I have a single HPE 5400 that links to a PA-820. I have an untagged p2p VLAN on a Layer3 interface on the PA. I use this as the "MGMT/LAN" side. The HPE is doing routing for internal networks.
To add another VLAN, I tagged that same port on the switch, and I add a sub-interface on the PA with the appropriate tag.
So, the uplink between the switch and the PA is untagged VLAN 253 (MGMT/LAN), and tagged VLAN 201 (DMZ). [I've also tried removing the IP settings from the parent interface and adding two sub-interfaces for VLAN 253/201]
My issue is when the DMZ (201) traffic flows up to the switch it is exiting the default route and the VLAN tag is stripped. This is causing the PA to classify the zone as LAN and dropping the traffic. This is despite the routing tables on both the PA and the HPE showing that the appropriate route is VLAN connected.
If I have a client device with the gateway set as the PA, the traffic flows as normal all the way to the internet.
I have some wireless controllers that have multiple interfaces on them. You can't specify a gateway per interface. So if I route-ping from the DMZ interface on the controller it is going to hit the default router of the controller. That is the HPE. So, the traffic is pushed to the HPE, then the HPE should route appropriately. I'm not sure why the PA is treating the traffic this way.
I have 3 other firewalls in my lab, and they all function normally configured this way. Trunk port is untagged for the main MGMT interface, and tagged for the VLANs I want to pass up.
To add: I know I can just move the controller to the same physical location and physically link the two removing this issue, but I shouldn't have to.
EDIT: The LAN/MGMT interface and the DMZ subInterface are in two separate zones.
Thanks in advance!
Sure, and some context. 192.168.253.1 is the PA LAN parent interface. B16 is the trunked port to the PA. VLAN 201 is the DMZ with a subInterface on the PA at 172.16.1.253.
ip route 0.0.0.0 0.0.0.0 192.168.253.1
ip route 10.10.10.0 255.255.255.0 192.168.1.2
ip route 172.16.0.0 255.255.255.0 172.16.0.1 name "Guest_Network"
ip routing
And port config:
vlan 201
   name "DMZ"
   tagged B16,C1-C8,C23
   ip address 172.16.1.5 255.255.255.0
   exit
vlan 253
   name "Palo LAN"
   untagged B16
   ip address 192.168.253.2 255.255.255.252
   exit

And the routing table:

Destination         Gateway          VLAN  Type       Sub-Type   Metric  Dist.
------------------  ---------------  ----  ---------  ---------  ------  -----
0.0.0.0/0           192.168.253.1    253   static                1       1
184.108.40.206/32   lo1                    connected             1       0
10.10.10.0/24       192.168.1.2      1     static                1       1
127.0.0.0/8         reject                 static                0       0
127.0.0.1/32        lo0                    connected             1       0
172.16.0.0/24       Guest            300   connected             1       0
172.16.1.0/24       DMZ              201   connected             1       0
192.168.1.0/24      DEFAULT_VLAN     1     connected             1       0
192.168.2.0/24      Wireless         2     connected             1       0
192.168.4.0/30      VLAN400          400   connected             1       0
192.168.199.0/24    MGMT             199   connected             1       0
192.168.253.0/30    Palo LAN         253   connected             1       0
192.168.254.0/24    FG LAN           254   connected             1       0
This really seems like it's an issue with the 5400, but the configuration looks fine to me and I don't see any obvious issues with what you have posted. If the VLAN tag is not present, the firewall rightfully isn't going to get the traffic assigned to the proper zone and your security rulebase entries aren't going to match any of the traffic.
You might want to reach out to HPE and see why the 5400 is stripping out the VLAN tag; I'm guessing that it's something config related.
The config may be wrong, but only in the sense that it is not configured the way a PA likes it versus another vendor. This is how I configure FortiGates, SonicWalls, and Cisco ASRs when passing traffic from an HPE.
I really think it has something to do with the default route. I mean, regardless of vendor, you have to have a default route, correct? So all unknown traffic is going to hit that internal parent interface. Since the route is VLAN connected it should be passing that tag up. It just seems like it's the PA not handling it correctly.
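An added example, not from the thread, that models the HPE's forwarding decision on the posted routing table and port config: a longest-prefix match picks the egress VLAN, and B16's membership in that VLAN decides whether the frame leaves the uplink tagged or untagged, which is what the PA uses to pick the ingress interface and zone. Assumptions: only the B16 uplink is modelled, and the loopback and reject entries are left out.

```python
import ipaddress

# Routes transcribed from the posted "show ip route" (loopback/reject omitted).
# Value is (egress VLAN, next hop); next hop None means directly connected.
ROUTES = {
    "0.0.0.0/0":        (253, "192.168.253.1"),
    "10.10.10.0/24":    (1,   "192.168.1.2"),
    "172.16.0.0/24":    (300, None),
    "172.16.1.0/24":    (201, None),
    "192.168.1.0/24":   (1,   None),
    "192.168.2.0/24":   (2,   None),
    "192.168.4.0/30":   (400, None),
    "192.168.199.0/24": (199, None),
    "192.168.253.0/30": (253, None),
    "192.168.254.0/24": (254, None),
}

# VLAN membership of uplink port B16, from the posted "vlan" stanzas.
B16_MEMBERSHIP = {201: "tagged", 253: "untagged"}


def lookup(dst: str):
    """Longest-prefix match: the most specific matching prefix wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, (vlan, next_hop) in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, vlan, next_hop)
    return best


def egress_on_b16(dst: str):
    """How a routed packet to dst leaves B16: (vlan, 'tagged'|'untagged'), or None."""
    best = lookup(dst)
    if best is None:
        return None
    _, vlan, _ = best
    tagging = B16_MEMBERSHIP.get(vlan)
    if tagging is None:
        return None  # B16 is not a member of that VLAN, so it never leaves this port
    return vlan, tagging


if __name__ == "__main__":
    for dst in ("8.8.8.8", "172.16.1.50", "10.10.10.5"):
        print(dst, "->", egress_on_b16(dst))
```

A DMZ host's internet-bound packet matches only 0.0.0.0/0, so it leaves in VLAN 253 untagged, where the PA sees it on the parent (LAN) interface with a DMZ source address; traffic to a 172.16.1.0/24 destination leaves in VLAN 201 tagged.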