GCP: Define service route using dataplane interface with DHCP

Created On 03/18/20 22:01 PM - Last Modified 04/04/20 00:04 AM


Symptom


  • Running a VM-Series firewall in Google Cloud Platform. The management interface is on a separate network from the data network. LDAP authentication is required, but the domain controllers are reachable only from the dataplane, not from the management plane.
  • When opening Service Routes to select a dataplane interface, no interface is listed. LDAP authentication traffic needs to be routed out of the dataplane interface.


Environment


  • Platform: PAN-OS
  • Deployment: VM-Series


Cause


  • Interfaces that obtain their address via DHCP cannot be selected directly as the source of a service route. A loopback interface can be used to work around this limitation.


Resolution


  • Alternatively, the dataplane interface can be configured with a static IP address that matches the "reserved static IP" assigned to that interface in GCP.
  1. The loopback IP cannot be the same as the interface IP (if they are in the same virtual router).
  2. This means that a NAT rule will have to be configured to source-NAT the traffic from the loopback to one of the interface IPs.
  3. Configure the loopback interface in zone L3-Untrust (the same interface/zone that connects to the internet).
     (Screenshot in the original article.)
  4. Change the service route for Palo Alto Networks Services to use this loopback.
     (Screenshot in the original article.)
  5. Create a NAT rule to make sure that the source IP of traffic from the loopback IP is changed to the IP of ethernet1/1 when it goes out the untrust interface.
     (Screenshot in the original article.)
  6. If you instead put the loopback interface in the trust zone, make sure there is a security rule allowing this traffic and that the traffic hits the correct source-translation rule so it can go out.
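The steps above can be applied from the PAN-OS CLI in configuration mode. The following Python helper is an added example, not Palo Alto Networks' own tooling or part of this article: it generates the `set` commands for the loopback, zone, virtual router, service route and source-NAT rule, and enforces the constraint from step 1 (the loopback IP must differ from the interface IP when both sit in the same virtual router). The names `loopback.1`, `L3-Untrust`, `ethernet1/1`, the virtual router `default`, the rule name `Loopback-SNAT` and the 10.x addresses are assumed values; the `ldap` service route is included alongside `paloalto-networks-services` because the symptom concerns LDAP authentication.

```python
"""Generate PAN-OS 'set' commands for the loopback-based service route
workaround (loopback in L3-Untrust, service route sourced from the loopback,
source NAT from the loopback IP to the ethernet1/1 address on egress).

Added example, not vendor tooling. Interface, zone, virtual-router and rule
names and all addresses are assumptions; adjust them for the firewall in use.
"""
import ipaddress


class ConfigError(ValueError):
    """Raised when the inputs would produce a configuration PAN-OS rejects."""


def validate(loopback_ip, interface_ip, same_vr=True):
    """Check the constraints behind the procedure.

    - Loopback and dataplane interface IPs must differ when they share a
      virtual router (step 1 of the resolution).
    - PAN-OS loopback addresses are host (/32) addresses.
    """
    lb = ipaddress.ip_interface(loopback_ip)
    eth = ipaddress.ip_interface(interface_ip)
    if same_vr and lb.ip == eth.ip:
        raise ConfigError(
            f"loopback IP {lb.ip} equals the interface IP; choose a distinct "
            "address outside the data subnet")
    if lb.network.prefixlen != lb.network.max_prefixlen:
        raise ConfigError("loopback address must be a host address (/32)")
    return lb, eth


def build_config(loopback_ip="10.255.255.1/32", interface_ip="10.0.1.5/24",
                 loopback="loopback.1", interface="ethernet1/1",
                 zone="L3-Untrust", vrouter="default",
                 services=("paloalto-networks-services", "ldap"),
                 nat_rule="Loopback-SNAT"):
    """Return the list of PAN-OS configuration-mode commands to enter."""
    lb, _eth = validate(loopback_ip, interface_ip)
    cmds = [
        # Step 3: loopback interface in the same zone and VR as ethernet1/1.
        f"set network interface loopback units {loopback} ip {lb.with_prefixlen}",
        f'set network interface loopback units {loopback} comment "service-route source"',
        f"set zone {zone} network layer3 {loopback}",
        f"set network virtual-router {vrouter} interface {loopback}",
    ]
    # Step 4: point each service route at the loopback (one node per command).
    for svc in services:
        cmds.append(f"set deviceconfig system route service {svc} "
                    f"source interface {loopback}")
        cmds.append(f"set deviceconfig system route service {svc} "
                    f"source address {lb.with_prefixlen}")
    # Step 5: source-NAT traffic leaving the loopback to the egress interface
    # address. With the loopback in L3-Untrust the rule is intrazone
    # (untrust to untrust), so the default intrazone security policy applies.
    cmds += [
        f"set rulebase nat rules {nat_rule} from {zone}",
        f"set rulebase nat rules {nat_rule} to {zone}",
        f"set rulebase nat rules {nat_rule} to-interface {interface}",
        f"set rulebase nat rules {nat_rule} source {lb.ip}",
        f"set rulebase nat rules {nat_rule} destination any",
        f"set rulebase nat rules {nat_rule} service any",
        f"set rulebase nat rules {nat_rule} source-translation "
        f"dynamic-ip-and-port interface-address interface {interface}",
    ]
    return cmds


if __name__ == "__main__":
    # Print the commands so they can be pasted into 'configure' mode,
    # followed by 'commit'.
    for line in build_config():
        print(line)
```

If the loopback is placed in the trust zone instead (step 6), the NAT rule becomes trust-to-untrust and an explicit security rule from the loopback's zone to L3-Untrust is required, since the default intrazone allow no longer applies.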

