GWLB deployment challenge
Dear Team,

I need a suggestion before going for deployment on GWLB with PA series.

Requirement:

Two PA VM-Series in AWS behind a GWLB, say PA 01 and PA 02.

I want to configure IPsec with Site A only with PA 01, and the tunnel with Site B only with PA 02.

Is there a way to achieve this? If yes, then what will be the outbound flow from inside the VPC to Site A?

I am attaching a diagram to explain what I want to achieve.

Also, if I configure the same IPsec on both PA series and traffic is intended only for Site A, will the GWLB forward it to both PAs and result in packet drops?

Please suggest.

 


Hi @Doyenadmin,

Q: Also, if I configure the same IPsec on both PA series and traffic is intended only for Site A, will the GWLB forward it to both PAs and result in packet drops?

A: I believe that is correct. GWLB will send traffic to the PAN FWs in round robin, so it may send traffic for tunnel A to PA02, which will effectively drop it (or route it in the clear following the default route to the IGW).

A better option would be to build tunnels to A and B from both PA01 and PA02 (PA01 will have two tunnels, one to A and one to B; the same for PA02). You will need to apply source NAT when traffic is sent over the tunnel, so the remote site can route traffic back to the correct firewall and keep the session on the same member.

If you really want to achieve exactly what you describe, in my humble opinion the only way would be to use an additional interface on each firewall:

1. Create an additional interface on each firewall.

2. Create a specific route in the routing table for each TGW attachment, for the tunnel A subnet, pointing to the PA01 new network interface (ENI).

3. Create a specific route in the routing table for each TGW attachment, for the tunnel B subnet, pointing to the PA02 new network interface (ENI).

4. Create a routing table for the new ENIs with the default pointing to the TGW (for the return traffic).

Note that you will need an EC2 type that supports at least 4 NICs - https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-performance-capacity/vm-series-performance... (one mgmt, one GWLB, one IGW and one for the tunnel traffic).

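The four routing steps in the reply above, checked as an added example that is not part of the original post and is not Palo Alto Networks or AWS code: a small Python model of the two route tables the reply describes. The CIDRs, the ENI/endpoint/TGW identifiers and the spoke address are constructed assumptions. The resolver applies longest-prefix match, the same rule a VPC route table uses, so you can confirm before deploying that Site A traffic lands only on PA01's tunnel ENI, Site B traffic only on PA02's, everything else still goes to the GWLB endpoint, and the tunnel-ENI subnet sends return traffic back to the TGW. A flat table with only a default route is included to show the case the reply warns about: without the specific routes, Site A traffic is handed to the GWLB and may reach either firewall.

```python
"""Route-table sanity check for the 'dedicated ENI per tunnel' design.

Added example, not from the original post, Palo Alto Networks or AWS.
All prefixes and identifiers below are constructed assumptions.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed values: none of these CIDRs or IDs come from the thread.
SITE_A = "10.10.0.0/16"        # prefix behind the Site A tunnel (assumed)
SITE_B = "10.20.0.0/16"        # prefix behind the Site B tunnel (assumed)
VPC_CIDR = "172.16.0.0/16"     # security VPC (assumed)

PA01_TUNNEL_ENI = "eni-pa01-tunnel"   # hypothetical ENI of PA01's 4th NIC
PA02_TUNNEL_ENI = "eni-pa02-tunnel"   # hypothetical ENI of PA02's 4th NIC
GWLB_ENDPOINT = "vpce-gwlb"           # hypothetical GWLB endpoint
TGW = "tgw-hub"                       # hypothetical transit gateway

RouteTable = List[Tuple[str, str]]    # (destination CIDR, target)

# Steps 2 and 3: route table attached to each TGW attachment subnet.
# The two specific routes pin each site's traffic to one firewall;
# everything else still flows through the GWLB endpoint as before.
TGW_ATTACHMENT_RT: RouteTable = [
    (VPC_CIDR, "local"),
    (SITE_A, PA01_TUNNEL_ENI),
    (SITE_B, PA02_TUNNEL_ENI),
    ("0.0.0.0/0", GWLB_ENDPOINT),
]

# Step 4: route table for the subnet holding the new tunnel ENIs.
# Traffic arriving from the tunnels is returned to the TGW.
TUNNEL_ENI_RT: RouteTable = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", TGW),
]

# The original (flat) design: only a default route via the GWLB.
FLAT_RT: RouteTable = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", GWLB_ENDPOINT),
]


def resolve(table: RouteTable, dst: str) -> str:
    """Return the target of the most specific route matching dst
    (longest-prefix match, as a VPC route table evaluates routes)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    if best is None:
        raise LookupError(f"no route for {dst}")
    return best[1]


def next_hop_from_tgw(dst: str) -> str:
    """Where a packet entering via a TGW attachment subnet is sent."""
    return resolve(TGW_ATTACHMENT_RT, dst)


def next_hop_flat(dst: str) -> str:
    """Same packet under the flat design (no per-site routes)."""
    return resolve(FLAT_RT, dst)


def return_hop_from_tunnel_eni(dst: str) -> str:
    """Where a packet arriving from a tunnel, via the new ENI, is sent."""
    return resolve(TUNNEL_ENI_RT, dst)


def check_design() -> Dict[str, str]:
    """Resolve representative flows and verify each site's traffic lands
    on exactly the firewall that terminates that site's tunnel."""
    results = {
        "to_site_a": next_hop_from_tgw("10.10.5.5"),
        "to_site_b": next_hop_from_tgw("10.20.7.7"),
        "to_internet": next_hop_from_tgw("8.8.8.8"),
        "flat_to_site_a": next_hop_flat("10.10.5.5"),
        "return_to_spoke": return_hop_from_tunnel_eni("192.168.1.10"),
    }
    assert results["to_site_a"] == PA01_TUNNEL_ENI
    assert results["to_site_b"] == PA02_TUNNEL_ENI
    assert results["to_internet"] == GWLB_ENDPOINT
    # Flat design: Site A traffic goes to the GWLB, which may pick PA02.
    assert results["flat_to_site_a"] == GWLB_ENDPOINT
    assert results["return_to_spoke"] == TGW
    return results


if __name__ == "__main__":
    for flow, hop in check_design().items():
        print(f"{flow:16s} -> {hop}")
```

The model covers only the inner (pre-encapsulation) routing decision; the IPsec outer packets leave through each firewall's IGW-facing interface, which is why the reply counts four NICs. The spoke address used for the return-path check is a constructed example of a prefix reachable only via the TGW.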