Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who rated this post

Cyber Elite
Cyber Elite

Hello there.


So there are 2 ways to perform what want to do.


2 ISPs = 2 virtual routers, which is a single default gateway/route per virtual router.


1) Willthe policy based routing work in this scenarios ?

PBF is used to SUPERSEDE the routing table, to ignore it.. and follow the PBF rules.

So... if you only have a single virtual router, then you would need a PBF rule, to tell the guest wireless to ignore the existing default gateway.

If you have 2 virtual routers, then the "guest wireless virtual router" would be different that your "corporate network" and because of this, NO need to use PBF.  You would WANT your guests to get an address with a dg of 10.25.x.1, whose on default gateway is 10.25.x.2... 


2) I assume I can forward the same traffic out the same sub-interfaces ?

Yes, you can route whatever traffic you want, and engineer the firewall do to your bidding.  😛



3) Also if I performed the NAT on the Palo Alto before routing out to ISP over a private network is that acceptable from security point of view ?

Perfectly acceptable to use to use security policies and NAT policies on your FW.

Now, are you planning to use SrcNAT or DestNAT (you did not state the specifics)


Remember that security polices for DNAT rules follow "Pre/Post/Pre" or PreNat SRC Zone,  POST Nat DestZone, PRENAT Public IP (because we do not NAT until AFTER the security policy approves the traffic is permitted)




What other questions can we answer for you?

Help the community: Like helpful comments and mark solutions

View solution in original post

Who rated this post