GCP: Define service route using dataplane interface with DHCP

GCP: Define service route using dataplane interface with DHCP

3525
Created On 03/18/20 22:01 PM - Last Modified 04/04/20 00:04 AM


Symptom
  • Running a VM series in the Google cloud Platform. The management interface is on its own network from the data network. Want to setup LDAP authentication, However the domain controllers are available on the data plane not the management plane.  
  • When we go into Service Routes to select the data plane it's not showing any interface. Need to route LDAP auth out of the data plane interface.


Environment
  • Platform: PAN-OS
  • Deployment: VM-Series


Cause
  • Interfaces that are configured as DHCP cannot be used directly for service routes. You can leverage the use of a loopback interface to go around this limitation.


Resolution
  • Can set dataplane interface to use static IP address that corresponds to “reserved static IP” assigned to interface in GCP
  1. Loopback IP cannot be the same as the interface IP (if they are in the same virtual router)
  2. This means that a NAT rule will have to be configured to source nat the traffic from the loopback to one of the interface IPs
  3. Configure loopback interface in zone L3-Untrust (same interface/zone that connects to the internet)
User-added image
  1. Change service route for Palo Alto Networks Services to use this loopback.
User-added image
  1. Create NAT rule to make sure that the source IP of the traffic from the loopback IP gets changed to the IP of eth1/1 when it goes out to the untrust interface
User-added image
  1. If you instead put the loopback interface in the trust zone then make sure there is a security rule allowing this traffic and make sure the traffic hits the correct source translation rule to be able to go out.


Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP9uCAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments