Forwarding streaming traffic to a second Palo

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Forwarding streaming traffic to a second Palo

L1 Bithead

Hi all. We have two Palo 3020s, each connected to a different ISP. At the moment the 1st firewall handles all our LAN internet based traffic, whereas the second firewall is mainly used for our VPN connections. We're looking at forwarding streaming traffic from the 1st firewall to the second firewall, to reduce the bandwidth usage on our primary ISP connection. I've been looking into configuring Policy Based Forwarding to achieve this, but most examples I see of this only use one firewall connected to multiple ISP connections. We're unable to connect our first firewall to the secondary ISP connection. Looking for advice on how I can forward this traffic through a seconadry Palo.

6 REPLIES 6

L6 Presenter

Hi,

 

Are these firewall on the same LAN but got two different ISPs connections? What is the default gateway for your LAN clients?

 

Thx,

Myky

Both firewalls are on the same LAN, the default gateway of the LAN clients is the first firewall. Thanks.

Hi,

 

Thanks for the confirmation. Havent done much  of PBF but l think you can specify in the policy for the specific traffic to be fowarded to the 2nd firewall,  then that firewall will use its ISP connection to get out.

Second option would be to have a router/Layer 3 device as DG and do PBF there so it will deside which traffic to send where (1st or 2nd FW)

 

Thx,

Myky

 

Cyber Elite
Cyber Elite

PBF will work just fine if you consider for each firewall the 'other firewall' is an ISP instead of 'your firewall'

 

eg. on firewall 1 you'd need to set up pbf routing as if firewall 2 is the second ISP

 

could you include your topology, this may help get the creative juices flowing also 😉

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

 

See below for a crude diagram of the topolgy

 

PBF.jpg

 

As a test I configured policy based forwarding on P1 with source as the inside traffic (1/2) with 1/6 as the egress interface and 192.168.255.254 as the next hop, I also enforced symetric return. This doesn't work as the traffic still leaves 1/1 (ISP1) on the first Palo.

Hi,

 

Thx for the diagramm. Did you try to allow any traffic? Just test with any as a destination.  Can you post screen shots of the PBF?

 

Myky

  • 3588 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!