Solved

Palo Alto - Route traffic through a different gateway

Posted on 2014-09-22
12
1,341 Views
Last Modified: 2014-11-18
I have a PA-500. I want to do a simple task but it seems difficult.
I want to have all traffic to one particular IP address routed to an IP address which is not the default gateway.
I have tried a static route in my virtual router but it is not working.
Is there any other config required?
0
Comment
Question by:nealerocks
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
12 Comments
 
LVL 29

Expert Comment

by:Predrag Jovic
ID: 40336139
Search documentation for Policy-based forwarding.
0
 
LVL 12

Author Comment

by:nealerocks
ID: 40336185
Tried that. Static route seems like a better idea. Its pretty easy to do on other devices.
0
 
LVL 12

Expert Comment

by:Ganesh Kumar A
ID: 40336266
In a Layer 3 deployment, the firewall routes traffic between ports. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic. Choose this option when routing is required.

You must assign an IP address to each physical Layer 3 interface you configure. You can also create logical subinterfaces for each physical Layer 3 interface that allows you to segregate the traffic on the interface based on VLAN tag (when VLAN trunking is in use) or by IP address, for example for multi-tenancy.

In addition, because the firewall must route traffic in a Layer 3 deployment, you must configure a virtual router. You can configure the virtual router to participate with dynamic routing protocols (BGP, OSPF, or RIP) as well as adding static routes. You can also create multiple virtual routers, each maintaining a separate set of routes that
are not shared between virtual routers, enabling you to configure different routing behaviors for different interfaces.
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
LVL 12

Author Comment

by:nealerocks
ID: 40336284
I have an interface with an IP address and I have configured a virtual router. I have configured a static route in my virtual router and it is not working.
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40337098
I would advise against using PBF for this as it would probably cause unneeded CPU cycles. It is however a good last ditch effort as the PBF table will ALWAYS take priority over the virtual routers.

How many VR's do you have? Does this specific address overlap with any other routes? And you configured the ip in the format of x.x.x.x/32 in the route, correct?
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40337108
I can also confirm this is generally a super simple process on the PAN firewalls. I have around 30 clients with them and do this routinely.
0
 
LVL 12

Author Comment

by:nealerocks
ID: 40337941
It is usually super simple with other devices for me.
I only have one VR. The address I am trying to forward traffic to is on the same subnet as the LAN.
eg. Lan address is 192.168.0.0/24 I want all traffic going to 10.0.0.250/24 to be forwarded to another router which has the address of 192.168.0.250

I am using the x.x.x.x/32 format. Have tried static route with and without using the LAN interface.
0
 
LVL 10

Assisted Solution

by:Schuyler Dorsey
Schuyler Dorsey earned 500 total points
ID: 40338199
So your VR static route has a destination of 10.0.0.250/24 with next hop 192.168.0.250.

What specifically does not work after you add this? Does traffic just not flow?

A thing worth noting is if you have an Explicit Deny rule at the end of your ACL, intra-zone traffic will be denied by default. E.g. traffic coming from the internal zone and going to the internal zone will be denied. I bring this up because your internal zone which has the network 192.168.0.0/24 contains the next hop of 192.168.0.250. So to allow this traffic to flow properly, you would need to create a new policy with source and destination zones both being your internal zone.
0
 
LVL 12

Author Comment

by:nealerocks
ID: 40338235
Yeah the static route is configured in that way. I will check the firewall now.
0
 
LVL 12

Accepted Solution

by:
nealerocks earned 0 total points
ID: 40338323
The PA was configured correctly. The device at the other end was the issue. Thanks for the assistance.
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40338327
No problem. Great to hear it is working!
0
 
LVL 12

Author Closing Comment

by:nealerocks
ID: 40449393
The problem was not on the PA but elsewhere on the network.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question