
1.The purpose of the article
The article shows how to configure application routing to follow a specified internet path.
2.Diagram

Details:
- Two internet lines connect to the Palo Alto firewall and run in load balancing. The WAN1 internet connection connects to the ethernet1/1 port of the Palo Alto firewall with IP 14.169.x.x.
- The WAN line connects to the Palo Alto firewall at the ethernet1/2 port with IP 192.168.15.2.
- The ethernet1/4 port is in the LAN zone of the Palo Alto firewall with IP 172.16.31.1/24 and is already configured with DHCP to allocate IP addresses.
- Finally, there are 2 laptops in the LAN.
- Laptop 1 has IP 172.16.31.100/24.
- Laptop 2 has IP 172.16.31.101/24.
3.Scenario
We will configure the application routing so that when a user on laptop 1 uses the Skype application, the traffic of this application will go through WAN 1.
Similarly, we will configure the application routing so that when a user on laptop 2 uses the Telegram application, the traffic of this application will go through the WAN.
4.What to do
- Create Address Objects for Laptop 1 and Laptop 2.
- Create Security Policy for Laptop 1.
- Create Security Policy for Laptop 2.
- Result.
5.Configuration
5.1.Create Address Objects for Laptop 1 and Laptop 2
To create, go to Objects > Addresses > click Add and create with the following parameters:
- Name: Laptop 1.
- Type: IP Netmask – 172.16.31.100.
- Click OK.

Similarly, click Add again to create Address Objects for Laptop 2 with the following parameters:
- Name: Laptop 2.
- Type: IP Netmask – 172.16.31.101.
- Click OK.

Click Commit and OK to save the configuration changes.
5.2.Create Security Policy for Laptop 1
To create, go to Policies > Security > click Add.
Create with the following parameters:
General tab
- Name: Routing_Laptop1_For_Skype

Source tab:
- Source Zone: Click Add and select LAN zone.
- Source Address: Click Add and select Address Objects Laptop 1.

Destination tab:
- Destination Zone: select WAN1.

Application tab:
- Click Add and select Skype.

Action tab:
- Action: select Allow.
- Log Setting: select Log at Session End.
- Click OK.

Click Commit and OK to save the configuration changes.
5.3.Create Security Policy for Laptop 2
To create, go to Policies > Security > click Add.
Create with the following parameters:
General tab
- Name: Routing_Laptop1_For_Telegram

Source tab:
- Source Zone: Click Add and select LAN zone.
- Source Address: Click Add and select Address Objects Laptop 2.

Destination tab:
- Destination Zone: select WAN.

Application tab:
- Click Add and select Telegram.

Action tab:
- Action: select Allow.
- Log Setting: select Log at Session End.
- Click OK.

Click Commit and OK to save the configuration changes.
5.4.Result
We will use 2 applications, Skype and Telegram, to check the results.
On Laptop 1, use the Skype application to make a phone call.

Then go to Monitor > Logs > Traffic to check.
As a result, we can see that the traffic of the Skype application that Laptop1 uses has gone through WAN1 with the Routing_Laptop1_For_Skype policy.

Similarly, on Laptop 2 we use Telegram to make a phone call.

Then go to Monitor > Logs > Traffic to check.
As a result, we can see that the traffic of the Telegram application that Laptop2 uses has gone through the WAN with the Routing_Laptop1_For_Telegram policy.
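
To check the result across many sessions instead of reading the Traffic log by eye, the following added example (not part of the original article) compares exported log rows against the rule and egress zone this article expects, and reports expected flows that were never confirmed. The CSV column names, the lowercase application names and the `Default_Outbound` rule are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Expected steering from the article: (source IP, application) -> (rule, egress zone).
# Application names are assumed; use the names shown in your own Traffic log.
EXPECTED = {
    ("172.16.31.100", "skype"): ("Routing_Laptop1_For_Skype", "WAN1"),
    ("172.16.31.101", "telegram"): ("Routing_Laptop1_For_Telegram", "WAN"),
}

# Constructed sample standing in for a Traffic log CSV export (column names assumed).
# "Default_Outbound" is a hypothetical catch-all rule, not one from the article.
SAMPLE_CSV = """Source address,Application,Rule,Destination Zone
172.16.31.100,skype,Routing_Laptop1_For_Skype,WAN1
172.16.31.101,telegram,Default_Outbound,WAN1
172.16.31.100,web-browsing,Default_Outbound,WAN
"""


def check_traffic_log(csv_text):
    """Return (findings, missing).

    findings: (csv_line, (src, app), (rule, zone)) for sessions that matched a
              different rule or left through a different zone than expected.
    missing:  expected (src, app) pairs with no correctly steered session.
    """
    findings, confirmed = [], set()
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        key = (row["Source address"].strip(), row["Application"].strip().lower())
        if key not in EXPECTED:
            continue  # traffic the article's two rules do not cover
        observed = (row["Rule"].strip(), row["Destination Zone"].strip())
        if observed == EXPECTED[key]:
            confirmed.add(key)
        else:
            findings.append((line_no, key, observed))
    missing = sorted(set(EXPECTED) - confirmed)
    return findings, missing


if __name__ == "__main__":
    findings, missing = check_traffic_log(SAMPLE_CSV)
    for line_no, (src, app), (rule, zone) in findings:
        print(f"line {line_no}: {app} from {src} used rule {rule}, zone {zone}")
    for src, app in missing:
        print(f"no confirmed session for {app} from {src}")
```

A finding for an expected pair means the session was permitted by some other rule or left through the other line, so the log entry alone does not confirm the intended path.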
