Question about Virtual Router and Policy Based Routing

Reply
L1 Bithead

Question about Virtual Router and Policy Based Routing

Hi All,

 

We are currently doing the migration from ASA 5550 to PA5020. We have totals of 4 interface in our environment.

 

In ASA the routing is handle by Static route and pretty straight forward.

 

As for Palo Alto, should I combine all the static route into one virtual router? Or use PBR instead?

 

We also planned to implement the Dual ISP redudancy. Any recommendation?

 

PaloAltoRouting.PNG

Community Manager

Re: Question about Virtual Router and Policy Based Routing

for any 'normal' routing it's best to stick to static routes in a virtual router (you can have additional virtual routers if you need segregation)

 

PBF comes in handy if you want to redirect certain applications over a different link, for example if you have a dedicated leased line and a backup DSL, you could redirect all web traffic and less important applications over the DSL so your business critical applications do not need to fight over bandwidth with streaming video. PBF can redirect those apps

 

check out this article for more info: Getting Started: Policy Based Forwarding


Help the community: Like helpful comments and mark solutions
Reaper out
L1 Bithead

Re: Question about Virtual Router and Policy Based Routing

Thanks for the explanation on the PBR. It is really useful.

 

As for the static route, what is the best practice? Each VR for each interface?

 

Example,

eth1/1 as Internet

eth1/2 as Internal

eth1/3 as DMZ1

eth1/3 as DMZ2

 

If i create 1 default VR for all the interface, mean internal, dmz1 and dmz2 can go to internet via internet port?

 

If i create segregation for each interface, can the client still go to internet via internet port?

Community Manager

Re: Question about Virtual Router and Policy Based Routing

Typically you start with one VR for all interfaces to keep routing straight forward. If you add VRs, you'll need to create inter-vr routing which adds complexity. This is useful for 'top secret' networks that are required to be segregated at the lowest possible level, but adds too much complexity for regular networks

 

Keep in mind the Palo Alto Networks firewall is a zone based firewall, if  each (sub)interface has it's own zone and you create no security policies, routing will not matter as the sessions will not be allowed to pass through

 

so the level of complexity depends on your business needs: if there is no need/requirement to make certain inter-network routing impossible, a simple security policy (or the absense thereof) will also take care of restricting access 


Help the community: Like helpful comments and mark solutions
Reaper out
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!