01-18-2023 10:34 PM
Our firewall is a VM 500-Series model. All IP addresses in our firewall's Untrust nic subnet have already been used, so we must attach a new subnet to the nic interface. Therefore, I want to know if a firewall supports multiple subnets on a single nic.
01-19-2023 03:29 PM
Hi @Pabitra_Parial ,
As you can see from the following link - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSDCA0 Palo Alto actually support multiple IPs on the same interface only if they are in different subnets. I am guessing that until this point you have added additional address with /32 prefix that were from one subnet. If you could associate second subnet to the same vnic, you could continue adding additional IPs to the same vnic from this new subnet.
As you can see here the limit of additional IP addresses is pretty high - https://live.paloaltonetworks.com/t5/general-topics/max-allowed-additional-ip-addresses-on-a-layer3-...
You didn't mention what on platform (Azure, AWS, etc) you are running your VM firewall, but if you need to do this "monstrosity" with assigning multiple additional IP to the same interface, I would guess it is one of the public clouds. I am curios why are you planning to add second subnet to the same vnic?
On other hand I would suggest you to consider Aure Gateway Load Balancer (GWLB) and AWS (GWLB) - if you use any of those clouds. GWLB provide absolutely fantastic flexibility when comes to placing PAN FW inline in public cloud.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!