
    What is Palo Alto’s shared Gateway?

    A shared gateway is an interface that acts as a bridge for multiple virtual systems (vsys) to connect to the internet using a single IP address. Plain and simple.

    Imagine this scenario. You have a firewall that runs multiple virtual systems (vsys), and you want to use a single IP address for all these virtual systems while reserving some private addresses for Network Address Translation purposes. This approach is advantageous for managing outbound connections and IP reservations.


    What’s the benefit of having a shared gateway?

    • One benefit is that you avoid IP depletion while running multiple virtual firewalls.
    • In a scenario with five virtual firewalls (vsys), some organizations may choose not to assign a private IP address to each one unless necessary. They can use one public IP address for outbound traffic from all the firewalls. For inbound traffic, however, a private IP is required for bidirectional communication with a server.
    • Managed security service providers (MSSPs) often use this feature by default for clients who do not require a private address, unless the client opts to pay for one. There are other benefits to consider, but these depend on the organization’s specific needs.

    How does a shared gateway work?

    To explain this correctly, let’s look at the diagram and break it down for better comprehension.


    [Image: Shared Gateway illustration]

    Breaking things down

    1. Eth1/1 is the Untrust interface for all the vsys (vsys1, vsys2, vsys3). This is the shared internet connection.
    2. Eth1/2 is the Trust interface for vsys2.
    3. Eth1/3 is the Trust interface for vsys3.
    4. sg1 (the shared gateway) is pegged to Eth1/1. You will see it in a moment.
    5. sg1 is considered a virtual system for shared gateways, separate from the regular vsys.
    6. sg1 is where all the NAT and PBF (Policy Based Forwarding) will occur.

    Quick explanation

    • You have three domains/vsys. (vsys1 vsys2 and vsys3).
    • The host at 192.168.11.0/24 belonging to (vsys2) has a physical connection to the firewall through Eth1/2 and wants to send traffic to the internet via the Trust zone interface. The zone type for the Trust is layer 3.
    • The Untrusted zone doesn’t have any physical connections, in contrast to the Trusted interface. Instead, it utilizes a zone type called “External,” which serves as an intermediary to connect to the shared gateway (sg1). This shared gateway uses Eth1/1 to send traffic to the internet.
    • Sg1 is physically connected to Eth1/1. This interface will serve as the shared gateway, facilitating internet connectivity for all the virtual firewalls.
    • Sg1 is a virtual system similar to vsys, where all the NAT and PBF will be configured.

    Here is a more detailed illustration.

    [Image: This illustration shows how traffic egresses from the local host to the internet through sg1.]

    Let’s glue everything together.

    First and foremost, create the shared gateway. It will be the virtual system that hosts the “Shared Gateway.”


    STEP 1: ADDING THE SHARED GATEWAY

    • Click on DEVICE and then Shared Gateways. Add a new shared gateway. You don’t need to include the interface yet, since it hasn’t been configured; even if you click Add, you won’t see Eth1/1.
    [Image: Once the shared gateway is created, its ID will be sg1.]

    STEP 2: CONFIGURING THE INTERFACE ETH1/1 FOR THE SHARED GATEWAY/ UNTRUST

    • Configure Eth1/1, set the interface type to Layer 3, and add a description.
    • Add a new virtual router from within the interface.
    • Select the virtual system called “Untrust-Shared (sg1).”
    • Create a security zone called “Untrust-Shared” (see CREATING A NEW ZONE below).
    • Make sure you configure the IPv4 address for the outside interface.
    • When you create the virtual router, make sure that the ISP route is in place.
    [Image: The interface Eth1/1 is now configured to act as a shared gateway for our internet connection.]

    CREATING A NEW ZONE WITHIN THE INTERFACE ETH1/1. (UNTRUST-SHARED)

    • While adding the zone, give a distinctive name (Untrust-Shared) or anything you want, and add the interface Eth1/1.
    • By default, the virtual system’s location should say “untrust-shared (sg1).” This is the name of the gateway we’ve created. Make sure you click OK.
    [Image: Configuration of the zone while adding it from the Eth1/1 interface.]
    [Image: This is the output from the configuration above.]

    STEP 3: CONFIGURING THE INTERFACE ETH1/2. (TRUST-VSYS2)

    • Configure Eth1/2 and set the interface type to Layer 3.
    • Select the virtual router you’ve created, “SHARED-VR01”.
    • Select the virtual system called “vsys2”.
    • Create a security zone called “Trust-vsys2”.
    • Make sure you have added your IPv4 default gateway and optionally allow ping.

    [Image: Eth1/2 is configured under vsys2. This is a Trust network.]

    STEP 4: CONFIGURING THE INTERFACE ETH1/3. (TRUST-VSYS3)

    • Configure Eth1/3 and set the interface type to Layer 3.
    • Select the virtual router you’ve created, “SHARED-VR01”.
    • Select the virtual system called “vsys3”.
    • Create a security zone called “Trust-vsys3”.
    • Make sure you have added your IPv4 default gateway and optionally allow ping.

    [Image: Eth1/3 is configured under vsys3. This is a Trust network.]

    [Image: All the interfaces are now configured and lit green.]

    At this point, everything looks good with the interfaces. However, we need to create two additional zones to manage egress traffic from the Trust zone to the Untrust zone. This will allow users to access the internet.

    As you might expect, these new zones will not be linked to any physical interface. Instead, they will bridge to a logical zone called “External,” allowing any virtual system (vsys) to forward traffic to (sg1) pegged to Eth1/1.


    STEP 5: CONFIGURING THE ZONES FOR THE UNTRUST. (UNTRUST-VSYS2)

    • Add a new zone.
    • Give it a name, in this case Untrust-vsys2.
    • Select the right vsys, in this case vsys2.
    • For the Type, select External.
    • Add the virtual system called sg1.
    [Image: Untrust-vsys2 is the untrust zone for the security policy.]

    STEP 6: CONFIGURING THE ZONES FOR THE UNTRUST. (UNTRUST-VSYS3)

    • Add a new zone.
    • Give it a name, in this case Untrust-vsys3.
    • Select the right vsys, in this case vsys3.
    • For the Type, select External.
    • Add the virtual system called sg1.
    [Image: Untrust-vsys3 is the untrust zone for the security policy.]

    This is how it looks once you get them all together.

    • Eth1/1 – Untrust-Shared – This is the shared gateway for the internet.
    • Eth1/2 – Trust-vsys2 – This is the trust zone for the interface.
    • Eth1/3 – Trust-vsys3 – This is the trust zone for the interface.
    • sg1 – Untrust-vsys2 – This is the untrust zone for the security policy, not for NAT.
    • sg1 – Untrust-vsys3 – This is the untrust zone for the security policy, not for NAT.
    [Image: All zones have been set up according to our diagram.]

    STEP 7: WE NEED TO CONFIGURE NAT

    • You can’t create the NAT policy under vsys1, vsys2, or vsys3, because Eth1/1 belongs to sg1.
    • To configure NAT, go to POLICIES and select the virtual system “Untrust-Shared (sg1).”
    [Image: Selecting Untrust-Shared (sg1) to configure NAT.]
    • The policy we are going to add will be from any zone to the Untrust-Shared zone.
    • Click Add. The source zone will be ANY, which makes sense because you want traffic coming from any vsys to be NATed.
    [Image: NAT configuration for traffic exiting your local network to the internet from any vsys.]

    STEP 8: WE NEED TO ADD A SECURITY POLICY FOR VSYS2.

    • If we want to allow users from vsys2 to access the internet, we need to create a policy in vsys2 that permits the source zone (Trust-vsys2) to access the destination zone (Untrust-vsys2).
    [Image: Security policy created on vsys2.]

    STEP 9: WE NEED TO ADD A SECURITY POLICY FOR VSYS3.

    • If we want to allow users from vsys3 to access the internet, we need to create a policy in vsys3 that permits the source zone (Trust-vsys3) to access the destination zone (Untrust-vsys3).
    [Image: Security policy created on vsys3.]

    STEP 10: CHECKING THE LOGS TO VERIFY THE TRAFFIC.

    • As you can see in the image below, traffic is going out to the internet using the (sg1) Untrust-Shared zone we’ve created for Eth1/1.
    • You’re not seeing any traffic directed to Untrust-vsys2 or Untrust-vsys3, right? That’s because those zones act as forwarders that send traffic to an external interface like Eth1/1, which is pegged to the (sg1) logical interface.
    [Image: Traffic is shown from vsys2 and vsys3 going out to the internet, each using its own rules.]
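    As an added illustration (not from the original post or from Palo Alto Networks), the following Python model encodes the zones, security rules and NAT from Steps 5 to 9 and traces a flow from each Trust zone, showing why the logs report Untrust-Shared rather than Untrust-vsys2/3. The public IP 203.0.113.10, the ethernet1/4 interface and the Trust-vsys1 zone are constructed assumptions; vsys1 is left without an external zone to show the failure mode.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Zone:
    name: str
    vsys: str        # owning vsys; sg1 is the shared gateway's own "vsys"
    kind: str        # "layer3" (bound to an interface) or "external" (bridges to a shared gateway)
    target: str      # layer3: the interface; external: the shared gateway it forwards to

# Topology from the article's steps (constructed here, not exported from a firewall).
# Trust-vsys1 on ethernet1/4 is a hypothetical addition: vsys1 gets no external zone,
# so it shows what happens to a vsys that was never bridged to sg1.
ZONES = {z.name: z for z in (
    Zone("Trust-vsys2", "vsys2", "layer3", "ethernet1/2"),
    Zone("Trust-vsys3", "vsys3", "layer3", "ethernet1/3"),
    Zone("Trust-vsys1", "vsys1", "layer3", "ethernet1/4"),
    Zone("Untrust-vsys2", "vsys2", "external", "sg1"),
    Zone("Untrust-vsys3", "vsys3", "external", "sg1"),
    Zone("Untrust-Shared", "sg1", "layer3", "ethernet1/1"),
)}
# Security rules are evaluated inside each vsys (Steps 8 and 9).
SECURITY_RULES = {
    ("vsys2", "Trust-vsys2", "Untrust-vsys2"): "allow",
    ("vsys3", "Trust-vsys3", "Untrust-vsys3"): "allow",
}
# NAT exists only in sg1 (Step 7): any zone -> Untrust-Shared, translated to Eth1/1's
# address (203.0.113.10 is a constructed sample public IP).
NAT_RULES = {("sg1", "any", "Untrust-Shared"): "203.0.113.10"}

def egress_path(src_zone: str) -> dict:
    """Trace a flow from a Trust zone to the internet and report what the traffic
    log would show: the rule matched in the vsys, the NAT applied in sg1, and the
    zone/interface the packet actually leaves on."""
    src = ZONES[src_zone]
    # The only way out of a vsys is its external zone (Steps 5 and 6).
    ext = next((z for z in ZONES.values() if z.vsys == src.vsys and z.kind == "external"), None)
    if ext is None:
        return {"action": "drop", "reason": f"{src.vsys} has no external zone to sg1"}
    # Security policy is checked in the vsys as Trust-vsysN -> Untrust-vsysN.
    if SECURITY_RULES.get((src.vsys, src.name, ext.name)) != "allow":
        return {"action": "drop", "reason": f"no rule {src.name} -> {ext.name} in {src.vsys}"}
    # The external zone hands off to sg1; the egress zone is sg1's own, hence logs show Untrust-Shared.
    sg_zone = next(z for z in ZONES.values() if z.vsys == ext.target and z.kind == "layer3")
    return {"action": "allow", "policy_vsys": src.vsys, "policy_to_zone": ext.name,
            "nat_vsys": ext.target, "nat_ip": NAT_RULES.get((ext.target, "any", sg_zone.name)),
            "egress_zone": sg_zone.name, "egress_if": sg_zone.target}

if __name__ == "__main__":
    for zone in ("Trust-vsys2", "Trust-vsys3", "Trust-vsys1"):
        print(zone, "->", egress_path(zone))
```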

    I hope this information has been helpful for those looking to enhance their skills with the Palo Alto Networks firewall. This platform can be quite complex, particularly when it comes to troubleshooting. However, by understanding the fundamental features, you can effectively bridge any knowledge gaps.

    If you want to view the images, please use your phone or download them for a better view.

    Cheers,
