Question Regarding Rule Processing Behavour with Multiple Virtual Routers

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Question Regarding Rule Processing Behavour with Multiple Virtual Routers

L3 Networker

So I have a few virtual routers on my PA 4200.

I have one VR that every packet touches more or less before it gets sent on its way. Every Interface has its own zone.

So,

  • a packet comes into the main VR (VR1). A route is found, NAT rules are processed (none found) and a security rule is hit, packet is allowed through and a (firewall) session is created.
  • The route found pushes the packet to another VR (VR2).
  • The packet arrives at VR2.

Do I need an entirely new rule for this new VR? I think I do right?

OR

Has the packet already been allowed 'into' the firewall and from this point in its in fasttrack/fastpath mode as far as rules are concerned and all that applies from now on is NAT and routing?

thanks

1 accepted solution

Accepted Solutions

L7 Applicator

Hello,

No, you don't need a second rule. At the point it egresses the interface in VR1 (even if a virtual egress) all decision-making policy has been done and the firewall is just running through the route table to send it on its way. A second rule at this point wouldn't even be processed as the security policy has already been evaluated.

There is a time you may need a second rule, and that is if you were sending it to a new virtual system. A different virtual system is effectively a completely different firewall and thus would need separately defined interfaces, zones and policies.

Hope this helps!

Greg Wesson

View solution in original post

4 REPLIES 4

L7 Applicator

Hello,

No, you don't need a second rule. At the point it egresses the interface in VR1 (even if a virtual egress) all decision-making policy has been done and the firewall is just running through the route table to send it on its way. A second rule at this point wouldn't even be processed as the security policy has already been evaluated.

There is a time you may need a second rule, and that is if you were sending it to a new virtual system. A different virtual system is effectively a completely different firewall and thus would need separately defined interfaces, zones and policies.

Hope this helps!

Greg Wesson

Great, thats what I thought,

thanks very much for the reply!!

L0 Member

in case we have something like this :

outside (ZONE A)   ----> eth0 [ vrouter 1] eth2 (ZONE B) ---->switch ----> (ZONE B) eth3 [ vrouter2]  eth4 (ZONE C) ----> server

(this on a PA500 platform)

what if we are leaving the first router using eth2 and enter again the second router. would this also be handled it the same way ?

i would say that when packet arives in eth3 it would create a new session  for zone between eth3 and 4?

the

Hi Luc,

You are correct. When it egresses outside the firewall, if it comes back in at any point on a different interface it will need to be processed again. The session details will have changed (different source and destination zones) so that will need to be evaluated in the security policy.

Regards,

Greg Wesson

  • 1 accepted solution
  • 2637 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!