Solved

Palo Alto - Route traffic through a different gateway

Posted on 2014-09-22
1,146 Views
Last Modified: 2014-11-18
I have a PA-500. I want to do a simple task but it seems difficult.
I want to have all traffic to one particular IP address routed to an IP address which is not the default gateway.
I have tried a static route in my virtual router but it is not working.
Is there any other config required?
Question by:nealerocks
12 Comments
 
Expert Comment by Predrag Jovic (LVL 27), ID: 40336139
Search documentation for Policy-based forwarding.
 
Author Comment by nealerocks (LVL 12), ID: 40336185
Tried that. Static route seems like a better idea. It's pretty easy to do on other devices.
 
Expert Comment by Ganesh Kumar A (LVL 11), ID: 40336266
In a Layer 3 deployment, the firewall routes traffic between ports. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic. Choose this option when routing is required.

You must assign an IP address to each physical Layer 3 interface you configure. You can also create logical subinterfaces for each physical Layer 3 interface that allows you to segregate the traffic on the interface based on VLAN tag (when VLAN trunking is in use) or by IP address, for example for multi-tenancy.

In addition, because the firewall must route traffic in a Layer 3 deployment, you must configure a virtual router. You can configure the virtual router to participate with dynamic routing protocols (BGP, OSPF, or RIP) as well as adding static routes. You can also create multiple virtual routers, each maintaining a separate set of routes that are not shared between virtual routers, enabling you to configure different routing behaviors for different interfaces.
 
Author Comment by nealerocks (LVL 12), ID: 40336284
I have an interface with an IP address and I have configured a virtual router. I have configured a static route in my virtual router and it is not working.
 
Expert Comment by Schuyler Dorsey (LVL 10), ID: 40337098
I would advise against using PBF for this as it would probably cause unneeded CPU cycles. It is however a good last ditch effort as the PBF table will ALWAYS take priority over the virtual routers.

How many VRs do you have? Does this specific address overlap with any other routes? And you configured the IP in the format of x.x.x.x/32 in the route, correct?
 
Expert Comment by Schuyler Dorsey (LVL 10), ID: 40337108
I can also confirm this is generally a super simple process on the PAN firewalls. I have around 30 clients with them and do this routinely.
 
Author Comment by nealerocks (LVL 12), ID: 40337941
It is usually super simple with other devices for me.
I only have one VR. The address I am trying to forward traffic to is on the same subnet as the LAN.
e.g. LAN address is 192.168.0.0/24. I want all traffic going to 10.0.0.250/24 to be forwarded to another router which has the address of 192.168.0.250.

I am using the x.x.x.x/32 format. Have tried static route with and without using the LAN interface.
 
Assisted Solution by Schuyler Dorsey (LVL 10), earned 500 total points, ID: 40338199
So your VR static route has a destination of 10.0.0.250/24 with next hop 192.168.0.250.

What specifically does not work after you add this? Does traffic just not flow?

A thing worth noting is if you have an Explicit Deny rule at the end of your ACL, intra-zone traffic will be denied by default. E.g. traffic coming from the internal zone and going to the internal zone will be denied. I bring this up because your internal zone which has the network 192.168.0.0/24 contains the next hop of 192.168.0.250. So to allow this traffic to flow properly, you would need to create a new policy with source and destination zones both being your internal zone.
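The two pieces Schuyler describes (the static route in the virtual router and an explicit intra-zone allow rule), written out as PAN-OS CLI set commands. This is an added example, not configuration from the thread; the virtual router name `default`, the zone name `trust`, the LAN interface `ethernet1/2`, the sample client `192.168.0.10`, and the route/rule names are assumptions, and the `/24` from the question is written as its network address `10.0.0.0/24`. Lines starting with `#` are commentary for the reader, not CLI input.

```text
# Configuration mode (assumed VR "default", zone "trust", LAN interface ethernet1/2)
configure

# Static route: send the 10.0.0.0/24 network to the second router on the LAN.
# For a single host only, use destination 10.0.0.250/32 instead.
set network virtual-router default routing-table ip static-route to-second-router destination 10.0.0.0/24 interface ethernet1/2 nexthop ip-address 192.168.0.250 metric 10

# Intra-zone rule: the next hop 192.168.0.250 is in the same zone as the LAN
# clients, so an explicit deny-all at the end of the rulebase would otherwise
# drop trust-to-trust traffic. Narrow "destination" to 10.0.0.0/24 if you prefer.
set rulebase security rules allow-lan-to-lan from trust to trust source any destination any application any service application-default action allow

commit
exit

# Verification (operational mode):
# 1. Which FIB entry is chosen for the destination host
test routing fib-lookup virtual-router default ip 10.0.0.250
# 2. Which security rule a LAN client reaching that host would match (TCP/443)
test security-policy-match from trust to trust source 192.168.0.10 destination 10.0.0.250 protocol 6 destination-port 443
# 3. The VR's full routing table, to confirm the static route is installed
show routing route
```

Read the two test commands together: if the FIB lookup returns the default route rather than `to-second-router`, the route is the problem (typically a mask or interface mismatch); if it returns the static route but the policy match shows a deny, the rulebase is. If both look right on the firewall, as happened in this thread, the remaining suspect is the device at 192.168.0.250, which needs its own path back to 192.168.0.0/24 (the thread does not say what was wrong on that side).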
 
Author Comment by nealerocks (LVL 12), ID: 40338235
Yeah the static route is configured in that way. I will check the firewall now.
 
Accepted Solution by nealerocks (LVL 12), earned 0 total points, ID: 40338323
The PA was configured correctly. The device at the other end was the issue. Thanks for the assistance.
 
Expert Comment by Schuyler Dorsey (LVL 10), ID: 40338327
No problem. Great to hear it is working!
 
Author Closing Comment by nealerocks (LVL 12), ID: 40449393
The problem was not on the PA but elsewhere on the network.