How to Set Up Shared Gateway and Inter VSYS
Resolution
Overview
Palo Alto Networks supports multiple virtual systems and communications between virtual systems to allow for the flexibility needed in many organizations. For the purposes of this document, two example virtual systems reflect that of a typical telecommuter who needs separate virtual firewalls for both work and home but where both virtual systems share a single external ISP connection, otherwise referred to as a shared gateway. Setup for both scenarios will be covered to show the sharing of the external ISP connection across both virtual systems, as well as the steps necessary to allow the two internal virtual systems (WORK_192 and HOME_10) to communicate with each other.
The purpose of this document is to show the tactical steps necessary to configure these features.
Logical Design:
Steps
Part 1: Virtual System and Shared Gateway Setup
- To begin, go to Device > Setup > General Settings and check to see if the Multi Virtual System Capability is enabled.
- The two internal interfaces ethernet1/2 (zone: WORK_192) and ethernet1/3 (zone: HOME_10) should each be configured into its own virtual system. Do not put the external interface (ethernet1/1; zone: SHARED_UNTRUST) into a vsys, as it will be set up as a shared gateway in step 4.
Note: Review the Logical Design in the Overview section for information on how the interfaces are configured for this document.
- To define the virtual systems, in the Device tab select Virtual Systems. Be sure to make each vsys visible to the other by configuring the Visible Virtual Systems column. For example, vsys1 (work) should see vsys2 (home) and vice versa.
- To add the Shared Gateway, select "Add" under Device > Shared Gateways and assign a name and ID. To add an interface to it, select the interface from Network > Interfaces and choose the Shared Gateway from the Virtual System menu. In this example, ethernet1/1 is the external interface; its IP address comes from the ISP and must be set accordingly.
- Verify the interfaces are properly set up by going to the Network tab and selecting Interfaces.
Network > Interfaces
- Each interface will participate in the same virtual router, in this case named All-Routes. Placing all zones in the same virtual router does not by itself allow communication to or from the shared gateway or between virtual systems; that is controlled by security policy, which is covered in step 8 and in the Part 2 section below.
Network > Virtual Router
A single default route to the next hop on the ISP is all that is set for the purposes of this document. If additional routes are needed, add them to this virtual router. Note that the virtual router is not a member of any virtual system, which the screenshot above reflects as none in the third column.
- Now create the external zones Home-to-Untrust and Work-to-Untrust by choosing Zones under the Network tab. These two external zones are for setting policy to allow or deny traffic from the internal zones (i.e. HOME_10 and WORK_192) to the SHARED_UNTRUST zone. They can be thought of as transit zones that move traffic off the internal zone to an external zone, in this case the shared gateway zone. It is important to set the type to External and also to define the zone to which the communication path is being set up.
- When setting policy, build rules to allow traffic from the internal networks out to the shared gateway on the untrusted side of the firewall. This is where the Home-to-Untrust and Work-to-Untrust zones come into play. In addition, NAT will need to be set on the Shared_External_GW virtual system that houses the SHARED_UNTRUST zone.
To set the policy, go to Policy > Security Policy. Make sure to choose the virtual system where you are setting the policy.
- As mentioned above, NAT will be set only on the Shared_External_GW virtual system. To configure a hide NAT where all hosts in the WORK_192 and HOME_10 zones use the shared gateway external interface (i.e. the external ISP address tied to ethernet1/1), go to NAT under the Policy tab. Make sure to choose the Shared_External_GW virtual system, as this is where all NAT is configured for this design. In this case, the source zone is set to 'any', since the concept is that all virtual systems share this external gateway. The following is a simple hide NAT that source-translates internal hosts to the external ISP IP address.
- To test, generate traffic from hosts in the WORK_192 and HOME_10 networks out to the Internet and observe the traffic in the traffic log (Monitor > Logs > Traffic).
Part 2: Inter-VSYS (Virtual System) Communication
The concept for inter-VSYS communication (communication between internal virtual systems) is similar to that of the shared gateway setup. For those virtual systems that need to communicate with each other, it is necessary to set up individual external zones and then set policy to allow this traffic.
- For inter-VSYS, the HOME_10 zone needs to be able to reach the WORK_192 zone and vice versa. So two new external zones need to be set up, and then policy created to control traffic between the zones. To set these zones up, go to the Network tab and choose Zones.
A view of all zones for both shared gateway and inter-VSYS communication:
- When setting policy, build rules to allow traffic between the zones. This is where the Home-to-Work and Work-to-Home external zones come into play. Traffic between hosts in these zones uses the external zones as the transit, so the external zones must be referenced in policy accordingly.
To set the policy, go to Policy > Security Policy. Make sure to choose the virtual system where you are setting the policy.
- To test, generate traffic from hosts in the WORK_192 and HOME_10 networks to opposite zones and monitor the traffic log for activity (Monitor > Logs > Traffic).
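The script below is added here as an illustration (it is not from Palo Alto Networks or from this article) and checks a saved configuration against the design rules of Part 1 and Part 2: the external interface is owned by the shared gateway and not by any vsys, each External-type transit zone names the shared gateway or a peer vsys, each internal zone has an allow rule to its transit zones, and NAT lives only on the shared gateway. The embedded config is constructed, and the element paths (vsys, shared-gateway, import, zone, rulebase) are assumed to follow the PAN-OS XML export layout; verify them against your own export before relying on the results.

```python
import xml.etree.ElementTree as ET
# Constructed PAN-OS-style config excerpt (assumed element layout, not a real device export).
SAMPLE = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><import><network><interface><member>ethernet1/2</member></interface></network></import><zone>
 <entry name="WORK_192"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
 <entry name="Work-to-Untrust"><network><external><member>sg1</member></external></network></entry>
 <entry name="Work-to-Home"><network><external><member>vsys2</member></external></network></entry></zone><rulebase><security><rules>
 <entry name="work-out"><from><member>WORK_192</member></from><to><member>Work-to-Untrust</member></to><action>allow</action></entry>
 <entry name="work-home"><from><member>WORK_192</member></from><to><member>Work-to-Home</member></to><action>allow</action></entry></rules></security></rulebase></entry>
<entry name="vsys2"><import><network><interface><member>ethernet1/3</member></interface></network></import><zone>
 <entry name="HOME_10"><network><layer3><member>ethernet1/3</member></layer3></network></entry>
 <entry name="Home-to-Untrust"><network><external><member>sg1</member></external></network></entry>
 <entry name="Home-to-Work"><network><external><member>vsys1</member></external></network></entry></zone><rulebase><security><rules>
 <entry name="home-out"><from><member>HOME_10</member></from><to><member>Home-to-Untrust</member></to><action>allow</action></entry>
 <entry name="home-work"><from><member>HOME_10</member></from><to><member>Home-to-Work</member></to><action>allow</action></entry></rules></security></rulebase></entry>
</vsys><shared-gateway><entry name="sg1"><import><network><interface><member>ethernet1/1</member></interface></network></import>
 <zone><entry name="SHARED_UNTRUST"><network><layer3><member>ethernet1/1</member></layer3></network></entry></zone><rulebase><nat><rules>
 <entry name="hide-nat"><from><member>any</member></from><to><member>SHARED_UNTRUST</member></to><source-translation><dynamic-ip-and-port>
 <interface-address><interface>ethernet1/1</interface></interface-address></dynamic-ip-and-port></source-translation></entry></rules></nat></rulebase>
</entry></shared-gateway></entry></devices></config>"""

def audit(xml_text):
    """Return findings where the config departs from the article's design; [] means it matches."""
    dev = ET.fromstring(xml_text).find("devices/entry")
    vsyses, sgs = dev.findall("vsys/entry"), dev.findall("shared-gateway/entry")
    sg_ifaces = {m.text for sg in sgs for m in sg.findall("import/network/interface/member")}
    findings = []
    for vs in vsyses:
        name, zones = vs.get("name"), vs.findall("zone/entry")
        # The ISP-facing interface is imported by the shared gateway, never by a vsys.
        for bad in {m.text for m in vs.findall("import/network/interface/member")} & sg_ifaces:
            findings.append(f"{name}: interface {bad} must belong to the shared gateway")
        internal = [z.get("name") for z in zones if z.find("network/layer3") is not None]
        external = {z.get("name"): z.findtext("network/external/member")
                    for z in zones if z.find("network/external") is not None}
        # Transit zones are type External and must name the shared gateway or a peer vsys.
        for zname, target in external.items():
            if target not in {e.get("name") for e in vsyses + sgs}:
                findings.append(f"{name}: external zone {zname} points at unknown '{target}'")
        # Traffic leaves the vsys only when policy allows internal zone -> transit zone.
        rules = vs.findall("rulebase/security/rules/entry")
        for src, dst in [(s, d) for s in internal for d in external]:
            if not any(r.findtext("action") == "allow" and src in {m.text for m in r.findall("from/member")}
                       and dst in {m.text for m in r.findall("to/member")} for r in rules):
                findings.append(f"{name}: no allow rule from {src} to {dst}")
        # Hide NAT is configured on the shared gateway only, never inside a vsys.
        if vs.find("rulebase/nat/rules/entry") is not None:
            findings.append(f"{name}: NAT rules belong on the shared gateway")
    return findings
```

Run `audit()` over the XML from your own configuration export; an empty list means the shared gateway, transit zones, policy and NAT placement all match the design described above.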
owner: jhess