10-13-2016 01:25 AM - edited 10-13-2016 01:36 AM
Hello Experts
I was just wondering how a firewall session is created for inter-VR communication. I have a scenario like this:
Interface eth1/1 (Trust-VR) Trust Zone --- LAN (10.10.10.0/24)
Interface eth1/2 (Untrust-VR) Untrust Zone --- INTERNET
In Trust-VR, I have a 0/0 default route towards Untrust-VR, and I have created the security policy between the Trust and Untrust zones to allow the communication. My question is, in which VR will the firewall create the session? I mean, for reverse traffic, where will the route lookup for 10.10.10.0/24 happen? In Trust-VR or Untrust-VR?
In the case of Trust-VR, is there then no need for a reverse route for 10.10.10.0/24 in Untrust-VR with next-hop Trust-VR?
Thanks
10-13-2016 02:11 AM
Hi,
the session is created on the firewall, not in the VR.
Why do you use two VRs?
And in the Untrust-VR you need a static route back to the Trust-VR (10.10.10.0/24).
10-14-2016 05:17 AM
Thanks dear. Actually I have a scenario like this: in the firewall I have two VRs, VR-1 for customer-1 and VR-2 for the other customer. Both have the same subnets (overlapping subnets) but go to the internet from the global table (trust-vr) interface (connected to the internet router and doing the NAT). In Juniper SRX, the session is bound to a VR. So if traffic is going from VR-1 to the global table, the reverse route lookup happens in VR-1 and the global table does not need to have reverse static routes for VR-1 and VR-2. It seems the Palo Alto firewall session is not bound to any VR.
Since VR-1 and VR-2 share the same subnets, how can I define the reverse static routes in trust-vr for VR-1 and VR-2? Should I enable symmetric return? Or is there any other solution?
10-22-2016 07:22 AM - edited 10-22-2016 07:24 AM
10-22-2016 11:47 AM
10-22-2016 01:38 PM
Thank you @reaper. I just tested quickly. So my topology is like LAN -> PA -> Internet. Now if traffic has to pass through an AV system or transparent proxy (also directly connected to the PA) using filter-based forwarding, traffic will pass like this:
LAN -> PA -> AV System -> PA -> Internet (outgoing traffic)
Internet -> PA -> LAN (return traffic)
This will cause asymmetric routing. I cannot play with VRs because, as you said, the session is not bound to a VR. The only way I could think of was to enable symmetric return on the Internet interface, and that worked like a charm! The return traffic is now taking the same path as the outgoing traffic.
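The behaviour discussed in this thread, modelled as a small added example (not code from the thread or from Palo Alto Networks): a single session table that is not bound to any VR, filter/policy-based forwarding that pushes LAN traffic to the AV system first, and symmetric return sending the server-to-client flow back out the interface the client-to-server flow arrived on. Interface names, the AV link prefix and the host addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology following the thread: LAN, a transparent AV system and
# the Internet are all directly connected to the firewall. Interface names,
# the AV link prefix and the hosts are assumptions, not the poster's values.
ROUTES = [                                    # longest-prefix-match table
    (ip_network("10.10.10.0/24"), "eth1/1"),  # LAN
    (ip_network("192.0.2.0/30"), "eth1/3"),   # link to the AV system
    (ip_network("0.0.0.0/0"), "eth1/2"),      # Internet
]
# Filter/policy-based forwarding: traffic arriving from the LAN on eth1/1 is
# handed to the AV system instead of following the route table.
PBF = {"eth1/1": "eth1/3"}

def route_lookup(dst: str) -> str:
    matches = [r for r in ROUTES if ip_address(dst) in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]

@dataclass
class Session:
    c2s_ingress: str  # interface the first packet came in on
    c2s_egress: str   # interface it left on; the return flow must arrive here

class Firewall:
    """Stateful forwarder with one flow table shared by every VR."""
    def __init__(self, symmetric_return: bool):
        self.symmetric_return = symmetric_return
        self.flows: dict[tuple, tuple[Session, str]] = {}

    def forward(self, src: str, dst: str, ingress: str) -> str:
        flow = self.flows.get((src, dst, ingress))
        if flow is None:                           # first packet: new session
            egress = PBF.get(ingress) or route_lookup(dst)
            sess = Session(c2s_ingress=ingress, c2s_egress=egress)
            self.flows[(src, dst, ingress)] = (sess, "c2s")
            self.flows[(dst, src, egress)] = (sess, "s2c")
            return egress
        sess, direction = flow
        if direction == "c2s":
            return sess.c2s_egress
        # Return flow: symmetric return ignores the route table and sends the
        # packet back out the interface the original request arrived on.
        return sess.c2s_ingress if self.symmetric_return else route_lookup(dst)

def trace_return_path(symmetric_return: bool) -> list[str]:
    """Egress interface at each pass: LAN->AV, AV->Internet, Internet->back."""
    fw = Firewall(symmetric_return)
    lan, inet = "10.10.10.5", "203.0.113.10"
    return [fw.forward(lan, inet, "eth1/1"),   # LAN -> PA -> AV system
            fw.forward(lan, inet, "eth1/3"),   # AV system -> PA -> Internet
            fw.forward(inet, lan, "eth1/2")]   # Internet -> PA -> ?
```

Without symmetric return the third hop is resolved by route lookup and goes straight to the LAN on eth1/1, bypassing the AV system; with it the reply goes back to eth1/3, matching the outgoing path.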