Shared Gateway and Inter Virtual System (VSYS) Setup on PAN-OS 4.0
Palo Alto Networks firewalls support multiple virtual systems and, with them, communication between virtual systems, which gives many organizations the flexibility they need. For the purposes of this document the two virtual systems represent a typical telecommuter who needs separate virtual firewalls for work and for home, but where both virtual systems share a single external ISP connection, otherwise referred to as a shared gateway.

Both scenarios are covered here: sharing the external ISP connection across both virtual systems, and the steps needed to let the two internal virtual systems (WORK_192 and HOME_10) communicate with each other. Additional detail on these concepts can be found in the tech brief that covers the topic, "Virtual Systems: Using and Configuring Palo Alto Networks Virtual Systems Functionality": http://www.paloaltonetworks.com//literature/techbriefs/Virtual_Systems.pdf

This document is intended to show the tactical steps needed to set these features up.
Logical Design (diagram)

Part 1: Virtual System and Shared Gateway Setup
1. To begin, make certain the device you are working on is properly licensed for virtual systems. All Palo Alto Networks models support virtual systems with the exception of the PA-500. To verify the license status of the unit, go to the Device tab and check that Multi Virtual System Capability is set to on.
2. The two internal interfaces, ethernet1/2 (zone: WORK_192) and ethernet1/3 (zone: HOME_10), should each be placed in its own virtual system. Do not put the external interface (ethernet1/1; zone: SHARED_UNTRUST) into a vsys, as it will be set up as a shared gateway in step 4. Review the Logical Design above for how the interfaces are set up for the purposes of this document.
3. To define the virtual systems, in the Device tab select Virtual Systems. Be sure to make each visible to the other in the Visible Virtual Systems column (i.e. vsys1 work can see vsys2 home and vice versa); a virtual system can only be the target of another virtual system's External zone (Part 2) if it is visible to it.
4. To add the Shared Gateway, in the Device tab choose Shared Gateway. In this example ethernet1/1 is the external interface with an IP address from the ISP and would need to be set accordingly.
5. Verify the interfaces are properly set up by going to the Network tab and selecting Interfaces.

Network → Interfaces (screenshot)
6. Each interface participates in the same virtual router, in this case named All-Routes. Placing all interfaces in the same virtual router provides routing only; it does not by itself allow communication to or from the shared gateway or between virtual systems. That is controlled by security policy and is covered in step 8.

Network → Virtual Router (screenshot)

A single default route to the next hop on the ISP is all that is set for the purposes of this document. If additional routes are needed, add them to this virtual router. Note that the virtual router is not a member of any virtual system; this is reflected in the third column of the screenshot above as none.
7. Now create the external zones Home-to-Untrust and Work-to-Untrust by choosing Zones in the Network tab. These two external zones are what policy is written against to allow or deny traffic from the internal zones (i.e. HOME_10 and WORK_192) to the SHARED_UNTRUST zone. They can effectively be regarded as transit zones: they move traffic off the internal zone to an external zone, in this case the shared gateway zone. It is important to set the type to External and also to select the virtual system or shared gateway (here the shared gateway) to which the communication path is being set up.
8. When setting policy, you will need to build rules in each virtual system to allow traffic from its internal network out to the shared gateway on the untrusted side of the firewall. This is where the Home-to-Untrust and Work-to-Untrust zones come into play: the rule in the work vsys goes from WORK_192 to Work-to-Untrust, and the rule in the home vsys from HOME_10 to Home-to-Untrust. In addition, NAT will need to be set on the Shared_External_GW virtual system that houses the SHARED_UNTRUST zone. To set the policy, go to the Policy tab → Security Policy. Make sure to choose the virtual system where you are setting the policy; rules are per virtual system, so a rule added under the wrong vsys does nothing for the traffic you intend.
9. As mentioned, NAT is set only on the Shared_External_GW virtual system. To configure a hide NAT where all hosts in the WORK_192 and HOME_10 zones use the shared gateway external interface (i.e. the external ISP address tied to ethernet1/1), go to NAT in the Policy tab. Make sure to choose the Shared_External_GW virtual system, as this is where all NAT is set up for this design. In this case the source zone is set to any, since the concept is that all virtual systems share this external gateway; what is allowed to reach the gateway at all is decided by each virtual system's security policy in step 8, not by the NAT rule. The following screenshot shows a simple hide NAT which source-translates internal hosts to the external ISP IP address.
10. To test, generate traffic from hosts in the WORK_192 and HOME_10 networks out to the Internet and observe it in the traffic log (Monitor → Logs: Traffic). Check that each session shows the expected source zone and transit zone (Work-to-Untrust or Home-to-Untrust) and the translated source address of ethernet1/1.
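Part 1 collected as one PAN-OS configure-mode CLI configuration. This is an added example, not material from the tech note, and the command paths are written from general knowledge of the PAN-OS CLI rather than copied from a 4.0 device, so check each with tab completion in configure mode before committing. Names follow the document (vsys1 = WORK_192, vsys2 = HOME_10, shared gateway Shared_External_GW, virtual router All-Routes); the shared-gateway object id sg1, the addresses 203.0.113.10/24 with next hop 203.0.113.1 on the ISP side, 192.168.1.1/24 for work and 10.0.0.1/24 for home, and the application list in the work rule are assumptions made for the example.

```text
# Added example: PAN-OS configure-mode CLI for Part 1 (not from the original tech note).
# Assumed values: sg1 (shared-gateway object id), 203.0.113.10/24 and next hop 203.0.113.1 (ISP),
# 192.168.1.1/24 (work LAN), 10.0.0.1/24 (home LAN). Verify each path with tab completion on your release.
configure

# Step 5: layer-3 interfaces
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.10/24
set network interface ethernet ethernet1/2 layer3 ip 192.168.1.1/24
set network interface ethernet ethernet1/3 layer3 ip 10.0.0.1/24

# Step 6: one virtual router for all three interfaces and a single default route to the ISP.
# The virtual router belongs to no vsys; it routes, it does not authorise anything.
set network virtual-router All-Routes interface [ ethernet1/1 ethernet1/2 ethernet1/3 ]
set network virtual-router All-Routes routing-table ip static-route default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1

# Steps 2-3: two internal vsys, each importing only its own interface, visible to each other
set vsys vsys1 display-name WORK_192
set vsys vsys1 import network interface ethernet1/2
set vsys vsys1 import visible-vsys vsys2
set vsys vsys2 display-name HOME_10
set vsys vsys2 import network interface ethernet1/3
set vsys vsys2 import visible-vsys vsys1

# Step 4: the shared gateway owns the ISP-facing interface and the SHARED_UNTRUST zone
set shared-gateway sg1 display-name Shared_External_GW
set shared-gateway sg1 import network interface ethernet1/1
set shared-gateway sg1 zone SHARED_UNTRUST network layer3 ethernet1/1

# Step 7: internal zone plus one External-type transit zone per vsys, pointing at the shared gateway
set vsys vsys1 zone WORK_192 network layer3 ethernet1/2
set vsys vsys1 zone Work-to-Untrust network external sg1
set vsys vsys2 zone HOME_10 network layer3 ethernet1/3
set vsys vsys2 zone Home-to-Untrust network external sg1

# Step 8: security policy lives in each vsys. The transit zone is the only control point between
# the internal network and the shared exit, so scope the rule instead of allowing application any.
set vsys vsys1 rulebase security rules Work-Outbound from WORK_192 to Work-to-Untrust source 192.168.1.0/24 destination any application [ dns ssl web-browsing ] service application-default action allow
set vsys vsys2 rulebase security rules Home-Outbound from HOME_10 to Home-to-Untrust source 10.0.0.0/24 destination any application any service application-default action allow

# Step 9: hide NAT only on the shared gateway; source zone any because every vsys shares this exit.
# The NAT rule translates whatever arrives; it is the vsys rules above that decide what arrives.
set shared-gateway sg1 rulebase nat rules Hide-NAT-Out from any to SHARED_UNTRUST source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

commit
```

After the commit, `show session all` in operational mode lists the sessions together with their translated source address, which is the quickest way to confirm step 10 without waiting for the traffic log. On releases that support it, `set system setting target-vsys vsys1` followed by `test security-policy-match` with the flow's zones, addresses and port reports which rule a flow would hit without sending any traffic. Removing the two security rules leaves routing fully intact yet drops every session, which is exactly the separation of routing from authorisation that step 6 describes.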
Part 2: Inter-VSYS (Virtual System) Communication

The concept for inter-VSYS communication, that is, communication between internal virtual systems, is similar to the shared gateway setup. For those virtual systems that need to communicate with each other, set up an individual external zone in each, then set policy to allow this traffic.
1. For inter-VSYS, the HOME_10 zone needs to be able to reach the WORK_192 zone and vice versa. So two new external zones need to be set up, one in each virtual system and each pointing at the other virtual system, and then policy created to control traffic between zones. To set these zones up, go to the Network tab and choose Zones.

(screenshot) A view of all zones for both shared gateway and inter-VSYS communication
2. When setting policy, you will need to build rules to allow traffic between the zones. This is where the Home-to-Work and Work-to-Home external zones come into play. Traffic between hosts in these zones uses the external zones as the transit and must therefore be set in policy accordingly: a session crosses both virtual systems and is evaluated by the policy of each, so (taking Home-to-Work as the external zone in the home vsys and Work-to-Home as the one in the work vsys, as the names suggest) a session from home to work must be allowed from HOME_10 to Home-to-Work in the home vsys and from Work-to-Home to WORK_192 in the work vsys, and the reverse direction likewise. To set the policy, go to the Policy tab → Security Policy. Make sure to choose the virtual system where you are setting the policy.
3. To test, generate traffic from hosts in the WORK_192 and HOME_10 networks to the opposite zone and monitor the traffic log for activity (Monitor → Logs: Traffic).
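Part 2 as an added PAN-OS configure-mode CLI example on top of the Part 1 configuration; this is not material from the tech note, and the command paths come from general knowledge of the PAN-OS CLI, so check them with tab completion before committing. It uses the document's vsys assignment (vsys1 = WORK_192, vsys2 = HOME_10) and takes Home-to-Work as the external zone in the home vsys and Work-to-Home as the one in the work vsys. The hosts 10.0.0.25 and 192.168.1.10, and the choice of RDP and SMB as the only applications allowed across, are assumptions made for the example.

```text
# Added example: PAN-OS configure-mode CLI for Part 2, assumes the Part 1 configuration is in place
# (not from the original tech note). Assumed hosts: 10.0.0.25 (home PC), 192.168.1.10 (work server).
configure

# Step 1: one External-type zone per vsys, each pointing at the other vsys (both must be visible, Part 1 step 3).
# The zone carries traffic in both directions; it is the transit, not a direction.
set vsys vsys1 zone Work-to-Home network external vsys2
set vsys vsys2 zone Home-to-Work network external vsys1

# Step 2: a home-to-work session is evaluated by both vsys, so it needs an allow in each.
# The transit zone is the only boundary between the two environments: name the hosts and
# applications that genuinely need to cross rather than allowing any/any between the zones.
set vsys vsys2 rulebase security rules Home-to-Work-Allow from HOME_10 to Home-to-Work source 10.0.0.25 destination 192.168.1.10 application [ ms-rdp ms-ds-smb ] service application-default action allow
set vsys vsys1 rulebase security rules Inbound-from-Home from Work-to-Home to WORK_192 source 10.0.0.25 destination 192.168.1.10 application [ ms-rdp ms-ds-smb ] service application-default action allow

# Work-to-home direction, if it is wanted, is the mirror image (work vsys first, then home vsys).
set vsys vsys1 rulebase security rules Work-to-Home-Allow from WORK_192 to Work-to-Home source 192.168.1.10 destination 10.0.0.25 application [ ms-ds-smb ] service application-default action allow
set vsys vsys2 rulebase security rules Inbound-from-Work from Home-to-Work to HOME_10 source 192.168.1.10 destination 10.0.0.25 application [ ms-ds-smb ] service application-default action allow

# Explicit logged deny for everything else arriving through the transit zone, so any other
# crossing attempt shows up in Monitor -> Logs: Traffic (step 3) instead of vanishing silently.
set vsys vsys1 rulebase security rules Deny-Other-from-Home from Work-to-Home to WORK_192 source any destination any application any service any action deny log-end yes
set vsys vsys2 rulebase security rules Deny-Other-from-Work from Home-to-Work to HOME_10 source any destination any application any service any action deny log-end yes

commit
```

The rule that matters most for the work side is the one in the work vsys (Inbound-from-Home): whatever the home vsys permits, nothing reaches WORK_192 unless the work vsys also allows it, so the work-side rule is where the tightest scoping belongs. The logged deny rules make step 3 meaningful in the negative case as well, since a test from a host that is not 10.0.0.25 should appear in the traffic log as a deny hitting Deny-Other-from-Home rather than as no entry at all.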