04-27-2024 10:22 PM
Short description of the situation: We run several vSys on one physical firewall and each vSys has its own virtual router. We have a star topology, so there is one special vSys in the middle of all traffic (let's call it vCE - like Central), and all traffic must go through it. Let's call other vSys vA, vB , vC and so on. If traffic wants to go from, for example, vA to vB, we routed it this way vA -> vCE -> vB with static routes in particular virtual routers. Also 3 security rules needed to be configured all the time. And this is intended like this.
Situation before the change: Traffic between firewalls was passing through Layer3 zones and physical interfaces outside of firewall to our switching/routing infrastructure and then returning back to other vSys.
What we did: External security zones were configured (one for each vSys) and traffic was re-routed through external zones instead of next-hop IPs.
Issue: Couple of days after the configuration change we figured out that if the traffic is flowing vA -> vCE -> vB, we don't see the logs on vCE. Also security policy that is configured on vCE is bypassed. Still, the (static) routing has the same topology and should send the traffic through the vCE. The traffic works. But it can't stay like this because it violates our star-topology design.
Any ideas why is it like this and how this can be fixed?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
