01-08-2013 08:45 AM
So I have a few virtual routers on my PA 4200.
I have one VR that every packet touches more or less before it gets sent on its way. Every interface has its own zone.
So,
Do I need an entirely new rule for this new VR? I think I do right?
OR
Has the packet already been allowed 'into' the firewall, and from this point on is it in fasttrack/fastpath mode as far as rules are concerned, so that all that applies from now on is NAT and routing?
thanks
01-08-2013 09:23 AM
Hello,
No, you don't need a second rule. At the point it egresses the interface in VR1 (even if a virtual egress) all decision-making policy has been done and the firewall is just running through the route table to send it on its way. A second rule at this point wouldn't even be processed as the security policy has already been evaluated.
There is a time you may need a second rule, and that is if you were sending it to a new virtual system. A different virtual system is effectively a completely different firewall and thus would need separately defined interfaces, zones and policies.
Hope this helps!
Greg Wesson
01-08-2013 09:26 AM
Great, that's what I thought,
thanks very much for the reply!!
01-08-2013 09:39 AM
In case we have something like this:
outside (ZONE A) ----> eth0 [ vrouter 1] eth2 (ZONE B) ---->switch ----> (ZONE B) eth3 [ vrouter2] eth4 (ZONE C) ----> server
(this on a PA500 platform)
What if we are leaving the first router using eth2 and entering the second router again? Would this also be handled in the same way?
I would say that when the packet arrives on eth3 it would create a new session for the zone pair between eth3 and eth4?
the
01-08-2013 09:51 AM
Hi Luc,
You are correct. When it egresses outside the firewall, if it comes back in at any point on a different interface it will need to be processed again. The session details will have changed (different source and destination zones) so that will need to be evaluated in the security policy.
Regards,
Greg Wesson
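To make the two answers above concrete, here is a small model of the behaviour Greg describes, added here as an illustration. It is not PAN-OS code and not anything from the thread: the interface-to-zone map, the two route tables, the server addresses (10.30.1.1 reached through an inter-VR next hop, 10.40.1.1 reached through the eth2 -> switch -> eth3 hairpin from Luc's diagram) and the policy rules are all constructed. The model follows the route lookup across virtual routers inside one box, evaluates security policy exactly once per session on the (source zone, destination zone) pair, and starts a new session only when the packet physically leaves and re-enters on another interface.

```python
"""Constructed model of session creation and security-policy evaluation
across virtual routers (VRs) on a single firewall.

Assumptions (not taken from the thread): interface/zone/VR assignments,
route tables, addresses and the policy rules below are invented to mirror
the two cases discussed.  A session is keyed by the zone of the ingress
interface and the zone of the FINAL egress interface, however many VRs the
route lookup crosses; policy is evaluated once when the session is created.
"""
import ipaddress
from dataclasses import dataclass

# Interface -> zone.  eth2 and eth3 share zone B, as in Luc's diagram.
IFACE_ZONE = {"eth0": "A", "eth2": "B", "eth3": "B", "eth4": "C"}
# Interface -> virtual router that owns it.
IFACE_VR = {"eth0": "vrouter1", "eth2": "vrouter1", "eth3": "vrouter2", "eth4": "vrouter2"}

# Route tables: (prefix, next hop).  A next hop is an interface name, or
# "vr:<name>" meaning "continue the lookup in that virtual router".
ROUTES = {
    "vrouter1": [
        ("10.30.0.0/16", "vr:vrouter2"),   # internal VR-to-VR handoff
        ("10.40.0.0/16", "eth2"),          # leaves the box towards the switch
        ("0.0.0.0/0", "eth0"),
    ],
    "vrouter2": [
        ("10.30.0.0/16", "eth4"),
        ("10.40.0.0/16", "eth4"),
        ("0.0.0.0/0", "eth3"),
    ],
}

# Physical wiring outside the firewall: eth2 -> switch -> eth3.
EXTERNAL_LINKS = {"eth2": "eth3"}


def lookup(vr, dst, hops=0):
    """Longest-prefix match in `vr`; follows inter-VR next hops and returns
    the final egress interface name."""
    if hops > len(ROUTES):
        raise RuntimeError("inter-VR routing loop")
    addr = ipaddress.ip_address(dst)
    best_len, best_nh = -1, None
    for prefix, nh in ROUTES[vr]:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_nh = net.prefixlen, nh
    if best_nh is None:
        raise LookupError(f"no route to {dst} in {vr}")
    if best_nh.startswith("vr:"):
        return lookup(best_nh[3:], dst, hops + 1)
    return best_nh


@dataclass(frozen=True)
class Session:
    ingress: str
    egress: str
    src_zone: str
    dst_zone: str
    action: str


def evaluate_policy(policy, src_zone, dst_zone):
    """First-match evaluation of (src_zone, dst_zone, action) rules with an
    implicit deny at the end, as security policy behaves."""
    for src, dst, action in policy:
        if src in (src_zone, "any") and dst in (dst_zone, "any"):
            return action
    return "deny"


def new_session(policy, ingress, dst):
    """A packet arrives on `ingress`: zone from the ingress interface, route
    lookup (possibly across VRs) gives the egress interface and its zone,
    then ONE security-policy lookup for the session."""
    egress = lookup(IFACE_VR[ingress], dst)
    src_zone, dst_zone = IFACE_ZONE[ingress], IFACE_ZONE[egress]
    action = evaluate_policy(policy, src_zone, dst_zone)
    return Session(ingress, egress, src_zone, dst_zone, action)


def trace(policy, ingress, dst):
    """Follow a packet until it is dropped or leaves on an interface that does
    not loop back into the firewall.  Returns every session it created."""
    sessions, iface = [], ingress
    while True:
        s = new_session(policy, iface, dst)
        sessions.append(s)
        if s.action != "allow" or s.egress not in EXTERNAL_LINKS:
            return sessions
        iface = EXTERNAL_LINKS[s.egress]  # re-entry: new session, policy again


if __name__ == "__main__":
    for name, policy in [("A->C only", [("A", "C", "allow")]),
                         ("A->B and B->C", [("A", "B", "allow"), ("B", "C", "allow")])]:
        for dst in ("10.30.1.1", "10.40.1.1"):
            print(name, dst, [(s.src_zone, s.dst_zone, s.action) for s in trace(policy, "eth0", dst)])
```

Run as a script it shows the two cases side by side: the VR-to-VR handoff to 10.30.1.1 is a single A-to-C session and only needs an A-to-C rule, while the hairpin to 10.40.1.1 is two sessions (A-to-B, then B-to-C) and is dropped at the first one unless both zone pairs are allowed. On a real firewall the same distinction is visible in `show session all` and with `test security-policy-match`, which report the zone pair the policy lookup actually used.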