Two WAN Ports on one Switch. Split of physical VPN and Internet port.


L0 Member

Hello,

I hope there's someone here who's more capable than me to help with my problem 🙂
I searched the forum and the documentation for quite a while but I can't figure it out.

Current Situation:

All incoming traffic is sourced through port eth1/7 in the zone 'Untrust', and all other IPs (XXX/29) provided by our ISP are handled via loopbacks, also situated in 'Untrust'.

 

Final Setup:
We now want to split GlobalProtect and IKE gateways onto a different physical cable, eth1/2, zone 'VPN-Gate'. Both ports are on the same switch in the same VLAN, called 'WAN', as the ISP's connection.

The second we activated the physical cable connection on eth1/2, some of our incoming web traffic was sorted into the new zone 'VPN-Gate' instead of the usual 'Untrust' zone.

Config-wise, there is just the IP of the physical interface and the GlobalProtect gateway IP as a loopback in the zone 'VPN-Gate'. All other IPs are bound to 'Untrust'.

Why does the Palo decide that some of the traffic meant for an IP not bound to the 'VPN-Gate' zone needs to be sorted into 'VPN-Gate'?

Si vis pacem para bellum
2 REPLIES

Cyber Elite

@AndreGoebel,

The switch is sending some of the traffic to the interface that you aren't expecting. You may need to set up actual routes on your switch to ensure that traffic you expect on ethernet1/7 doesn't present itself on ethernet1/2.
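The mechanism behind this reply, as an added model written for this page (it is not code from the thread and not PAN-OS code): a firewall's ingress zone is a property of the physical interface a frame arrives on, not of the destination IP, so on a flat Layer 2 segment it is the upstream router's ARP cache that decides which zone a flow lands in. Interface names and zones are the thread's; the MAC addresses, the VLAN IDs (10 for 'WAN', 20 for a hypothetical second VLAN), the 203.0.113.0/29 documentation prefix standing in for the ISP's XXX/29, and the simplifying assumption that the firewall answers ARP for any address it owns on every physical interface whose subnet contains that address (loopback /32s included) are all assumptions of the model.

```python
"""Model of two firewall interfaces sharing one Layer 2 WAN segment.

Added example, not PAN-OS code. Constructed values: MACs, VLAN IDs and the
203.0.113.0/29 documentation prefix (stands in for the thread's XXX/29).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface


@dataclass(frozen=True)
class Iface:
    name: str
    zone: str
    mac: str
    vlan: int
    addr: IPv4Interface  # primary address with prefix, e.g. 203.0.113.2/29


class Firewall:
    def __init__(self, ifaces, loopbacks):
        self.ifaces = list(ifaces)
        self.loopbacks = dict(loopbacks)  # loopback IP -> zone the loopback is bound to
        self.by_mac = {i.mac: i for i in self.ifaces}

    def owns(self, ip):
        return ip in self.loopbacks or any(ip == i.addr.ip for i in self.ifaces)

    def arp_responders(self, target, vlan):
        # ASSUMPTION: every physical interface in `vlan` whose subnet contains
        # an address the firewall owns replies to ARP for it, loopbacks included.
        return [i for i in self.ifaces
                if i.vlan == vlan and self.owns(target) and target in i.addr.network]

    def classify(self, ingress_mac, dst):
        """Zones as the firewall would see them: source zone follows the
        ingress interface, destination zone follows the owning loopback."""
        ingress = self.by_mac[ingress_mac]
        dst_zone = self.loopbacks.get(dst) or next(
            i.zone for i in self.ifaces if i.addr.ip == dst)
        return ingress.name, ingress.zone, dst_zone


class UpstreamRouter:
    """ISP router on the WAN VLAN: one ARP entry per IP, first reply wins."""

    def __init__(self, vlan):
        self.vlan = vlan
        self.arp = {}

    def resolve(self, fw, ip, reply_order=None):
        if ip not in self.arp:
            replies = fw.arp_responders(ip, self.vlan)
            if not replies:
                raise LookupError(f"no ARP reply for {ip} on VLAN {self.vlan}")
            if reply_order:  # which reply hits the router first (a race on a shared VLAN)
                replies.sort(key=lambda i: reply_order.index(i.name))
            self.arp[ip] = replies[0].mac
        return self.arp[ip]


def deliver(router, fw, dst, reply_order=None):
    mac = router.resolve(fw, dst, reply_order)
    # A Layer 2 switch forwards on destination MAC only, i.e. straight to the
    # firewall port that answered the ARP; it cannot steer by destination IP.
    return fw.classify(mac, dst)


ETH1_7 = Iface("ethernet1/7", "Untrust", "00:1b:17:00:00:07", 10, IPv4Interface("203.0.113.2/29"))
ETH1_2 = Iface("ethernet1/2", "VPN-Gate", "00:1b:17:00:00:02", 10, IPv4Interface("203.0.113.3/29"))
LOOPBACKS = {IPv4Address("203.0.113.4"): "Untrust",   # a web server IP
             IPv4Address("203.0.113.5"): "VPN-Gate"}  # GlobalProtect gateway IP
WEB_IP, GP_IP = IPv4Address("203.0.113.4"), IPv4Address("203.0.113.5")


def flat_segment(reply_order):
    """Both cables in VLAN 10: the zone of a web flow depends on an ARP race."""
    fw = Firewall([ETH1_7, ETH1_2], LOOPBACKS)
    return deliver(UpstreamRouter(vlan=10), fw, WEB_IP, reply_order)


def separate_vlan_on_l2_switch():
    """eth1/2 moved to VLAN 20 with no routing between VLANs: deterministic,
    but everything, GlobalProtect included, now enters via eth1/7."""
    eth1_2 = Iface(ETH1_2.name, ETH1_2.zone, ETH1_2.mac, 20, ETH1_2.addr)
    fw = Firewall([ETH1_7, eth1_2], LOOPBACKS)
    router = UpstreamRouter(vlan=10)
    return {str(ip): deliver(router, fw, ip) for ip in (WEB_IP, GP_IP)}


if __name__ == "__main__":
    print("eth1/2 answers first:", flat_segment(["ethernet1/2", "ethernet1/7"]))
    print("eth1/7 answers first:", flat_segment(["ethernet1/7", "ethernet1/2"]))
    print("separate VLAN, L2 only:", separate_vlan_on_l2_switch())
```

Running it shows the two outcomes the thread reports: when ethernet1/2's ARP reply reaches the ISP router first, a flow to the Untrust web IP is classified with source zone 'VPN-Gate', and only with the other ordering does it land in 'Untrust'. Moving eth1/2 to its own VLAN makes the result deterministic, but on a Layer 2 only switch that VLAN is unreachable from the ISP router, so the GlobalProtect IP is also answered by eth1/7 and the second cable carries nothing; that is why the reply above says the switch itself would need to route.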

Thank you for your input.
I did not consider our switch as a point of failure. As the switch we are using right now is a layer 2 switch, routing won't be an option at this moment.
So I might be stuck with the one-cable solution for now.

Si vis pacem para bellum