Palo Alto Networks: How to configure application routing to follow a specified internet path

1. The purpose of the article

The article shows how to configure application routing to follow a specified internet path.

2. Diagram

Details:

  • Two internet lines connect to the Palo Alto firewall and run in load balancing. The WAN1 internet connection connects to port ethernet1/1 of the Palo Alto firewall with IP 14.169.x.x.
  • The WAN line connects to port ethernet1/2 of the Palo Alto firewall with IP 192.168.15.2.
  • Port ethernet1/4 is in the LAN zone of the Palo Alto firewall with IP 172.16.31.1/24 and is already configured as a DHCP server to allocate IP addresses.
  • Finally, there are two laptops in the LAN.
  • Laptop 1 has IP 172.16.31.100/24.
  • Laptop 2 has IP 172.16.31.101/24.

3. Scenario

We will configure the application routing so that when a user on Laptop 1 uses the Skype application, the traffic of this application goes through WAN1.

Similarly, we will configure the application routing so that when a user on Laptop 2 uses the Telegram application, the traffic of this application goes through the WAN line.

4. What to do

  • Create Address Objects for Laptop 1 and Laptop 2.
  • Create Security Policy for Laptop 1.
  • Create Security Policy for Laptop 2.
  • Result.

5. Configuration

5.1. Create Address Objects for Laptop 1 and Laptop 2

To create, go to Objects > Addresses > click Add and create with the following parameters:

  • Name: Laptop 1.
  • Type: IP Netmask – 172.16.31.100.
  • Click OK.

Similarly, click Add again to create the Address Object for Laptop 2 with the following parameters:

  • Name: Laptop 2.
  • Type: IP Netmask – 172.16.31.101.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.2. Create Security Policy for Laptop 1

To create, go to Policies > Security > click Add.

Create with the following parameters:

General tab

  • Name: Routing_Laptop1_For_Skype

Source tab:

  • Source Zone: Click Add and select LAN zone.
  • Source Address: Click Add and select the Address Object Laptop 1.

Destination tab:

  • Destination Zone: select WAN1.

Application tab:

  • Click Add and select Skype.

Action tab:

  • Action: select Allow.
  • Log Setting: select Log at Session End.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.3. Create Security Policy for Laptop 2

To create, go to Policies > Security > click Add.

Create with the following parameters:

General tab

  • Name: Routing_Laptop1_For_Telegram

Source tab:

  • Source Zone: Click Add and select LAN zone.
  • Source Address: Click Add and select the Address Object Laptop 2.

Destination tab:

  • Destination Zone: select WAN.

Application tab:

  • Click Add and select Telegram.

Action tab:

  • Action: select Allow.
  • Log Setting: select Log at Session End.
  • Click OK.

Click Commit and OK to save the configuration changes.
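For readers who prefer the CLI, the following block is the configuration-mode equivalent of sections 5.1 to 5.3. It is an added example, not part of the original article: it assumes PAN-OS "set" command syntax, the zone names LAN, WAN1 and WAN from the diagram, and the App-ID names skype and telegram; the lines beginning with # are annotations for the reader, not CLI input. One point worth keeping in mind when reading the rules: a security rule with Destination Zone WAN1 allows the Skype session only when the firewall's route lookup has already placed its egress interface in WAN1; a session the load balancing sends out the other WAN zone matches no allow rule and falls to the default interzone deny, which is what keeps Skype from Laptop 1 off that line.

```text
# Enter configuration mode
configure

# 5.1 Address objects (a single host is written with a /32 mask)
set address "Laptop 1" ip-netmask 172.16.31.100/32
set address "Laptop 2" ip-netmask 172.16.31.101/32

# 5.2 Laptop 1: Skype allowed from LAN only towards the WAN1 zone, logged at session end
set rulebase security rules Routing_Laptop1_For_Skype from LAN to WAN1 source "Laptop 1" destination any application skype service application-default action allow log-end yes

# 5.3 Laptop 2: Telegram allowed from LAN only towards the WAN zone (rule name as in the article)
set rulebase security rules Routing_Laptop1_For_Telegram from LAN to WAN source "Laptop 2" destination any application telegram service application-default action allow log-end yes

# Save the candidate configuration and return to operational mode
commit
exit

# Check for section 5.4, run from operational mode: list Laptop 1's live Skype
# sessions and confirm the egress zone and the rule each one matched
show session all filter source 172.16.31.100 application skype
```

The session listing is the CLI counterpart of the Monitor > Logs > Traffic check in the next section: each entry shows the source and destination zones and the rule name, so a Skype session from Laptop 1 should report WAN1 as its destination zone and Routing_Laptop1_For_Skype as its rule.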

5.4. Result

We will use two applications, Skype and Telegram, to check the results.

On Laptop 1, use the Skype application to make a call.

Then go to Monitor > Logs > Traffic to check.

As a result, we can see that the Skype traffic from Laptop 1 has gone through WAN1 and matched the Routing_Laptop1_For_Skype policy.

Similarly, on Laptop 2 we use Telegram to make a call.

Then go to Monitor > Logs > Traffic to check.

As a result, we can see that the Telegram traffic from Laptop 2 has gone through the WAN line and matched the Routing_Laptop1_For_Telegram policy.
