02-18-2021 10:57 AM
Hello there.
So there are 2 ways to perform what want to do.
2 ISPs = 2 virtual routers, which is a single default gateway/route per virtual router.
1) Willthe policy based routing work in this scenarios ?
PBF is used to SUPERSEDE the routing table, to ignore it.. and follow the PBF rules.
So... if you only have a single virtual router, then you would need a PBF rule, to tell the guest wireless to ignore the existing default gateway.
If you have 2 virtual routers, then the "guest wireless virtual router" would be different that your "corporate network" and because of this, NO need to use PBF. You would WANT your guests to get an address with a dg of 10.25.x.1, whose on default gateway is 10.25.x.2...
2) I assume I can forward the same traffic out the same sub-interfaces ?
Yes, you can route whatever traffic you want, and engineer the firewall do to your bidding. 😛
3) Also if I performed the NAT on the Palo Alto before routing out to ISP over a private network is that acceptable from security point of view ?
Perfectly acceptable to use to use security policies and NAT policies on your FW.
Now, are you planning to use SrcNAT or DestNAT (you did not state the specifics)
Remember that security polices for DNAT rules follow "Pre/Post/Pre" or PreNat SRC Zone, POST Nat DestZone, PRENAT Public IP (because we do not NAT until AFTER the security policy approves the traffic is permitted)
Thanks
What other questions can we answer for you?
