03-11-2017 11:36 AM
Hi,
I have to configure Inter vsys Routing where the traffic has to leave the firewall fromone vsys and enter into another Vsys. I am not able to find any documention on this scenario. I have already configured and tested the communication between vsys that will not leave the firewall but stuck on where traffic should leave the firewall.
If I have a Internet Vsys and a Datacenter Vsys I will take a cable from Inet Vsys interface and connect to DC Vsys interface for physicall connectivity now the question is about routing do I need to configure static routing on both the vsys and I believe it wont be towards the VR's of each other then how the routes would be configured towards the physical interfaces ? and both the VR's will see all the routes of each other ?
Thanks
03-12-2017 03:56 AM - edited 03-12-2017 03:58 AM
Hi,
You can use a shared gateway as the shared interface as shared_untrust and created external zone as untrust zone for each vsys and make sure the visability use configured between the shared gateway and all the vsys.
The interesting part will be traffic from vsys1 to vsys2 you will see two sessions
session 1: trust-vsys1 to untrust (vsys1)
session 2: untrust (vsys2) to trust vsys2
If the traffic desintation is not vsys1 or vsys2. the session will trust-vsys1 to shared_untrust.
The down side of doing it this way is any intervsys traffic will handle ONLY by the data plane processors. The intervsys traffic will not be able to offload by the offloader. The data plane processors have very limited throughtput. (Depend on your appliance). That can cause the DP CPU to go to 100% and stay as long as the intervsys sessions are alive.
Check this link out, https://live.paloaltonetworks.com/t5/Learning-Articles/Differences-between-packets-in-slow-path-fast...
You may want to have a deep dive with your SEs/Reseller too..
03-11-2017 11:50 PM
Hi,
Thanks for the informative link. My question is what is the benefit we get by Inter-VSYS Traffic That Must Leave the Firewall over Inter-VSYS Traffic That Remains Within the Firewall as far as I understood we will not have External zones between Vsys if we send the traffic out of firewall. Is there any other benefit to send the traffic out and back again
03-12-2017 03:56 AM - edited 03-12-2017 03:58 AM
Hi,
You can use a shared gateway as the shared interface as shared_untrust and created external zone as untrust zone for each vsys and make sure the visability use configured between the shared gateway and all the vsys.
The interesting part will be traffic from vsys1 to vsys2 you will see two sessions
session 1: trust-vsys1 to untrust (vsys1)
session 2: untrust (vsys2) to trust vsys2
If the traffic desintation is not vsys1 or vsys2. the session will trust-vsys1 to shared_untrust.
The down side of doing it this way is any intervsys traffic will handle ONLY by the data plane processors. The intervsys traffic will not be able to offload by the offloader. The data plane processors have very limited throughtput. (Depend on your appliance). That can cause the DP CPU to go to 100% and stay as long as the intervsys sessions are alive.
Check this link out, https://live.paloaltonetworks.com/t5/Learning-Articles/Differences-between-packets-in-slow-path-fast...
You may want to have a deep dive with your SEs/Reseller too..
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
