09-11-2012 06:44 AM
I recently bought a PA-500 to replace an aging SonicWall. We have two ISPs, one DSL and one cable. We have static IPs on both. It appears from the documentation that this should work, but implementing it has been painful, to say the least.
Currently we have no inbound services on cable, and plan to use that primarily for web browsing; however, we will need to set up GlobalProtect on that interface as soon as possible. We have a few services inbound on DSL:
- smtp from our outsourced spam filter (it will all come in from a single IP)
- http and https for OWA
- rsync from our web hosting company for online order fulfillment
- a couple of VNC connections on non-standard ports, which should be port-forwarded to the standard ports on those machines
I can go into great detail about what I have and have not done to this point, but was wondering if anybody else has done the same, and where (if anywhere?) is this configuration documented? I've been dealing with various flavors of firewalls for over 10 years, and I've put in over 40 hours on what should be less than a 2 hour problem.
I've also seen some really strange things, like
- When trying to change outbound NAT rules, a SYN comes in on one (DSL) interface and gets properly translated to the internal host; however, the outbound ACK gets sent out the correct interface with the correct destination IP, but with a MAC address that isn't even in its ARP table (and the gateway's MAC address is correct in the ARP table).
- When trying to set up the VNC connections, the traffic monitor says the traffic is allowed by the OWA rule (which has nothing to do with that port or its application type), but it still does not get NATted correctly.
Questions? Comments? Snide remarks?
09-11-2012 10:13 AM
In 5.0 there is a feature being added called return to sender which will take care of most of your config.
In the meantime most of it can be done.
> Currently we have no inbound services on cable, and plan to use that primarily for web browsing; however, we will need to set up GlobalProtect on that interface as soon as possible. We have a few services inbound on DSL.

This will actually need to be done with two VRs. PBF does not apply to traffic that is sourced from or destined to the PAN; it only applies to traffic that goes through the PAN. If you have a PBF rule to route traffic through cable and a default route to route traffic out DSL, all requests to GP will route back out the cable line.

> We have a few services inbound on DSL.

What may be happening here is the SYN comes in on the DSL and PBF matched the SYN/ACK and routes it back out the cable line. If DNATs are required on the DSL line you will need to split the VRs, or put a negate rule above the PBF so it will use the VR route out the DSL line. This in turn will route ALL traffic out the DSL for those machines.

> When trying to change outbound NAT rules, a SYN comes in on one (DSL) interface, gets properly translated to the internal host, however the outbound ACK gets sent out the correct interface with the correct destination IP, but with a MAC address that isn't even in its ARP table (and the

Which MAC is incorrect, the DST MAC after it leaves the PAN, or the SRC?

> When trying to set up the VNC connections, the traffic monitor says the traffic is allowed by the OWA rule (which has nothing to do with that port or its application type), but still does not get NATted correctly.

The first packet will be allowed not based on application, so if the service field is ANY or the same port as VNC, this would match for the 3-way handshake and change once the application is identified.
Dominic
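The layout the reply above describes, written out as an added illustration (it is not configuration from the thread or from Palo Alto Networks): two virtual routers, with the LAN and the DSL uplink in one VR so the firewall's own GlobalProtect replies on the cable address leave via the cable VR, a no-pbf rule above the PBF rule for the DNAT targets, and explicit services on the inbound security rules so a VNC SYN cannot match the OWA rule on its first packet. Interface names, zone names, rule names, host addresses and the RFC 5737 documentation addresses are all assumptions. The PAN-OS "set" syntax is reconstructed from memory of the 4.x/5.x CLI and must be checked against the running version before use.

```text
# --- Interfaces and zones (assumed names; ethernet1/1 = DSL, 1/2 = cable, 1/3 = LAN)
set network interface ethernet ethernet1/1 layer3 ip 198.51.100.10/29
set network interface ethernet ethernet1/2 layer3 ip 203.0.113.10/29
set network interface ethernet ethernet1/3 layer3 ip 10.0.0.1/24
set zone untrust-dsl   network layer3 ethernet1/1
set zone untrust-cable network layer3 ethernet1/2
set zone trust         network layer3 ethernet1/3

# --- VR-DSL: LAN plus DSL uplink. Default route is DSL, so DNAT'd servers
#     and anything not caught by PBF answer out the DSL line.
set network virtual-router VR-DSL interface [ ethernet1/1 ethernet1/3 ]
set network virtual-router VR-DSL routing-table ip static-route to-dsl destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 198.51.100.9

# --- VR-Cable: cable uplink only. Traffic the firewall itself sources from
#     203.0.113.10 (GlobalProtect portal/gateway) is routed here, not by PBF,
#     so its replies leave via cable. The LAN is reached through VR-DSL.
set network virtual-router VR-Cable interface ethernet1/2
set network virtual-router VR-Cable routing-table ip static-route to-cable destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 203.0.113.9
set network virtual-router VR-Cable routing-table ip static-route to-lan destination 10.0.0.0/24 nexthop next-vr VR-DSL

# --- PBF, evaluated top-down before the VR-DSL routing table.
# 1. Negate rule: hosts that are DNAT targets on DSL (assumed 10.0.0.25 = OWA,
#    10.0.0.26 = rsync target) must never be forced out cable.
set rulebase pbf rules no-pbf-dnat-hosts from zone trust source [ 10.0.0.25 10.0.0.26 ] destination any action no-pbf
# 2. Everything else on the LAN browses out cable.
set rulebase pbf rules lan-out-cable from zone trust source 10.0.0.0/24 destination any service any application any action forward egress-interface ethernet1/2 nexthop ip-address 203.0.113.9

# --- Source NAT per egress interface.
set rulebase nat rules snat-cable from trust to untrust-cable source 10.0.0.0/24 destination any to-interface ethernet1/2 source-translation dynamic-ip-and-port interface-address interface ethernet1/2
set rulebase nat rules snat-dsl   from trust to untrust-dsl   source 10.0.0.0/24 destination any to-interface ethernet1/1 source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# --- Inbound DNAT on the DSL address. VNC on a non-standard outside port is
#     translated to 5900 on the inside host (assumed 10.0.0.30).
set service vnc-5901 protocol tcp port 5901
set rulebase nat rules dnat-owa from untrust-dsl to untrust-dsl destination 198.51.100.10 service service-https destination-translation translated-address 10.0.0.25
set rulebase nat rules dnat-vnc from untrust-dsl to untrust-dsl destination 198.51.100.10 service vnc-5901 destination-translation translated-address 10.0.0.30 translated-port 5900

# --- Security policy. Destination zone is the post-NAT zone, destination
#     address is the pre-NAT (public) address. The service field is explicit
#     on each rule so the VNC SYN on 5901 does not match the OWA rule before
#     App-ID has identified the session.
set rulebase security rules allow-owa from untrust-dsl to trust destination 198.51.100.10 application [ web-browsing ssl ] service [ service-http service-https ] action allow
set rulebase security rules allow-vnc from untrust-dsl to trust destination 198.51.100.10 application vnc service vnc-5901 action allow
```

Commit and then watch the traffic log for the VNC test: with `service` pinned on `allow-owa`, the SYN on 5901 should now log against `allow-vnc` from the first packet rather than flipping rules after identification. PBF bypasses the VR table for transit traffic only; the no-pbf rule is what keeps the DNAT hosts symmetric on DSL, and the separate VR is what keeps the firewall's own GlobalProtect traffic symmetric on cable.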
09-11-2012 06:53 AM
There's nothing in your post that isn't possible in the PAN with Policy Based Forwarding, NAT, and Security policies.
Have you reached out to your SE yet?
09-11-2012 07:18 AM
What's an SE? Sales Engineer? Trying to get ahold of them now, too.
I thought it sounded like this should all be possible, but usually there are knowledgebase articles, how-tos, or forum posts for fairly common scenarios. Multiple ISPs may have been uncommon 5 years ago, but that setup is quickly approaching "normal" for the small-business market.