Virtual Router configuration in Palo Alto firewall | Static routes | Routing protocols

Video Statistics and Information

Captions
Hello guys, welcome back once again. This is the GUI of a Palo Alto firewall, and today's topic is the Virtual Router. We will also learn how to configure static routes, and we can also go through how the routing protocols can be configured on the Palo Alto firewall.

So first let's try to understand why exactly we need a Virtual Router and why routing is required. You know very well that whenever we have any firewall, by default it has rules to deny or allow the traffic, right? So if the firewall has these rules, let us suppose this is a firewall and it has multiple interfaces on different networks: this one is 10.1.1.something, this interface is on 200.1.1.1.something, and the third interface could be like 100.1.1.1.something. Now we have a firewall policy to allow or deny the traffic on this one, so from this interface to this interface the traffic can be allowed or denied. But what about the routing? Because this is one network and this is another network, so how can this traffic be forwarded from one interface to another interface? This is really challenging; this cannot be done without the help of a router. It uses the same concept as we learned in the CCNA, that only a router can forward the traffic from one network to another network. That's why we will take the help of a router to forward the traffic from one interface or one network to another network.

So if you go to the firewall, let's go to the network interfaces. Let's select one of the interfaces here and see what options are available in the interface type. If I select the interface type here, you will observe that there are multiple options. The first option is tap, another one is HA, next is virtual wire. These three interfaces might be new to you; I will cover in the upcoming videos what they are in detail, by taking the example of these configurations. But layer 2 and layer 3 you might be familiar with, right? Whenever we talk about the layer 2 interface, that is basically a switch, and whenever we talk about the layer 3 interface, that is basically a router. So whenever we want to forward the traffic from one network to another network, we will configure the interface as a layer 3 interface, and at the same time we will take the help of a router. For this we have the option of virtual routers: we can create virtual routers inside our firewall and then use the same functionalities as a normal router has, and then our job is done, we are happy with it.

So what the Palo Alto firewall has done: by default they have given us a default router. If you go here in the virtual routers, you see you have an option of default. This is our default router, and in the previous configuration I have assigned these interfaces to the same default router. But what if you don't want to use this, maybe because of a security constraint or some other issues? In that case you can create a new Virtual Router here. You can click Add and give any name, like router1, and then you can assign interfaces. But as of now all the interfaces are used, so it does not have any in the drop-down. So what I'm going to do: I am just creating it but not adding any of the interfaces. Let me delete it here. So I'm creating the router with the name router1, but I'm not assigning any of the interfaces to this other instance of the Virtual Router, router1. Next we will commit it, but I'm not going to waste time in committing it.

Let's understand the concept of this default. First, I have taken a lab setup here. I will log in to this user1 and try to ping this router interface, and then, once this interface is reachable, we will try to ping this server. The IP addresses are as I have labeled them; I have this configuration here, so the IP address configuration is already done. Now our focus will be only on the routing.

So let's just check user1 here. I think the user1 IP address is not configured, so I will configure it: ip 172.16.1.1 255.255.255.0, and the subnet is 172.16.1.10. I think I have taken the reverse; let me cross-check. Yes, I have taken the reverse, so the IP address of the machine will be .10 and the default gateway will be 1.1. What I'm going to do now: I am going to ping this interface, 172.16.2.10. Just to remember, currently all these interfaces, 1/1, 1/2 and 1/3, are on the default Virtual Router. So I'm going to ping this interface, 172.16.2.10. Let's do it: 172.16.2.10. So it is reachable, there is no issue on this.

Let's check the routing table of our firewall. Go to the Palo Alto; the command is show routing route. If I check the routing route here, we see that there are three routes connected. The first one is 16.1.10, right, so 1.1. These are basically connected routes: whenever we have a flag C here, it means that they are connected, and this is also giving direct connectivity. It is also giving an option of H, which basically tells us it is a host-only flag. So whenever we have an entry, this can be treated as one combination. Similarly we have the information of the 2.0 network and the information of the 3.0 network. All three are directly connected: connected, connected and connected. If I go to the upper topology here, all these interfaces are directly connected, so that's why I am able to ping them. But there is no information about the network 192.168.1.00. If I try to ping this interface, or this network, or we can say this server, it will not be reachable, because our routing instance of the Palo Alto firewall does not have any information regarding this network. Let me try to check it: ping 192.168.1.100. It will not ping. Why will it not ping? Because our network doesn't have any information regarding that network.

So our traffic comes as usual; this is just a routing scenario. Our traffic is initiated from user1, it reaches the firewall, and from here it is confused: "I don't have any information regarding the 192 network; to which interface should I forward it?" It means that we should have a routing table or routing route information here. There are multiple ways: either we can configure a static route here, or we can run a routing protocol to tell this information. As of now I'm going to configure a static route in order to tell the Palo Alto firewall where our 192.168.1.100 network is. For that I will go to this default router. I click it here, I go to the static routes and I add a static route. The name I'm giving is like server one route. Destination: it can be a network or it can be a host, so I'm going to give it as a network, 192.168.1.0/24. Interface I'm giving none, so that's fine. Next hop IP address: the next hop IP address will be 192.168... no, no, sorry, 172.16.1.10. It should forward the traffic towards 1... sorry, 2.10. I will have to change this: it will forward the traffic towards 172.16.2.10. So this is very simple. If you have gone through the CCNA, this is simple routing; there's nothing firewall-specific involved in this one. The only thing is that the GUI is that of the Palo Alto firewall, that's it. The concept is as usual from the CCNA.

So the commit is successful. Let's try to ping now, and here we go, it is reachable. In fact we can try to ping 200 as well; that was the IP address of the server, and that should also be reachable. That's how it is.

Now another concept. At the same time, if we try to ping this interface, 172.16.3.10, it will be reachable. If I try to ping 172.16.3.10, it will be reachable as usual: although they are in a different zone, I have configured a policy to allow this communication. Now what I'm going to do: I am going to put this interface, ethernet 1/3, in a different Virtual Router. Currently they are in the default; 1/3 is in the default. I am going to remove it from the default and add it to router1. Though all are added to a Virtual Router, what happens is that the routing information of one Virtual Router is not shared with another one, so in this case the communication is not allowed. The commit is successful; let's check now. And that's how it is: the communication is stopped.

What if we add these two interfaces, ethernet 1/1 and 1/3, on the default router? That's what I'm going to do now. I will delete 1/2 as well... I think it was 1/2... 1/1. So I will remove 1/1 from here, delete it from the default one and add it to this. Now this communication will be back again. And why was it happening? Because the routing information of one Virtual Router is not shared with the other one. So this is like a security feature, or we can say segregation of the traffic from one to another. Or, if any of the Virtual Router instances goes down, it does not impact the other Virtual Router instances; they will keep running fine. If one of the Virtual Router instances is overloaded and has stopped working, another will not be impacted. So that's the benefit of segregation of the traffic. Or we can also do it for the purpose of convenience, so that all the services are not going through the same one.

So now the traffic will be allowed. Here we can check the routing as well: show routing route is the command we will give, and we can check the route that we have given, this route 192 168 one slash zero. Here it is, that's fine. Our focus was to ping it; I'm going to do that again, and here we go, we are back.

So that's it about these virtual routers. If you want to configure any of the routing protocols, you can go inside the virtual routers and then you can configure RIP, OSPF, OSPFv3 or BGP. If you are good in these protocols, you can easily configure them. There's nothing new in this one; this is just routing and switching, that's it. But only if you know it can you configure it; if you don't know, just keep your hands away from it.

So that's it, guys, from the virtual routers and the routing part. We will come up with more videos on the interface types, what they basically are, one by one, and we will take the lab demo as well for that. Thank you guys, see you soon in the next video.
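Added example (not part of the video and not Palo Alto code): a small Python model of the lab above, showing why moving an interface to another virtual router breaks reachability. Interface names, networks and the static route come from the captions; the data model and function names are constructed, and security policy is assumed to allow the traffic, as in the video.

```python
import ipaddress

# Lab values from the captions; the data model itself is constructed.
CONNECTED = {
    "ethernet1/1": "172.16.1.0/24",
    "ethernet1/2": "172.16.2.0/24",
    "ethernet1/3": "172.16.3.0/24",
}
# Static routes belong to one virtual router; only "default" has one here.
STATIC = {"default": [("192.168.1.0/24", "172.16.2.10")], "router1": []}


def build_table(vr, membership):
    """Routes a virtual router knows: its connected networks plus its statics."""
    table = [(ipaddress.ip_network(CONNECTED[i]), "connected " + i)
             for i, owner in membership.items() if owner == vr]
    table += [(ipaddress.ip_network(p), "static via " + hop)
              for p, hop in STATIC.get(vr, [])]
    return table


def lookup(ingress, dst, membership):
    """Longest-prefix match in the ingress interface's virtual router only."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, how) for net, how in build_table(membership[ingress], membership)
            if addr in net]
    if not hits:
        return None  # no route in this virtual router: packet is not forwarded
    return max(hits, key=lambda h: h[0].prefixlen)[1]


# The three stages walked through in the video.
ALL_DEFAULT = {i: "default" for i in CONNECTED}
E3_MOVED = {**ALL_DEFAULT, "ethernet1/3": "router1"}
E1_E3_MOVED = {**E3_MOVED, "ethernet1/1": "router1"}

if __name__ == "__main__":
    stages = [("all in default", ALL_DEFAULT), ("1/3 in router1", E3_MOVED),
              ("1/1 and 1/3 in router1", E1_E3_MOVED)]
    for name, membership in stages:
        for dst in ("172.16.3.10", "192.168.1.100"):
            print(f"{name:24} {dst:15} {lookup('ethernet1/1', dst, membership)}")
```

In the last stage the model returns no route for 192.168.1.100 from ethernet1/1: the static route stays in the default virtual router, so a route added to one virtual router has to be checked from the virtual router the traffic actually enters.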
Info
Channel: Fresh Developer
Views: 14,260
Keywords: Virtual Router, Static routes in palo alto, Virtual router in Palo Alto, Configuration of Virtual router, virtual router cration, create virtual router, Palo Alto, Firewall, Palo Alto firewall training
Id: Ue-Y0pHVN9U
Length: 16min 10sec (970 seconds)
Published: Thu Feb 09 2023