GWLB deployment challenge

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GWLB deployment challenge

L3 Networker

Dear Team,

 

I need a suggestion before going for deployment on GWLB with PA series.

 

Requirement:

 

2 PA VM series in aws behind GWLB, say PA 01 and PA 02,

 

I want to configure IPsec with Site A but only with PA 01 and Tunnel with Site B only with PA 02.

 

is there a way to achieve this, if yes then what will be the outbound flow from inside VPC to Site A.

 

I am attaching a diagram to explain what i want to achieve.

 

Also If i will be configuring same IPsec on both the PA series and if traffic is intended only for Site A the GWLB will forward it to both PA and it will result in packet drop ?

 

Please suggest.

 

1 REPLY 1

Hi @Doyenadmin ,

 

Q: Also If i will be configuring same IPsec on both the PA series and if traffic is intended only for Site A the GWLB will forward it to both PA and it will result in packet drop ?

A: I believe that is correct. GWLB will send traffic to PAN FWs in round robin, so it may send traffic for tunnelA to PA02, which will effectively droppe it (or route it in clear following default route to IGW).

 

Better option would be to build tunnels to A and B from PA01 and PA02 (PA01 will have two tunnels, one to A and one to B, same will be for PA02). You will need to apply source NAT when traffic is sent over the tunnel to remote site can route traffic back to the correct firewall and keep session on the same memer.

 

If you really want to achieve what you want. In my humble opinion the only way would be to use additional interface on each firewall.

1. Create additional interface on each firewall

2. Create specific route in the routing table for each TGW attachment, for tunnelA subnet, pointing to PA01 new network interface (ENI)

3. Create specifc route in the routing table for each TGW attachment, for tunnelB subnet, pointing to PA02 new network interface (ENI)

4. Create routing table for the new ENIs with default poining to TGW (for the return traffic)

 

Note that you will need EC2 type that support at least 4 nics - https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-performance-capacity/vm-series-performance...
(one mgmt, one GWLB, one IGW and one for the tunnel traffic.

  • 950 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!