Solved

Palo Alto - Route traffic through a different gateway

Posted on 2014-09-22
12
Medium Priority
1,515 Views
Last Modified: 2014-11-18
I have a PA-500. I want to do a simple task but it seems difficult.
I want to have all traffic to one particular IP address routed to an IP address which is not the default gateway.
I have tried a static route in my virtual router but it is not working.
Is there any other config required?
0
Question by:nealerocks
12 Comments
 
LVL 30

Expert Comment

by:Predrag
ID: 40336139
Search documentation for Policy-based forwarding.
0
 
LVL 12

Author Comment

by:nealerocks
ID: 40336185
Tried that. Static route seems like a better idea. It's pretty easy to do on other devices.
0
 
LVL 12

Expert Comment

by:Ganesh Kumar A
ID: 40336266
In a Layer 3 deployment, the firewall routes traffic between ports. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic. Choose this option when routing is required.

You must assign an IP address to each physical Layer 3 interface you configure. You can also create logical subinterfaces for each physical Layer 3 interface that allows you to segregate the traffic on the interface based on VLAN tag (when VLAN trunking is in use) or by IP address, for example for multi-tenancy.

In addition, because the firewall must route traffic in a Layer 3 deployment, you must configure a virtual router. You can configure the virtual router to participate with dynamic routing protocols (BGP, OSPF, or RIP) as well as adding static routes. You can also create multiple virtual routers, each maintaining a separate set of routes that are not shared between virtual routers, enabling you to configure different routing behaviors for different interfaces.
0
 
LVL 12

Author Comment

by:nealerocks
ID: 40336284
I have an interface with an IP address and I have configured a virtual router. I have configured a static route in my virtual router and it is not working.
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40337098
I would advise against using PBF for this as it would probably cause unneeded CPU cycles. It is however a good last ditch effort as the PBF table will ALWAYS take priority over the virtual routers.

How many VRs do you have? Does this specific address overlap with any other routes? And you configured the IP in the format of x.x.x.x/32 in the route, correct?
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40337108
I can also confirm this is generally a super simple process on the PAN firewalls. I have around 30 clients with them and do this routinely.
0
 
LVL 12

Author Comment

by:nealerocks
ID: 40337941
It is usually super simple with other devices for me.
I only have one VR. The address I am trying to forward traffic to is on the same subnet as the LAN.
e.g. LAN address is 192.168.0.0/24. I want all traffic going to 10.0.0.250/24 to be forwarded to another router, which has the address 192.168.0.250.

I am using the x.x.x.x/32 format. Have tried static route with and without using the LAN interface.
0
 
LVL 10

Assisted Solution

by:Schuyler Dorsey
Schuyler Dorsey earned 1500 total points
ID: 40338199
So your VR static route has a destination of 10.0.0.250/24 with next hop 192.168.0.250.

What specifically does not work after you add this? Does traffic just not flow?

A thing worth noting is if you have an Explicit Deny rule at the end of your ACL, intra-zone traffic will be denied by default. E.g. traffic coming from the internal zone and going to the internal zone will be denied. I bring this up because your internal zone which has the network 192.168.0.0/24 contains the next hop of 192.168.0.250. So to allow this traffic to flow properly, you would need to create a new policy with source and destination zones both being your internal zone.
0
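The answer above describes two separate lookups the firewall performs: the virtual router's route lookup picks the egress interface (and next hop 192.168.0.250), and the security policy is then matched on the zones of the ingress and egress interfaces, which is why a route whose next hop sits on the LAN turns the flow into trust-to-trust and hits an explicit any-any deny. The following Python model is an added example, not part of this thread or of PAN-OS; the interface names, zone names, addresses and rule names are constructed assumptions. It performs a longest-prefix-match route lookup, derives the zones, and evaluates the rulebase with and without the intra-zone allow rule recommended above:

```python
import ipaddress

# Constructed topology (assumption): a single virtual router with two Layer 3
# interfaces, each bound to a security zone. Addresses are illustrative only.
INTERFACES = {
    "ethernet1/1": {"ip": ipaddress.ip_interface("203.0.113.2/30"), "zone": "untrust"},
    "ethernet1/2": {"ip": ipaddress.ip_interface("192.168.0.1/24"), "zone": "trust"},
}

# Static routes as (destination, next hop, egress interface).
# strict=False turns the host-style "10.0.0.250/24" quoted in the thread into
# the network 10.0.0.0/24; for a single host the destination would be /32.
STATIC_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("203.0.113.1"), "ethernet1/1"),
    (ipaddress.ip_network("10.0.0.250/24", strict=False),
     ipaddress.ip_address("192.168.0.250"), "ethernet1/2"),
]

# Rulebase in order, ending with the "Explicit Deny" rule discussed above.
RULES = [
    {"name": "trust-to-untrust", "from": "trust", "to": "untrust", "action": "allow"},
    {"name": "explicit-deny", "from": "any", "to": "any", "action": "deny"},
]

# Same rulebase with the intra-zone rule the answer recommends, placed before the deny.
RULES_FIXED = [
    {"name": "trust-to-untrust", "from": "trust", "to": "untrust", "action": "allow"},
    {"name": "trust-to-trust", "from": "trust", "to": "trust", "action": "allow"},
    {"name": "explicit-deny", "from": "any", "to": "any", "action": "deny"},
]


def routing_table():
    """Connected routes derived from interface addresses plus the static routes."""
    connected = [(i["ip"].network, None, name) for name, i in INTERFACES.items()]
    return connected + STATIC_ROUTES


def lookup(dst):
    """Longest-prefix match. Returns (next_hop_as_str, egress_interface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, nh, iface in routing_table():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    if best is None:
        return None
    _net, nh, iface = best
    # A connected route forwards directly to the destination host itself.
    return (str(dst if nh is None else nh), iface)


def ingress_interface(src):
    """The interface whose connected network contains the source address."""
    src = ipaddress.ip_address(src)
    for name, i in INTERFACES.items():
        if src in i["ip"].network:
            return name
    return None


def evaluate(src, dst, rules=RULES):
    """Route the flow, derive zones from ingress/egress interfaces, match policy."""
    ingress = ingress_interface(src)
    route = lookup(dst)
    if ingress is None or route is None:
        return {"action": "drop", "reason": "no route or unknown ingress interface"}
    next_hop, egress = route
    src_zone = INTERFACES[ingress]["zone"]
    dst_zone = INTERFACES[egress]["zone"]
    verdict = {"from": src_zone, "to": dst_zone, "next_hop": next_hop, "egress": egress}
    for rule in rules:
        if rule["from"] in ("any", src_zone) and rule["to"] in ("any", dst_zone):
            return {**verdict, "action": rule["action"], "rule": rule["name"]}
    # PAN-OS default rules when nothing explicit matches: intra-zone traffic is
    # allowed, inter-zone traffic is denied.
    if src_zone == dst_zone:
        return {**verdict, "action": "allow", "rule": "intrazone-default"}
    return {**verdict, "action": "deny", "rule": "interzone-default"}


if __name__ == "__main__":
    for rules in (RULES, RULES_FIXED):
        print(evaluate("192.168.0.10", "10.0.0.250", rules))
```

Running it shows the same route decision both times (next hop 192.168.0.250 out of ethernet1/2, so trust to trust), but the verdict flips from the explicit deny to the trust-to-trust allow once that rule precedes the deny. Note that the explicit deny only bites because it is broader than the built-in intrazone-default rule; without it, the model falls through to the implicit intra-zone allow.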
 
LVL 12

Author Comment

by:nealerocks
ID: 40338235
Yeah the static route is configured in that way. I will check the firewall now.
0
 
LVL 12

Accepted Solution

by:nealerocks
nealerocks earned 0 total points
ID: 40338323
The PA was configured correctly. The device at the other end was the issue. Thanks for the assistance.
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40338327
No problem. Great to hear it is working!
0
 
LVL 12

Author Closing Comment

by:nealerocks
ID: 40449393
The problem was not on the PA but elsewhere on the network.
0
