07-29-2014 06:29 AM
Remote site has a PA-200
HQ has a PA-2020.
I have the VPN setup between the two so that they are connected to each other.
I need the internet traffic from the remote site to pass through our content filter that is connected to the PA-2020 at the HQ.
The content filter is not seen by any devices; it is transparent to all devices.
Traffic flow from a laptop at the remote site to the internet would look like this:
Laptop --> PA-200 -----VPN----> PA-2020 (HQ) ----> content filter (transparent) ----> HQ core switch ------> content filter (transparent) ----> PA-2020 (HQ) ----> internet
Does that make sense?
Thanks for any assistance.
Matt
07-29-2014 07:31 AM
Hello Matt,
It looks good to me. Since the traffic traverses the PAN firewall twice, we may need to perform a source NAT for this traffic at the HQ core switch, a source NAT that ensures the symmetric return of the traffic through the HQ core switch.
As per my understanding, your traffic is flowing like the above-mentioned diagram. The green line is for return traffic from the internet. So, only a source NAT in your HQ core switch can ensure the return traffic goes back to the HQ core through the content filter. Otherwise, if you perform NAT on the PAN firewall, return traffic will not traverse the HQ core and content filter, since the PAN firewall will identify the direct route to reach the remote user's subnet through the VPN tunnel.
Hope this helps.
Thanks
08-05-2014 10:59 AM
Thanks.
The internet traffic is not hitting the core switch, only the internal traffic.
Do I need to adjust my route table on the remote VPN to direct traffic to the core switch IP instead of the PA-2020?
I am going to try this to see what it does...but I don't think it will work.
What if I had another device on the other side of the core switch?
a vpn concentrator, or even another PA box.
Would it be possible to simply NAT (bi-directional) the VPN traffic from public ip on PA-2020 to internal ip of other device?
remote site PA-200 public ip ----> PA-2020 public IP ----> (NAT) -----> PA-200 internal ip
then, internet traffic would go out via the core, pass through the content filter, and then back in...
Thanks again.
matt
08-05-2014 12:15 PM
or...
how do I set up the PA-200 to split traffic...
internal, 10.x.x.x via the VPN
internet, 0.0.0.0 except 10.x, via the internet connection?
tried two routes, but they didn't split the traffic, everything still going over the vpn...unless I didn't get the right combination of interface/route/next hop/etc.
08-05-2014 12:36 PM
You need to configure a specific route through the VPN tunnel (based on destination) and a default route for all internet traffic. The PAN firewall will search for the longest match first (through the tunnel).
Thanks
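The longest-match behaviour described above, as an added illustration that is not part of the original thread or of PAN-OS: a small route lookup over a constructed route table with a specific 10.0.0.0/8 route via the tunnel and a default route via the ISP interface. Interface names and the next-hop address are placeholders.

```python
import ipaddress
from collections import namedtuple

# Constructed virtual-router entries (placeholders, not from the thread):
# destination prefix, egress interface, next hop (None for a tunnel route).
Route = namedtuple("Route", "destination interface next_hop")

SPLIT_TUNNEL_ROUTES = [
    Route("10.0.0.0/8", "tunnel.1", None),          # HQ networks via the VPN
    Route("0.0.0.0/0", "ethernet1/1", "203.0.113.1"),  # everything else via ISP
]

# The symptom from the thread: a default route that points into the tunnel,
# so every destination matches it and nothing goes out the local ISP link.
ALL_VIA_VPN_ROUTES = [
    Route("0.0.0.0/0", "tunnel.1", None),
]


def lookup(dst_ip, routes):
    """Return the route with the longest prefix containing dst_ip, i.e. the
    same selection a virtual router makes. Returns None if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route.destination)
        if ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def egress_interface(dst_ip, routes):
    """Egress interface chosen for dst_ip, or None when unroutable."""
    route = lookup(dst_ip, routes)
    return route.interface if route else None


if __name__ == "__main__":
    for dst in ("10.20.30.40", "198.51.100.7"):
        print(dst, "->", egress_interface(dst, SPLIT_TUNNEL_ROUTES))
```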
08-08-2014 12:21 PM
I was able to get this to work, the traffic split between VPN and local internet access...realized I was using the wrong next hop address for my internet traffic
08-08-2014 12:31 PM
Thanks for the update.