I have two pa device , if . Both are in two differnet site . and I want to access the device in vlan10 from one site to another .
How can i do that .
vlan 10 ----fw1 --------------fw2---vlan 10
Assuming that you configure IPSec VPN between sites then you need to add route to peer site into virtual router and allow this traffic in security policy.
The best way I've been able to do this is by having a different subnet at each location such as this: 10.10.1.0/24 and 10.30.1.0/24. I create a L3-Interface on both firewalls and create the necessary routers. I then created a rule in Panorama and applied it to both firewalls like so: Trust=>RemoveOffices(10.10.1.0/24,10.30.1.0/24); App-ID: Any, Service: Any => Trust=>RemoteOffices(10.10.1.0/24, 10.30.1.0/24); App-ID: Any, Service: Any. When applied to both sets of firewalls you'll get a psuedo VLAN extention. To make it scale a little, create an Address Group named something like: VLAN1. Then reference that in any rule you create. You must always include Remote-Office (To and/or From) as appropriate. This will allow all traffic originated on VLAN1 on site1 to VLAN1 on site2 (simulates an extended VLAN between sites).
I've used this and it works quite well. The only gotcha you need to be careful of is when specifying the Interface between firewalls. I use a dedicated Interface or Tunnel and keep my routes very specific only to the other site. Any other routes should probably not traverse that link unless it absolutely needs to.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!