Routing between Virtual systems

Reply
Highlighted
L0 Member

Routing between Virtual systems

Hi all,

I have 4 virtual systems and have 2 requirements:

1. That VSYSs must go to internet by difference lines (we have 4 WAN lines)

2. That VSYSs can communicate with other VSYS.

I assign 4 Virtual routers for that VSYSs and resolve the requirement 1

But I cant do route between virtual systems

Can anyone help?

Thanks.

Binh.

Tags (2)
L4 Transporter

Re: Routing between Virtual systems

Hello,

Have you referred to this document about inter-vsys communication, see:

How to Set Up Shared Gateway and Inter VSYS

Hope that helps,

Aditi

L0 Member

Re: Routing between Virtual systems

Hi Aditi,

Thanks for your reply, but, in that document, all VSYSs use the same Virtual router.

My case is: VSYS-A uses VR-A, VSYS-B uses VR-B and I have done with inter VR-routing. We need to create a static route with next hop is: VR.

Example:

VSYS-A has subnet: 172.16.1.0/24

VSYS-B has subnet: 172.16.2.0/24

User A: 172.16.1.2/24 want to connect to User B: 172.16.2.2/24

Create a static route in VR-A with destination: 172.16.2.0/24, next hop: VR-B

And then create: external zone, policies, ...to allow traffic.

Regards,

Binh.

L4 Transporter

Re: Routing between Virtual systems

Essentially you are creating 4 separate Firewalls when you create separate VRs and VSYS'. There is another post that has some suggestions to your question in https://live.paloaltonetworks.com/message/4430#4430. Specifically -

8. Re: Routing between virtual systems

PThomasRecruit

Nick,

Version 4 now allows you to configure statics routes that you can nominate a Virtual Router (VR) as the next hop!!!

This new 4.x function allowed me remove the physical cable that join the VRs is seperate Virtual System (VS) and move back to just virtual routers in a single VS.

My real base requirement is for multiple VRs to handle multiple Internet connections (8 in total). Internal networks with their own ISP link but then they decided they want to share each others printers so the ffirewall needed to allow comms between them.

The reason for employing VSs in the first place was because I found the policy engine could not track the connection properly (looping back through the physical cable to join VRs) unless I placed the virtual routers in different VSs. That is to say connecting virtual routers together using a physical cable did not work if the VRs were in the same VS. Put them in different VMs and everything worked fine.

I have successfully used the new static routing to route directly between VRs in the same VS.

What you'll need to test is if you can successfully use statics to route directly to a VR in a different VS.

I know the routing will work. It's the policy that concerns me. You need to set up an external zone but there is no interface to associate it with (the static route is a bit of an auto-magic thing). Maybe you can try setting the zone to "Any".

I'd like to know the result if you do test this. It is on my to do list.

Another Document is http://www.paloaltonetworks.com/literature/techbriefs/Virtual_Systems.pdf.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!