I did a search on the forums for multiple IPs and found a lot of posts talking about how the Palo deals with multiple external IPs - i.e. if your ISP assigns you a /29 block and you need to NAT multiple applications into your network. So basically you pick one IP, load that on the Palo interface and then just do NAT. Palo will ARP for any additional IPs used in NAT rules without the need to load those additional IPs on the Palo interface. I would prefer to load the IPs on the interface regardless of NAT because then you can see which external IPs have been allocated to the Palo.
This post kind of touches on the need to have additional IPs loaded somewhere on the Palo, but it is not for NAT, it's for Global Protect. How do I go about loading the additional external IPs from the /29 block on the Palo box to use in my Global Protect configuration? - i.e. I need one external IP for the gateway and another for the portal. Or what is the recommended way of setting this up?
You can use a loopback interface whenever you don't want to tie it to a physical port and want to have more flexibility. You may be connected to several ISPs but don't want to assign an IP/32 to a port in case the port goes down. Using the loopback would allow the IP/32 to be reachable across all ports and not be affected by a port going up and down.
I know I'm reviving an old thread, but I figured I'd toss this tip in there too in case anyone else stumbles across this thread...
You can also build untagged subinterfaces off a main interface if for some reason you want your multiple assigned IP addresses to be in separate zones.
So you can have your main eth1/1 interface, and then have eth1/1.1 be in zone untrust1, eth1/1.2 be in zone untrust2, eth1/1.3 be in zone untrust3, etc.
The "untagged subinterface" part is so that you don't have to convert the interface to a trunk port - the subinterfaces are logically separate, but don't correlate to specific VLANs (which is the normal way one thinks of subinterfaces e.g. on a router with a switch)
I cannot seem to duplicate this. I keep getting Operation Failed: units -> ethernet1/1.2 constraints failed : tag is required.
Am I missing a step somewhere? I would like to have a second external IP assigned on a sub-interface of eth1/1 so that I can manage that traffic differently with an "Untrust-VPN" zone.
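Pulling the loopback tip and the untagged-subinterface tip together, here is an added configuration example in PAN-OS CLI configure mode. It is not taken from any of the posts above. The /29 (203.0.113.0/29), the zone names untrust and untrust-vpn, the virtual router name default and the interface numbering are all assumptions for illustration; the untagged-sub-interface setting on the parent interface is the one the "tag is required" commit error is usually about, and it is included here as an assumption about that cause rather than something the thread confirms.

```text
# Added example, not from the original posters. PAN-OS configure mode.
# All addresses are placeholders from the 203.0.113.0/24 documentation range.

# 1. One address from the /29 on the physical ISP-facing interface (assumed: ethernet1/1, zone untrust).
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.2/29
set zone untrust network layer3 ethernet1/1
set network virtual-router default interface ethernet1/1

# 2. A second address as a loopback /32 for the GlobalProtect portal.
#    Loopbacks must be /32 and are not tied to a physical port, so the portal
#    address stays up regardless of which port is up.
set network interface loopback units loopback.1 ip 203.0.113.3/32
set zone untrust network layer3 loopback.1
set network virtual-router default interface loopback.1

# 3. A third address on an untagged subinterface in its own zone for the gateway.
#    Assumption: the parent interface must have untagged subinterfaces enabled
#    first; without this the subinterface commit is rejected for lacking a VLAN tag.
set network interface ethernet ethernet1/1 layer3 untagged-sub-interface yes
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.2 ip 203.0.113.4/32
set zone untrust-vpn network layer3 ethernet1/1.2
set network virtual-router default interface ethernet1/1.2

commit
```

After the commit, `show interface all` should list ethernet1/1, loopback.1 and ethernet1/1.2 each with its address and zone, which also answers the original concern about being able to see which external IPs have been allocated to the box. The GlobalProtect portal and gateway are then bound to loopback.1 and ethernet1/1.2 respectively, and the untrust-vpn zone lets the gateway traffic get its own security policy.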