Quantcast
Channel: Network – Weberblog.net
Viewing all articles
Browse latest Browse all 254

Policy Based Forwarding on a Palo Alto with different Virtual Routers

$
0
0
Palo Alto PBF w different VRs featured image

This guide is a little bit different to my other Policy Based Forwarding blog post because it uses different virtual routers for both ISP connections. This is quite common to have a distinct default route for both providers. So, in order to route certain traffic, e.g., http/https, to another ISP connection, policy based forwarding is used.

There are two documents from Palo Alto that give advises how to configure PBF.

I am using a PA-200 with PAN-OS 7.0.1. My lab is the following:

Palo Alto PBF with different VRs

(Note that, unlike Juniper ScreenOS, a zone is not tied to a virtual router. You actually can merge interfaces on different vrouters into the same zone. However, I prefer to configure an extra zone for each ISP to keep my security policies clearly separated.)

These are the configuration steps. See the descriptions under the screenshots for details:

Two virtual routers: default and untrust. The policy based forwarding configuration: Do not PBF private networks, but http/https to ethernet1/2. The "Forwarding" tab in detail. I am doing a source NAT for these connections. Of course, a security policy is needed, too. And a static route inside the untrust virtual router back to the default virtual router. This routes the client subnet back. The traffic log shows a few connections on ports 80/443 that egressed on interface 1/2 and were NATed.

Done.


Viewing all articles
Browse latest Browse all 254

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>