Passing a Circuit Prefix Through Palo Firewall

cancel
Showing results for 
Search instead for 
Did you mean: 

Passing a Circuit Prefix Through Palo Firewall

L0 Member

I'll do my best to put this question into words.

My company owns a /24 Public IP range. I have an engineering department that needs a /29 IP space off of that block for their Lab Environment
I have a Juniper MX104 Router and a Palo 5220 Firewall.

I'm not sure what my best steps are to get this circuit passed through the Firewall straight to the Lab environment (and Palo support is extremely slow at the moment).

1. On the Juniper Router I have a Logical Interface created irb.312 which is using the first available IP in the /29 range.
2. On the Juniper Router I have a Physical interface created to be a bridge interface using vlan-id 312
3. The Lab has an SRX that is setup to use the second available IP in the /29 range.

What are my best steps on the Palo? I was hoping a Virtual Wire would work, but the interface goes straight to down when I configure it as a Virtual Wire interface. I am hoping I don't need to create a Layer 3 interface on the Palo as I don't want to use anymore of the IPs available in the /29 (since the Edge Router and the Lab SRX are both using an IP in that /29 range already).

In terms of "topology", we do want the traffic to pass through our Palo since that is what our Network Team manages. The Lab Firewall is not managed by us, so we don't want to bypass our own Firewall. If that makes sense?

Any input would be appreciated!
Thank you.

1 ACCEPTED SOLUTION

Accepted Solutions

Thank you very much for the quick response to this. It provided extremely helpful steps in my troubleshooting process!


I ended up getting the Palo Alto Virtual Wire to work out in this scenario so I didn't have to set up too many routes. 

 

But again, thank you!

View solution in original post

3 REPLIES 3

L2 Linker

Hi Troy,

 

How about if rather than configuring the /29 on the router int, what if you route the /29 toward the Palo and the configure /29 one int on PA and one SRX?

 

Router <> route n.n.n.n/29 > PA <int>/29   <int>/29SRx

 

L4 Transporter

Instead of assigning IPs on the MX and PA within the /29 block that you want to use behind the firewall, could you just route the entire /24 to the PA, and then route the /29 to the SRX? From your description I am assuming you are BGP announcing the /24 from the MX104?

 

Setup a private inter-network range between the MX104 and the PA (say, 198.18.x.x/30) and route the /24 to the PA. On the PA assign the public IPs you want to use locally to a loopback interface as /32s. Then use another 198.18.x.x/30 to route the /29 to the LAB SRX behind the PA. Advantages: you don't have use the publics for routing, can put a suballocation for third party devices on a DMZ interface, can send suballocations to different routers behind the PA, and can pick off individual IPs to use on the PA. Disadvantages: if your DMZ is already using IPs scattered across a fixed /24 subnet, subdividing gets messy.

Thank you very much for the quick response to this. It provided extremely helpful steps in my troubleshooting process!


I ended up getting the Palo Alto Virtual Wire to work out in this scenario so I didn't have to set up too many routes. 

 

But again, thank you!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!