This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Are Virtual Routers required?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Are Virtual Routers required?

Nhussain
L1 Bithead

‎08-23-2022 12:33 PM

I am working with a customer whereby the requirements are to split different traffic by different interfaces. Its an internal firewall and will not route internet traffic
 
1x Interface for East/West/North/South traffic
1x Interface for communications to Panorama
1x Interface for any communication to internet targets the firewall needs(NTP/License Check)
 
If we want to achieve this flow would we have to use Virtual Routers for the East/West/North/South. Are there any good articles for Multi-Interface setup of Palo alto? I know that is is against best practice however this is the requirements the customer has.
0 Likes Likes
3 REPLIES 3

PavelK
Cyber Elite
Cyber Elite

‎08-23-2022 02:46 PM

Hello @Nhussain

 

by default a Firewall is using management interface for this communication: Panorama and NTP/License Check

 

If you want to change that behavior, you can configure it by using service route. Here is corresponding KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0 From service route setting you can separate Panorama/Panorama Log Forwarding to use one dedicated data plane interface and for NTP and Palo Alto Networks Services (I think this one is used for license check) to use different dedicated data plane interface. Any other data plane interface will be used for East/West/North/South traffic depending on your configuration.

 

If you want to further separate data plane interfaces, you can create 2 Virtual Routes. One where you assign interfaces for East/West/North/South traffic and another one for management where you assign interface for traffic from Firewall itself for Panorama, NTP/License Check communication.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Nhussain
L1 Bithead
In response to PavelK

‎08-24-2022 12:32 AM

Thank you for your response.

 

So this article suggests it is possible https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0

however once you implement virtual routers this no longer is possible. That is correct?

 

"another one for management where you assign interface for traffic from Firewall itself for Panorama, NTP/License Check communication."

In this setup we move from using 2x interfaces to one interface for management? Is it not possible when using virtual routers to route the internet traffic(NTP) to a different interface and Panorama traffic to a different interface?

0 Likes Likes

PavelK
Cyber Elite
Cyber Elite

‎08-24-2022 09:36 PM

Hello @Nhussain

 

thank you for reply.

 

I did basic verification in Lab Firewall and the answer is yes to both. It is possible to assign different interfaces to different VRs and still use them as a service routes:

 

PavelK_0-1661402060452.png

PavelK_1-1661402151158.png

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
0 Likes Likes
  • 2007 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks