Are Virtual Routers required?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Are Virtual Routers required?

L1 Bithead
I am working with a customer whereby the requirements are to split different traffic by different interfaces. Its an internal firewall and will not route internet traffic
 
1x Interface for East/West/North/South traffic
1x Interface for communications to Panorama
1x Interface for any communication to internet targets the firewall needs(NTP/License Check)
 
If we want to achieve this flow would we have to use Virtual Routers for the East/West/North/South. Are there any good articles for Multi-Interface setup of Palo alto? I know that is is against best practice however this is the requirements the customer has.
3 REPLIES 3

Cyber Elite
Cyber Elite

Hello @Nhussain

 

by default a Firewall is using management interface for this communication: Panorama and NTP/License Check

 

If you want to change that behavior, you can configure it by using service route. Here is corresponding KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0 From service route setting you can separate Panorama/Panorama Log Forwarding to use one dedicated data plane interface and for NTP and Palo Alto Networks Services (I think this one is used for license check) to use different dedicated data plane interface. Any other data plane interface will be used for East/West/North/South traffic depending on your configuration.

 

If you want to further separate data plane interfaces, you can create 2 Virtual Routes. One where you assign interfaces for East/West/North/South traffic and another one for management where you assign interface for traffic from Firewall itself for Panorama, NTP/License Check communication.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Thank you for your response.

 

So this article suggests it is possible https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0

however once you implement virtual routers this no longer is possible. That is correct?

 

"another one for management where you assign interface for traffic from Firewall itself for Panorama, NTP/License Check communication."

In this setup we move from using 2x interfaces to one interface for management? Is it not possible when using virtual routers to route the internet traffic(NTP) to a different interface and Panorama traffic to a different interface?

Cyber Elite
Cyber Elite

Hello @Nhussain

 

thank you for reply.

 

I did basic verification in Lab Firewall and the answer is yes to both. It is possible to assign different interfaces to different VRs and still use them as a service routes:

 

PavelK_0-1661402060452.png

PavelK_1-1661402151158.png

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
  • 1448 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!