Bounty question live from Ignite2017: chance to win an Live Community hoodie!

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Bounty question live from Ignite2017: chance to win an Live Community hoodie!

Cyber Elite
Cyber Elite

Community member @KyleVonFange came up to the booth and asked an interesting question he got this morning. We're posting it in the discussion forum and the right answer gets a chance at winning a Live Community hoodie!

 

 

What is the best way to set up a steelhead behind a virtual firewall so that only a couple internal IPs (both directions) are sent to the steelhead?

We don't own the internal network in the IaaS system.

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
9 REPLIES 9

L7 Applicator

The PA nedd to have 4 zones:

  • Internal (clientzone)
  • External
  • Steelhead inpath
  • Steelhead wan

This way you are able to forward only specific internal client traffic with a PBF rule to the steelhead inpath zone (interface).

For traffic from "external" you need to do the same, probably a PBF rule containing the riverbed-rios app and the source external.

All other traffic will pass only the PaloAlto without being optimized by the steelhead appliance.

Cyber Elite
Cyber Elite

@Remo,

I like your answer and it would definately work; I've never used a steelhead appliance but couldn't you simply set this up with either the routing table directly or simply use a PBF, I'm not sure if additional zones for the steelhead would even be necissary as you could just setup the steelhead appliance on it's own interface on the firewall. 

 

L7 Applicator

@BPry

It will probably also work with no additional zones, because with the PBF rule of course you can specify the destination interface. I simply like it to have this completely separated as long as you still have enough zones left on your PA.

At least for the use case where only specific clienttraffic needs to be forwarded to the steelhead, there is no way with the normal routing table

I think you could with the normal routing table but it would be static routes and destination based only. Definitly an interesting scanario for sure. I think even a vwire would work since thats what a steelhead is anyway, wouldnt cut down on the number of zones however.

 

My answer would be, just get more bandwidth instead of the steelhead (but I know this could be a limiting factor), sure would be less complex :). 

 

Cheers!

Since these are virtual firewalls and a virtual steelhead, I will try to do this with just a PBR with no additonal zones.  Unfortunately, we are very limited on the number of free zones on our VM200.  I should be receiving the virtual steelhead appliance within the next week so will be able to test this soon! 

In the meantime, if anyone has other options, I'm all ears.

Sincerely,

Kyle

The other option I can think of is placing the steelhead appliance in front or behind the firewall. This way ALL traffic would pass the steelhead and then you could create pass-through rules on the steelhead for traffic you do not want to optimize.

I still think the option with the PBF Rules ist the best one and it gives you great flexibility and control while allowing a simple management of the traffic you need to have optimized by the steelhead.

Hi @KyleVonFange !

 

wanted to reach out and see how things were going (see if we could assign a winner for the bounty or if we need more input to address your question)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Where is my live community hoodie? 😛

 

No, seriously, @KyleVonFange do you have results from your tests?

Sorry guys, there is still a delay in getting our appliance.  It is now scheduled for August 9th, 2017. 

  • 5398 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!