Solved

Palo Alto - Route traffic through a different gateway

Posted on 2014-09-22
Last Modified: 2014-11-18
I have a PA-500. I want to do a simple task but it seems difficult.
I want to have all traffic to one particular IP address routed to an IP address which is not the default gateway.
I have tried a static route in my virtual router but it is not working.
Is there any other config required?
Question by:nealerocks
12 Comments
Expert Comment by Predrag Jovic (ID: 40336139)
Search documentation for Policy-based forwarding.

Author Comment by nealerocks (ID: 40336185)
Tried that. Static route seems like a better idea. It's pretty easy to do on other devices.

Expert Comment by Ganesh Kumar A (ID: 40336266)
In a Layer 3 deployment, the firewall routes traffic between ports. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic. Choose this option when routing is required.

You must assign an IP address to each physical Layer 3 interface you configure. You can also create logical subinterfaces for each physical Layer 3 interface that allows you to segregate the traffic on the interface based on VLAN tag (when VLAN trunking is in use) or by IP address, for example for multi-tenancy.

In addition, because the firewall must route traffic in a Layer 3 deployment, you must configure a virtual router. You can configure the virtual router to participate with dynamic routing protocols (BGP, OSPF, or RIP) as well as adding static routes. You can also create multiple virtual routers, each maintaining a separate set of routes that are not shared between virtual routers, enabling you to configure different routing behaviors for different interfaces.
Author Comment by nealerocks (ID: 40336284)
I have an interface with an IP address and I have configured a virtual router. I have configured a static route in my virtual router and it is not working.

Expert Comment by Schuyler Dorsey (ID: 40337098)
I would advise against using PBF for this as it would probably cause unneeded CPU cycles. It is however a good last ditch effort as the PBF table will ALWAYS take priority over the virtual routers.

How many VRs do you have? Does this specific address overlap with any other routes? And you configured the IP in the format of x.x.x.x/32 in the route, correct?

Expert Comment by Schuyler Dorsey (ID: 40337108)
I can also confirm this is generally a super simple process on the PAN firewalls. I have around 30 clients with them and do this routinely.

Author Comment by nealerocks (ID: 40337941)
It is usually super simple with other devices for me.
I only have one VR. The address I am trying to forward traffic to is on the same subnet as the LAN.
e.g. LAN address is 192.168.0.0/24. I want all traffic going to 10.0.0.250/24 to be forwarded to another router which has the address of 192.168.0.250.

I am using the x.x.x.x/32 format. Have tried static route with and without using the LAN interface.

Assisted Solution by Schuyler Dorsey (earned 500 total points; ID: 40338199)
So your VR static route has a destination of 10.0.0.250/24 with next hop 192.168.0.250.

What specifically does not work after you add this? Does traffic just not flow?

A thing worth noting is if you have an Explicit Deny rule at the end of your ACL, intra-zone traffic will be denied by default. E.g. traffic coming from the internal zone and going to the internal zone will be denied. I bring this up because your internal zone which has the network 192.168.0.0/24 contains the next hop of 192.168.0.250. So to allow this traffic to flow properly, you would need to create a new policy with source and destination zones both being your internal zone.

Author Comment by nealerocks (ID: 40338235)
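The configuration described in the comment above (a /32 host route in the virtual router plus a trust-to-trust security rule placed ahead of an explicit deny-all), written out as PAN-OS CLI, followed by the operational commands used to check it. This is an added example, not configuration from the thread or from Palo Alto Networks documentation. The interface name ethernet1/2, the interface address 192.168.0.1/24, the zone name trust, the virtual router name default, the rule names, the name deny-all for the existing explicit deny rule, and the test host 192.168.0.10 are all assumptions; substitute the names from your own config.

```text
# --- configure mode (all names below are assumed, see lead-in) ---
configure

# Layer 3 LAN interface, attached to the virtual router and to the "trust" zone
set network interface ethernet1/2 layer3 ip 192.168.0.1/24
set network virtual-router default interface ethernet1/2
set zone trust network layer3 ethernet1/2

# Host route: ONLY 10.0.0.250 goes to the other router (192.168.0.250);
# a /32 is the longest possible prefix, so it wins over the default route
# without capturing the rest of 10.0.0.0/24.
set network virtual-router default routing-table ip static-route to-10.0.0.250 destination 10.0.0.250/32
set network virtual-router default routing-table ip static-route to-10.0.0.250 nexthop ip-address 192.168.0.250
set network virtual-router default routing-table ip static-route to-10.0.0.250 interface ethernet1/2
set network virtual-router default routing-table ip static-route to-10.0.0.250 metric 10

# The packet enters from the trust zone and leaves through the same trust
# interface, so an explicit deny-all at the bottom of the rulebase drops it.
# Add a trust -> trust rule scoped to the one destination and move it above
# the deny rule (assumed to be named "deny-all").
set rulebase security rules allow-trust-to-10.0.0.250 from trust to trust source any destination 10.0.0.250 application any service any action allow
set rulebase security rules allow-trust-to-10.0.0.250 log-end yes
move rulebase security rules allow-trust-to-10.0.0.250 before deny-all

commit
exit

# --- operational mode: verify routing and policy ---
# The static route must show as active in the routing table
show routing route virtual-router default
# Confirm the FIB picks 192.168.0.250 via ethernet1/2 for this destination
test routing fib-lookup virtual-router default ip 10.0.0.250
# Confirm which rule a trust -> trust flow to the target would hit
test security-policy-match from trust to trust source 192.168.0.10 destination 10.0.0.250 protocol 6 destination-port 443
# Watch the live session while a host generates traffic
show session all filter destination 10.0.0.250
```

If the fib-lookup returns 192.168.0.250 and the policy match returns allow-trust-to-10.0.0.250, the PA side is doing what was asked and the remaining suspects are off-box, which is where this thread ended up. One thing to keep in mind with this topology: the next hop 192.168.0.250 sits in the same subnet as the LAN hosts, so if that router answers a host directly rather than through the PA, the firewall only ever sees the client-to-server half of the flow; the session filter above is the quickest way to notice that, because the server-to-client counters stay at zero.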
Yeah the static route is configured in that way. I will check the firewall now.

Accepted Solution by nealerocks (earned 0 total points; ID: 40338323)
The PA was configured correctly. The device at the other end was the issue. Thanks for the assistance.

Expert Comment by Schuyler Dorsey (ID: 40338327)
No problem. Great to hear it is working!

Author Closing Comment by nealerocks (ID: 40449393)
The problem was not on the PA but elsewhere on the network.