Configure Traffic Flow Towards CN-Series HSF
Where Can I Use This?
  • CN-Series HSF Firewall deployment
What Do I Need?
  • CN-Series 11.0.x or above Container Images
  • Panorama running PAN-OS 11.0.x or above version
The upstream/downstream router uses a flow-based ECMP algorithm. When traffic reaches the CN-GW, it distributes the traffic to one of the available CN-NGFWs through the Traffic Interconnect (TI) link using a symmetric hash algorithm. Traffic matching a session from both directions (client to server and server to client) always goes through the same CN-NGFW. Once the CN-NGFW processes the traffic, and if you have set a policy to allow the traffic, the packet is sent back to the CN-GW to reach the server.
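The symmetric-hash distribution described above, as an added illustration that is not the CN-GW's own algorithm: the two endpoints of the 5-tuple are ordered before hashing, so a session's client-to-server and server-to-client packets select the same CN-NGFW, while a plain (asymmetric) 5-tuple hash can split the two directions across firewalls. The flows and CN-NGFW names below are constructed sample values.

```python
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Flow:
    """A 5-tuple as seen by the CN-GW (constructed sample type)."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int

    def reverse(self) -> "Flow":
        # The server-to-client direction of the same session.
        return Flow(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


def symmetric_key(flow: Flow) -> bytes:
    # Sort the two (ip, port) endpoints so that a flow and its reverse
    # produce an identical key; this ordering is what makes the hash symmetric.
    lo, hi = sorted([(flow.src_ip, flow.src_port), (flow.dst_ip, flow.dst_port)])
    return f"{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}|{flow.proto}".encode()


def asymmetric_key(flow: Flow) -> bytes:
    # Plain source-then-destination order: the reverse direction hashes differently.
    return f"{flow.src_ip}:{flow.src_port}|{flow.dst_ip}:{flow.dst_port}|{flow.proto}".encode()


def pick_ngfw(flow: Flow, ngfws: List[str], symmetric: bool = True) -> str:
    """Map a flow to one member of the CN-NGFW pool (illustrative hash, not the product's)."""
    key = symmetric_key(flow) if symmetric else asymmetric_key(flow)
    digest = hashlib.sha256(key).digest()
    return ngfws[int.from_bytes(digest[:8], "big") % len(ngfws)]


def both_directions_match(flow: Flow, ngfws: List[str], symmetric: bool = True) -> bool:
    """True when both directions of the session land on the same CN-NGFW."""
    return pick_ngfw(flow, ngfws, symmetric) == pick_ngfw(flow.reverse(), ngfws, symmetric)


if __name__ == "__main__":
    pool = ["cn-ngfw-0", "cn-ngfw-1", "cn-ngfw-2", "cn-ngfw-3"]  # constructed pool
    f = Flow("192.168.100.50", "192.168.200.10", 6, 51234, 443)  # constructed flow
    print("symmetric:", pick_ngfw(f, pool), pick_ngfw(f.reverse(), pool))
    print("asymmetric:", pick_ngfw(f, pool, False), pick_ngfw(f.reverse(), pool, False))
```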
  1. Create a Logical Router on the firewall to participate in Layer 3 routing.
    1. Go to Network > Routing > Logical Routers, then select the variable template from the Template drop-down.
    2. Select a default virtual router or add a Name for the new logical router.
    3. Select General, then add an already defined Interface.
      Repeat this step for adding all interfaces you want to add to the logical router.
      The ethernetX/1 and ethernetX/2 interfaces are reserved for the CI and TI links respectively. Select an interface between ethernet1/3 and ethernet1/14.
    4. Click OK.
    5. Set Administrative Distance for static routing. Range is 10 to 240; default is 10.
      Set Administrative Distances for types of routes as required for your network. When the virtual router has two or more different routes to the same destination, it uses administrative distance to choose the best path from different routing protocols and static routes by preferring a lower distance.
    6. Enable ECMP to leverage multiple equal-cost paths for forwarding.
    7. Click OK.
  2. Configure the Layer 3 interface to enable traffic flow.
    When you Prepare Panorama for CN-Series HSF Deployment, you might have created a variable Template. To enable traffic flow through the cluster network, you must configure that variable template with the network and traffic configuration needed for load balancing the CN-Series HSF. You must configure the Layer 3 Ethernet interface with IPv4 addresses so that the firewall can perform routing on these interfaces. You would typically use the following procedure to configure an external interface that connects to the internet and an interface for your internal network.
    You can configure this template before or after deploying the CN-Series HSF.
    Ensure that the configuration in this template does not overlap with the K8S-CNF-Clustering-Readonly template that is created automatically during the Kubernetes plugin installation.
    1. Go to Network > Interfaces, then select the variable template from the Template drop-down.
    2. Select the Ethernet tab, then Add Interface.
    3. Select a Slot between 1 and 30.
    4. Enter an Interface Name between ethernet1/3 and ethernet1/14.
    5. For Interface Type, select Layer 3.
    6. On the Config tab:
      • For Logical Router, select the logical router you configured in Step 1.
      • For Virtual System, select the virtual system you are configuring if on a multi-virtual system firewall.
      • For Security Zone, select the zone to which the interface belongs or create a New Zone.
    7. On the IPv4 tab, select DHCP Client.
      The firewall interface acts as a DHCP client and receives a dynamically assigned IP address. The firewall also provides the capability to propagate settings received by the DHCP client interface into a DHCP server operating on the firewall. For more information, see configure an interface as a DHCP client.
    8. Click OK.
  3. Configure static routes for the logical router.
    1. Go to Network > Routing > Logical Routers, then select the variable template from the Template drop-down.
    2. Select the Static IPv4 tab and click Add.
    3. Enter a Name for the static route.
    4. Enter the Destination route and netmask. For example, 192.168.200.0/24.
    5. Select the outgoing interface for packets to use to go to the next hop.
    6. For Next Hop, select ip-address and enter the IP address of your internal gateway. For example, 192.168.100.2.
    7. Enter an Admin Distance for the route to override the default administrative distance set for static routes for this logical router (range is 10 to 240; default is 10).
    8. Enter a Metric for the route (range is 1 to 65,535).
    9. Apply a BFD Profile to the static route so that if the static route fails, the firewall removes the route and uses an alternative route. Default is None.
    10. Click OK.