Solved

Palo Alto - Route traffic through a different gateway

Posted on 2014-09-22
1,220 Views
Last Modified: 2014-11-18
I have a PA-500. I want to do a simple task but it seems difficult.
I want to have all traffic to one particular IP address routed to an IP address which is not the default gateway.
I have tried a static route in my virtual router but it is not working.
Is there any other config required?
Question by:nealerocks
12 Comments
Expert Comment

by:Predrag Jovic
ID: 40336139
Search documentation for Policy-based forwarding.
Author Comment

by:nealerocks
ID: 40336185
Tried that. Static route seems like a better idea. It's pretty easy to do on other devices.
Expert Comment

by:Ganesh Kumar A
ID: 40336266
In a Layer 3 deployment, the firewall routes traffic between ports. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic. Choose this option when routing is required.

You must assign an IP address to each physical Layer 3 interface you configure. You can also create logical subinterfaces for each physical Layer 3 interface that allows you to segregate the traffic on the interface based on VLAN tag (when VLAN trunking is in use) or by IP address, for example for multi-tenancy.

In addition, because the firewall must route traffic in a Layer 3 deployment, you must configure a virtual router. You can configure the virtual router to participate with dynamic routing protocols (BGP, OSPF, or RIP) as well as adding static routes. You can also create multiple virtual routers, each maintaining a separate set of routes that are not shared between virtual routers, enabling you to configure different routing behaviors for different interfaces.
Author Comment

by:nealerocks
ID: 40336284
I have an interface with an IP address and I have configured a virtual router. I have configured a static route in my virtual router and it is not working.
Expert Comment

by:Schuyler Dorsey
ID: 40337098
I would advise against using PBF for this as it would probably cause unneeded CPU cycles. It is however a good last ditch effort as the PBF table will ALWAYS take priority over the virtual routers.

How many VRs do you have? Does this specific address overlap with any other routes? And you configured the IP in the format of x.x.x.x/32 in the route, correct?
Expert Comment

by:Schuyler Dorsey
ID: 40337108
I can also confirm this is generally a super simple process on the PAN firewalls. I have around 30 clients with them and do this routinely.
Author Comment

by:nealerocks
ID: 40337941
It is usually super simple with other devices for me.
I only have one VR. The address I am trying to forward traffic to is on the same subnet as the LAN.
e.g. LAN address is 192.168.0.0/24; I want all traffic going to 10.0.0.250/24 to be forwarded to another router which has the address 192.168.0.250.

I am using the x.x.x.x/32 format. Have tried static route with and without using the LAN interface.
Assisted Solution

by:Schuyler Dorsey
Schuyler Dorsey earned 500 total points
ID: 40338199
So your VR static route has a destination of 10.0.0.250/24 with next hop 192.168.0.250.

What specifically does not work after you add this? Does traffic just not flow?

A thing worth noting is if you have an Explicit Deny rule at the end of your ACL, intra-zone traffic will be denied by default. E.g. traffic coming from the internal zone and going to the internal zone will be denied. I bring this up because your internal zone which has the network 192.168.0.0/24 contains the next hop of 192.168.0.250. So to allow this traffic to flow properly, you would need to create a new policy with source and destination zones both being your internal zone.
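For reference, here is the PAN-OS CLI equivalent of the setup discussed in this thread (the /32 host route plus the intrazone allow rule), added as an example and not taken from any of the posts above. The virtual router name "default", the LAN interface ethernet1/2, the zone name "trust", the rule and route names, and the sample host 192.168.0.10 are all assumptions.

```text
# Added example (not from the thread). Assumed names: virtual router "default",
# LAN interface ethernet1/2, security zone "trust". Sample values are constructed.
configure

# Host route for the single destination, using the /32 form the thread settles on.
# The next hop 192.168.0.250 must be reachable through a connected route
# (192.168.0.0/24 on ethernet1/2), otherwise the static route never installs.
set network virtual-router default routing-table ip static-route to-alt-router destination 10.0.0.250/32 interface ethernet1/2 nexthop ip-address 192.168.0.250 metric 10

# The flow enters from the LAN zone and leaves through the same zone (the next hop
# sits on the LAN subnet), so it is intrazone. If the rulebase ends with an explicit
# deny-all, add an allow rule scoped to this one destination rather than "any".
set rulebase security rules allow-trust-to-alt-router from trust to trust source any destination 10.0.0.250 application any service application-default action allow log-end yes

commit
exit

# Verification from operational mode:
# 1) confirm the /32 wins longest-prefix match over the default route
test routing fib-lookup virtual-router default ip 10.0.0.250
# 2) confirm which security rule a LAN host reaching that address would match
#    (192.168.0.10 is a constructed sample source; protocol 6 = TCP)
test security-policy-match from trust to trust source 192.168.0.10 destination 10.0.0.250 protocol 6 destination-port 443
```

If the FIB lookup already returns 192.168.0.250 as the next hop but traffic still fails, the firewall is doing its part and the problem is downstream, which is what the thread eventually concluded.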
Author Comment

by:nealerocks
ID: 40338235
Yeah the static route is configured in that way. I will check the firewall now.
Accepted Solution

by:
nealerocks earned 0 total points
ID: 40338323
The PA was configured correctly. The device at the other end was the issue. Thanks for the assistance.
Expert Comment

by:Schuyler Dorsey
ID: 40338327
No problem. Great to hear it is working!
Author Closing Comment

by:nealerocks
ID: 40449393
The problem was not on the PA but elsewhere on the network.