Policy Based Forwarding

L1 Bithead

Hi All,

I have a guest wifi VLAN 10.25.x.x that needs to be routed out to a second ISP.

AP-->WLC-->Palo Alto FW-->MPLS/VPLS-Router-->L3Switch-->ISP

The VLAN will have a sub-interface and gateway 10.25.x.1 assigned on the firewall in its own guest zone and virtual router.

The virtual router will have a default gateway 0.0.0.0 to a next hop 10.25.x.2, a layer 3 switch SVI where the ISP is connected.

NAT will be performed on the L3 switch, translating the 10.25.x.x address pool to a public IP before routing out to the internet.

1) Will the policy based forwarding work?

2) I assume I can forward the same traffic out the same sub-interfaces?

3) Also, if I performed the NAT on the Palo Alto before routing out to the ISP over a private network, is that acceptable from a security point of view?


Accepted Solution

Cyber Elite

Hello there.

So there are 2 ways to perform what you want to do.

2 ISPs = 2 virtual routers, which is a single default gateway/route per virtual router.

1) Will the policy based routing work in this scenario?

PBF is used to SUPERSEDE the routing table, to ignore it... and follow the PBF rules.

So... if you only have a single virtual router, then you would need a PBF rule to tell the guest wireless to ignore the existing default gateway.

If you have 2 virtual routers, then the "guest wireless virtual router" would be different than your "corporate network" and because of this, NO need to use PBF. You would WANT your guests to get an address with a dg of 10.25.x.1, whose own default gateway is 10.25.x.2...

2) I assume I can forward the same traffic out the same sub-interfaces?

Yes, you can route whatever traffic you want, and engineer the firewall to do your bidding. 😛

3) Also if I performed the NAT on the Palo Alto before routing out to ISP over a private network is that acceptable from security point of view?

Perfectly acceptable to use security policies and NAT policies on your FW.

Now, are you planning to use SrcNAT or DestNAT? (You did not state the specifics.)

Remember that security policies for DNAT rules follow "Pre/Post/Pre", or PreNAT SRC Zone, POST NAT Dest Zone, PRENAT Public IP (because we do not NAT until AFTER the security policy approves that the traffic is permitted).

Thanks

What other questions can we answer for you?

Help the community: Like helpful comments and mark solutions
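To make the "Pre/Post/Pre" rule in the accepted answer concrete, here is an added Python model (example code written for this page, not from the thread or from PAN-OS) of how a DNAT flow is matched against security policy: pre-NAT source zone, post-NAT destination zone, pre-NAT public address. The routing table, zone names and IP addresses are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed routing table: (prefix, zone of the egress interface); longest prefix wins.
ROUTES = [
    (ip_network("0.0.0.0/0"), "untrust"),
    (ip_network("10.25.0.0/16"), "guest"),
    (ip_network("10.1.0.0/16"), "trust"),
]

@dataclass(frozen=True)
class Packet:
    src_zone: str   # zone of the ingress interface; NAT never changes it
    src: str
    dst: str

@dataclass(frozen=True)
class NatRule:
    original_dst: str    # public IP the client sends to (pre-NAT)
    translated_dst: str  # internal host the firewall rewrites to (post-NAT)

@dataclass(frozen=True)
class SecurityRule:
    name: str
    src_zone: str
    dst_zone: str
    dst_addr: str

def zone_for(ip: str) -> str:
    """Route lookup: zone of the longest prefix that contains ip."""
    addr = ip_address(ip)
    return max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)[1]

def evaluate(pkt: Packet, nat_rules, sec_rules):
    """Name of the first security rule that permits pkt, or None. DNAT is consulted
    only to learn the POST-NAT destination zone; the address compared against the
    rule is still the PRE-NAT one, since translation happens after the policy permits."""
    post_nat_dst = next((n.translated_dst for n in nat_rules if n.original_dst == pkt.dst), pkt.dst)
    dst_zone = zone_for(post_nat_dst)
    for rule in sec_rules:
        if rule.src_zone == pkt.src_zone and rule.dst_zone == dst_zone and rule.dst_addr == pkt.dst:
            return rule.name
    return None

# Constructed case: Internet client hits public 203.0.113.10, DNAT'd to 10.1.0.50 in zone "trust".
NAT = [NatRule("203.0.113.10", "10.1.0.50")]
INBOUND = Packet("untrust", "198.51.100.7", "203.0.113.10")
WRONG = SecurityRule("dnat-post-nat-addr", "untrust", "trust", "10.1.0.50")    # post-NAT address: never matches
RIGHT = SecurityRule("dnat-pre-post-pre", "untrust", "trust", "203.0.113.10")  # pre-NAT address, post-NAT zone
```

Running `evaluate(INBOUND, NAT, [WRONG])` returns None while `evaluate(INBOUND, NAT, [RIGHT])` matches, which is the mistake the answer warns about: a rule written with the translated address, or with the zone the public IP itself routes to, will never permit the flow.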


Hello Steve,

Many thanks for the reply.
