Configure inter-VLAN routing in a Palo Alto firewall

When I need to implement inter-VLAN routing in a small/branch office, I prefer to have the firewall do it instead of a Layer 3 switch, for the following reasons:

– you do not need a costly Layer 3 switch in a small office

– you can configure port/application-level access from one VLAN to another, so you do not need to blindly open all access between VLANs, and you avoid unnecessary traffic flows

– the firewall has built-in features such as the Dashboard, which let you review access logs between VLANs in a readable format (who accessed what), whereas you need a syslog server to review the logs of a Layer 3 switch

So here I am working on a PA-200 firewall, configuring it for one-arm routing, also called router-on-a-stick.

[Figure: Palo Alto firewall inter-VLAN routing diagram]

Palo Alto Firewall Configuration

Palo Alto Networks Support has a detailed document explaining the steps to achieve inter-VLAN routing: download the Paloalto Firewall Design Guide.pdf and see Section 4.8. We will not repeat the steps here, but one thing we do want to convey is that configuring inter-VLAN routing in a Palo Alto firewall is very simple. All you need are these 2 steps –

1) Configure the interfaces, sub-interfaces and VLANs (I have attached a screenshot as an example from one of my PAFWs)

2) Allow traffic from one zone to another in Security Policies, and you are done on the PAFW.

[Screenshot: Palo Alto sub-interfaces for inter-VLAN routing]

Switch Configuration

Configure the switch port facing the firewall as an 802.1Q trunk so that every VLAN's tagged frames reach the firewall's sub-interfaces:

(config)# interface gi 0/24
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
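Two things commonly break a router-on-a-stick design after the two steps above: a VLAN with a firewall sub-interface that the trunk does not carry (or carries untagged as the native VLAN), and overlapping subnets on different sub-interfaces. The following checker is an added example, not from the original post or from Palo Alto Networks; the sub-interface table and the switch stanza are constructed sample values, and the Cisco defaults it assumes (all VLANs allowed, native VLAN 1) are annotated in the code.

```python
"""Consistency check for a router-on-a-stick design: PA sub-interfaces vs. the switch trunk."""
import ipaddress
import re

# Constructed sample: the planned Layer 3 sub-interfaces on the firewall (VLAN tag, address, zone)
PA_SUBINTERFACES = {
    "ethernet1/1.10": {"tag": 10, "ip": "10.1.10.1/24", "zone": "vlan10-users"},
    "ethernet1/1.20": {"tag": 20, "ip": "10.1.20.1/24", "zone": "vlan20-servers"},
    "ethernet1/1.30": {"tag": 30, "ip": "10.1.10.129/25", "zone": "vlan30-printers"},  # overlaps .10
}

# Constructed sample: the switch side of the trunk towards the firewall (two mistakes on purpose)
SWITCH_PORT = """
interface gi 0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 30
 switchport trunk allowed vlan 10,20
 switchport mode trunk
"""


def parse_trunk(config):
    """Return (allowed VLAN set, or None meaning 'all'; native VLAN) from a trunk port stanza."""
    allowed, native = None, 1  # assumed Cisco defaults: all VLANs allowed, native VLAN 1
    for line in config.splitlines():
        m = re.match(r"\s*switchport trunk allowed vlan ([\d,\-]+)", line)  # numeric lists only
        if m:
            allowed = set()
            for part in m.group(1).split(","):
                lo, _, hi = part.partition("-")  # "10" or a range such as "10-20"
                allowed.update(range(int(lo), int(hi or lo) + 1))
        m = re.match(r"\s*switchport trunk native vlan (\d+)", line)
        if m:
            native = int(m.group(1))
    return allowed, native


def check_design(subifs, trunk_config):
    """Return findings that would break inter-VLAN routing through the firewall."""
    allowed, native = parse_trunk(trunk_config)
    findings, nets = [], {}
    for name, s in subifs.items():
        if allowed is not None and s["tag"] not in allowed:
            findings.append(f"{name}: VLAN {s['tag']} is not allowed on the trunk")
        if s["tag"] == native:
            findings.append(f"{name}: VLAN {s['tag']} is the native VLAN, frames arrive untagged")
        net = ipaddress.ip_interface(s["ip"]).network
        for other, onet in nets.items():  # every sub-interface needs its own subnet
            if net.overlaps(onet):
                findings.append(f"{name}: subnet {net} overlaps {other} ({onet})")
        nets[name] = net
    return findings
```

Run `check_design(PA_SUBINTERFACES, SWITCH_PORT)` against the sample and it reports the three problems; fixing the trunk to allow VLAN 30 and using an unused native VLAN leaves only the overlapping-subnet finding.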

Palo Alto Firewall Commands Reference

Group-Mapping:

1. View the state of group mapping and whether any error has occurred:

admin@HNSPAFW (active) > show user group-mapping state all

2. View the list of Active Directory group members synced to the PA: say you have just added a user to an internet access group in AD and want to check that this is reflected on the PA

admin@HNSPAFW (active) > show user group name "hsngroup.net\level-internet-access-group"

3. Refresh the members of a specific AD group in group mapping: say you have just added a user to an internet access group in AD but the user still cannot browse; refresh the group mapping. The command below does not affect your existing traffic

admin@HNSPAFW (active) > debug user-id refresh group-mapping …………

4. Refresh the members of all AD groups in group mapping: the command below does not affect your existing traffic

admin@HNSPAFW (active) > debug user-id refresh group-mapping all