Session Lookup for inter-virtual communication


Hello Experts

 

I was just wondering how a firewall session is created for inter-VR communication. I have a scenario like this:

 

Interface eth1/1 (Trust-VR) Trust Zone ---LAN (10.10.10.0/24)

Interface eth1/2 (Untrust-VR) Untrust Zone ---INTERNET

 

In Trust-VR, I have a 0/0 default route towards Untrust-VR, and I have created the security policy between the Trust and Untrust zones to allow the communication. My question is, in which VR will the firewall create the session? I mean, for reverse traffic, where will the route lookup for 10.10.10.0/24 happen? In Trust-VR or Untrust-VR?

In case it is Trust-VR, then there is no need for a reverse route for 10.10.10.0/24 in Untrust-VR with next-hop Trust-VR?

 

Thanks

 

Accepted solution

In PAN-OS the sessions are created differently.
Sessions exist inside a vsys (virtual system) and are created by the firewall independent of routing. Route lookups are performed per flow direction, so in your example you need routes in both directions.
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization



Hi, 

 

the session is created on the firewall, not in the VR.

 

Why do you use two VRs?

 

And in the Untrust-VR you need a static route back to the Trust-VR (10.10.10.0/24).
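As an added illustration of the accepted answer and of the reply above (this is not configuration posted in the original thread), the PAN-OS CLI fragment below builds the two-VR setup from the question and adds the reverse route that both answers say is required. The VR names, interfaces and the 10.10.10.0/24 LAN come from the question; the zone names, the upstream router 203.0.113.1, the Internet host 198.51.100.1 and the LAN host 10.10.10.20 used in the lookup checks are assumptions. Lines starting with `#` are annotations, not CLI input.

```text
# --- Trust-VR: the LAN-facing VR. Its default route points at the other VR,
#     so no IP next hop is needed (assumed zone name: Trust) ---
set zone Trust network layer3 ethernet1/1
set network virtual-router Trust-VR interface ethernet1/1
set network virtual-router Trust-VR routing-table ip static-route default destination 0.0.0.0/0 nexthop next-vr Untrust-VR

# --- Untrust-VR: the Internet-facing VR with the real default route
#     (203.0.113.1 is an assumed upstream router; assumed zone name: Untrust) ---
set zone Untrust network layer3 ethernet1/2
set network virtual-router Untrust-VR interface ethernet1/2
set network virtual-router Untrust-VR routing-table ip static-route default destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 203.0.113.1

# --- The reverse route the thread says you cannot skip. Return packets arrive
#     on ethernet1/2, which belongs to Untrust-VR, so the lookup for the LAN
#     happens in Untrust-VR regardless of where the session was first seen ---
set network virtual-router Untrust-VR routing-table ip static-route to-lan destination 10.10.10.0/24 nexthop next-vr Trust-VR

# --- Verification from operational mode: one lookup per flow direction,
#     each in the VR that owns the ingress interface for that direction ---
test routing fib-lookup virtual-router Trust-VR ip 198.51.100.1
test routing fib-lookup virtual-router Untrust-VR ip 10.10.10.20
```

If you remove the `to-lan` route and repeat the second lookup, Untrust-VR reports no route for 10.10.10.20, which is the state the accepted answer warns about: the client-to-server direction resolves in Trust-VR, but the server-to-client direction cannot be resolved, so the flow does not work end to end.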

Thanks dear. Actually I have a scenario like this: in the firewall I have two VRs, VR-1 for customer-1 and VR-2 for another customer. Both have the same subnets (overlapping subnets) but go to the internet from the global table (trust-vr) interface (connected to the internet router and doing the NAT). In Juniper SRX, the session is bound to the VR. So if traffic is going from VR-1 to the global table then the reverse route lookup happens in VR-1 and the global table does not need to have reverse static routes for VR-1 and VR-2. It seems the Palo Alto firewall session is not bound to any VR.

 

Since VR-1 and VR-2 share the same subnets, how can I define the reverse static routes in trust-vr for VR-1 and VR-2? Should I enable symmetric return? Or is there any other solution?

@reaper @pulukas

 

Could you please also look into this? Is the session bound to a virtual router or not?


Thank you @reaper. I just tested quickly. So my topology is like LAN -> PA -> Internet. Now if traffic has to pass through an AV system or transparent proxy (also directly connected to the PA) using filter-based forwarding, traffic will pass like this:

LAN -> PA -> AV System -> PA -> Internet (outgoing traffic)

Internet -> PA -> LAN (return traffic)

This will cause asymmetric routing. I cannot play with VRs because, as you said, the session is not bound to a VR. The only way I could think of is to enable symmetric return on the Internet interface, and that worked like a charm! The return traffic now takes the same path as the outgoing traffic.
