06-25-2024 05:14 AM
Hello,
I hope there's someone here who's more capable than me for my problem 🙂
I searched the forum and the documentation for quite a while but I can't figure it out.
Current Situation:
All incoming traffic gets sourced through port eth1/7 with the zone 'Untrust', and all other IPs (XXX/29) provided by our ISP are handled via loopbacks also situated in 'Untrust'.
Final Setup:
We are now trying to split the GlobalProtect and IKE gateways onto a different physical cable, eth1/2, zone: 'VPN-Gate'. Both ports are on the same switch in the same VLAN called 'WAN', as is the ISP's connection.
The second we activated the physical cable connection eth1/2, some of our incoming web traffic was sorted into the new zone 'VPN-Gate' instead of the usual 'Untrust' zone.
Config-wise, there's just the IP of the physical interface and the GlobalProtect gateway IP as a loopback in the zone 'VPN-Gate'. All other IPs are bound to 'Untrust'.
Why does the Palo decide that some of the traffic meant for an IP not bound to the 'VPN-Gate' zone needs to be sorted into 'VPN-Gate'?
06-25-2024 01:22 PM
The switch is sending some of the traffic to the interface that you aren't expecting. You may need to set up actual routes on your switch to ensure that traffic you expect on ethernet1/7 doesn't present itself on ethernet1/2.
06-25-2024 11:09 PM
Thank you for your input.
I did not consider our switch as a point of failure. As the switch we are using right now is a layer 2 switch, routing won't be an option at this moment.
So I might be stuck with the one cable solution for now.