09-27-2023 05:43 AM
I am looking for a way to make a dataplane interface send its traffic like a management interface.
We created a dedicated L3 subinterface for NetFlow traffic to export. We would like to understand whether the traffic from this interface can be routed through the management plane.
The reason behind the ask is that there are two routers in the same NetFlow subnet that flows through this firewall. As soon as we assign a VR and zone to this interface, the traffic from our remote servers to these routers takes the NetFlow interface as next hop (since one of the IPs from the subnet is configured on the interface, Palo prefers the directly connected route). This causes asymmetric routing in the environment.
We have defined a service route for NetFlow as this dedicated interface (the PA-5K series firewall doesn't support the MGT interface for NetFlow). I tried to define a destination under the service route to the NetFlow server, sourcing from the NetFlow interface. I removed this interface from the VR and didn't attach a zone, thinking this would act like the mgmt interface, but no luck.
09-27-2023 11:50 AM
From the issue that you've described, you could put the interface into its own VR and zone if you really wanted to. That would remove it from routing consideration entirely and you could effectively isolate it. That being said, you can't really replicate the full management experience on a dataplane interface.
The thing that is interesting to me is that you mentioned what I would say is unexpected behavior; as soon as you specify a service route for NetFlow, that's the source interface and source address that it should be using. That doesn't necessarily take routing out of the equation, which might explain what you were running into.
It kind of sounds like the simplest solution for your use case as you've described it is just creating a completely separate VR specific to this interface. It still won't behave exactly the same, but it should take care of the issues that you've mentioned.
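The separate-VR approach suggested in the reply, written out as PAN-OS configure-mode CLI. This is an added example, not configuration from the thread or from Palo Alto Networks; the interface, VR, zone and static-route names and all addresses are constructed placeholders, the command syntax is as I recall it and should be checked against your PAN-OS release, and the comment lines are explanatory rather than CLI input.

```text
# Dedicated L3 subinterface that carries only NetFlow export traffic
# (placeholder names and RFC 5737 addresses throughout)
set network interface ethernet ethernet1/5 layer3 units ethernet1/5.100 tag 100
set network interface ethernet ethernet1/5 layer3 units ethernet1/5.100 ip 192.0.2.10/24

# Own virtual router: the connected 192.0.2.0/24 route lives only here, so the
# main VR never prefers this interface as next hop for server-to-router traffic
set network virtual-router VR-NETFLOW interface ethernet1/5.100

# The only route this VR needs: the collector subnet via the local gateway
set network virtual-router VR-NETFLOW routing-table ip static-route to-collector destination 198.51.100.0/24 nexthop ip-address 192.0.2.1 interface ethernet1/5.100

# A dataplane interface still needs a zone to forward traffic; give it a
# dedicated one so no existing policy inadvertently matches it
set zone NETFLOW-EXPORT network layer3 ethernet1/5.100

# Source NetFlow from the dedicated interface (MGT is not an option on PA-5K)
set deviceconfig system route service netflow source interface ethernet1/5.100 address 192.0.2.10

commit
```

After the commit, confirm with `show routing route virtual-router VR-NETFLOW` that the connected and static routes appear only in the new VR, and that the main VR's route to the two routers is unchanged.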