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/general-topics/native-vlan-for-trunk-ports/td-p/251564</A></P> Thu, 01 Jul 2021 07:42:27 GMT NikolayDimitrov 2021-07-01T07:42:27Z https://live.paloaltonetworks.com/t5/general-topics/vrrp-on-routers-connected-to-palo-alto-firewalls/m-p/416261#M93400 <P>I have 2 Palo Alto Firewalls each connecting to Peplink Balance 310x routers. HA is configured between the two Balance 310x routers. What I am trying to achieve is communication between these 2 routers via the 2 FWs. The HA (VRRP) interface is in the untagged VLAN on the router. It is Layer 2 between the routers and FW's. I have the FW interfaces with an untagged interface ready to pass this traffic between them but this is not working.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nickvardy76_0-1625050522210.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/34666i52F1F7DA8410F547/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="nickvardy76_0-1625050522210.png" alt="nickvardy76_0-1625050522210.png" /></span></P><P>See quick drawing above. I need to be able to pass the VRRP packets from the Peplink Balances via the 2 Palo Alto FW's. Is this possible using this design? I do not see any untagged traffic traversing the Palo's.</P> Wed, 30 Jun 2021 10:56:36 GMT https://live.paloaltonetworks.com/t5/general-topics/vrrp-on-routers-connected-to-palo-alto-firewalls/m-p/416261#M93400 nickvardy76 2021-06-30T10:56:36Z https://live.paloaltonetworks.com/t5/general-topics/vrrp-on-routers-connected-to-palo-alto-firewalls/m-p/416291#M93406 <P>Please see the articles below as palo alto can be anabled to accept untagged traffic and Vlan 0 is considered untagged:</P><P>&nbsp;</P><P>&nbsp;</P><P>For vwire:</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/vlan-tagged-traffic.html" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfaces/vlan-tagged-traffic.html</A></P><P>&nbsp;</P><P>&nbsp;</P><P>For layer 3:</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClE2CAK" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClE2CAK</A></P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClYMCA0" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClYMCA0</A></P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMFCA0" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMFCA0</A></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>If you want interface layer 2 communication (not vwire) between the firewalls you may need to check if you can tag the native vlan on the routers before being send to palo alto:</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/general-topics/native-vlan-for-trunk-ports/td-p/251564" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/general-topics/native-vlan-for-trunk-ports/td-p/251564</A></P> Thu, 01 Jul 2021 07:42:27 GMT https://live.paloaltonetworks.com/t5/general-topics/vrrp-on-routers-connected-to-palo-alto-firewalls/m-p/416291#M93406 NikolayDimitrov 2021-07-01T07:42:27Z https://live.paloaltonetworks.com/t5/general-topics/vrrp-on-routers-connected-to-palo-alto-firewalls/m-p/416437#M93422 <P>Hi,</P><P>&nbsp;</P><P>I have already deployed (many times) such kind (almost) of configuration (PA L3 mode + Pelink in front in our case) but we uses a L2 switch (two in fact to provide HA) between the external interface of the PA and internal interface of the Peplink... If you use L2 mode (VWIRE) on PA interface,&nbsp; just be careful with Spanning-Tree..&nbsp;</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>HA</P> Thu, 01 Jul 2021 07:10:01 GMT https://live.paloaltonetworks.com/t5/general-topics/vrrp-on-routers-connected-to-palo-alto-firewalls/m-p/416437#M93422 slp-security 2021-07-01T07:10:01Z