Deploy the Pan-redirector Agent
Steps to deploy the pan-redirector agent.
Where Can I Use This? | What Do I Need?
  • Prisma AIRS
  • Private and public cloud platforms, including ESXi, KVM, Nutanix, AWS, Azure, and GCP.
The following are the steps to deploy the pan-redirector agent:
  1. Install the panredirect agent.
    1. Download the panredirect installer package from the Customer Support Portal (CSP).
    2. Install the panredirect package by providing the executable permissions for the package.
  2. Verify the panredirect agent is installed.
    1. Execute the command panredirect version to verify the version of the pan-redirector agent installed.
      [root@rhel9 ~]# panredirect version
      panredirect 0.9.0-3
  3. Set the firewall destination IP.
    1. Configure the firewall IP by executing the following command.
      panredirect configure --fwip <ip address of the firewall>
      For example:
      panredirect configure --fwip 192.0.2.10
    2. If you are using a load balancer or a network load balancer in Azure, use the firewall subnet option as well, because the internal load balancer (ILB) IP is different from the firewall IP. For example, if the load balancer front-end IP is 10.0.3.4, the firewalls in the backend pool are on the 10.0.4.0/24 subnet, and the firewalls perform direct return from that subnet, then configure:
      sudo panredirect configure --fwip 10.0.3.4 --fwsubnet 10.0.3.0/24
      Verify that the firewall's configured IP address can be accessed by the client.
      Enabling panredirect on the management interface may result in losing SSH connections. To avoid this situation:
      • Use the exception IP:
        panredirect configure [-h] --fwip FWIP [--exception MGMT_IP]
        Or
      • Steering rules:
        panredirect rule insert [-h] --index INDEX --interface INTERFACE --proto PROTO [--remoteip REMOTEIP] [--remoteport REMOTEPORT] [--localip LOCALIP][--localport LOCALPORT] --action {pass,redirect}
        Insert a redirect rule at the specified position.
        options:
          -h, --help                  show this help message and exit
          --index INDEX               Index to insert the rule
          --interface INTERFACE       Interface name
          --proto PROTO               IP protocol (tcp, udp, hex number or 'any')
          --remoteip REMOTEIP         Source CIDR or 'any'
          --remoteport REMOTEPORT     Source port (TCP/UDP only)
          --localip LOCALIP           Destination CIDR or 'any'
          --localport LOCALPORT       Destination port (TCP/UDP only)
          --action {pass,redirect}    pass traffic directly to the system or redirect to firewall
        To list the current rules:
        panredirect rule list
        To append a rule at the end of the list:
        panredirect rule append [-h] --interface INTERFACE --proto PROTO [--remoteip REMOTEIP] [--remoteport REMOTEPORT] [--localip LOCALIP] [--localport LOCALPORT] --action {pass,redirect}
        options:
          -h, --help                  show this help message and exit
          --interface INTERFACE       Interface name
          --proto PROTO               IP protocol (tcp, udp or hex number)
          --remoteip REMOTEIP         Source CIDR or 'any'
          --remoteport REMOTEPORT     Source port (TCP/UDP only)
          --localip LOCALIP           Destination CIDR or 'any'
          --localport LOCALPORT       Destination port (TCP/UDP only)
          --action {pass,redirect}    pass traffic directly to the system or redirect to firewall
      • Observe that a logical interface named pangnv0 is created for the purpose of Geneve encapsulation.
      • Geneve encapsulation reduces the effective Maximum Transmission Unit (MTU). For instance, if Docker is using bridge networking with an MTU of 1500, containers can lose connectivity while redirection is active. In such cases, reduce the bridge MTU to 1440.
      • TCP segmentation offload (TSO), generic segmentation offload (GSO), generic receive offload (GRO) and large receive offload (LRO) are also turned off on the redirected interface, as the ethtool output shows:
      [root@rhel9 ~]# ethtool -k ens256
      Features for ens256:
      rx-checksumming: on
      tx-checksumming: on
          tx-checksum-ipv4: on
          tx-checksum-ip-generic: off [fixed]
          tx-checksum-ipv6: on
          tx-checksum-fcoe-crc: off [fixed]
          tx-checksum-sctp: on
      scatter-gather: on
          tx-scatter-gather: on
          tx-scatter-gather-fraglist: off [fixed]
      tcp-segmentation-offload: off
          tx-tcp-segmentation: off
          tx-tcp-ecn-segmentation: off
          tx-tcp-mangleid-segmentation: off
          tx-tcp6-segmentation: off
      generic-segmentation-offload: off
      generic-receive-offload: off
      large-receive-offload: off [fixed]
      rx-vlan-offload: on
      tx-vlan-offload: on
      ntuple-filters: off [fixed]
      receive-hashing: on
      highdma: on
      rx-vlan-filter: on [fixed]
      vlan-challenged: off [fixed]
      tx-lockless: off [fixed]
      netns-local: off [fixed]
      tx-gso-robust: off [fixed]
      tx-fcoe-segmentation: off [fixed]
      tx-gre-segmentation: off [fixed]
      tx-gre-csum-segmentation: off [fixed]
      tx-ipxip4-segmentation: off [fixed]
      tx-ipxip6-segmentation: off [fixed]
      tx-udp_tnl-segmentation: off [fixed]
      tx-udp_tnl-csum-segmentation: off [fixed]
      tx-gso-partial: off [fixed]
      tx-tunnel-remcsum-segmentation: off [fixed]
      tx-sctp-segmentation: off [fixed]
      tx-esp-segmentation: off [fixed]
      tx-udp-segmentation: off [fixed]
      tx-gso-list: off [fixed]
      fcoe-mtu: off [fixed]
      tx-nocache-copy: off
      loopback: off [fixed]
      rx-fcs: off [fixed]
      rx-all: off [fixed]
      tx-vlan-stag-hw-insert: off [fixed]
      rx-vlan-stag-hw-parse: off [fixed]
      rx-vlan-stag-filter: off [fixed]
      l2-fwd-offload: off [fixed]
      hw-tc-offload: off [fixed]
      esp-hw-offload: off [fixed]
      esp-tx-csum-hw-offload: off [fixed]
      rx-udp_tunnel-port-offload: off [fixed]
      tls-hw-tx-offload: off [fixed]
      tls-hw-rx-offload: off [fixed]
      rx-gro-hw: off [fixed]
      tls-hw-record: off [fixed]
      rx-gro-list: off
      macsec-hw-offload: off [fixed]
      rx-udp-gro-forwarding: off
      hsr-tag-ins-offload: off [fixed]
      hsr-tag-rm-offload: off [fixed]
      hsr-fwd-offload: off [fixed]
      hsr-dup-offload: off [fixed]
    3. Enable the interface intended for traffic redirection.
      Execute the following command to enable traffic redirection on the interface:
      panredirect enable <interface>
      [root@rhel9 ~]# panredirect enable ens256
      2026-02-23 22:46:28,590 - INFO - Enabled redirection on ens256
      [root@rhel9 ~]# panredirect status
      IF      FW_IP          VNI    IF_MAC             ACT
      ens224  192.168.101.1  48813  00:50:56:95:f2:6e  yes
      [root@rhel9 ~]# panredirect health_check
      OK
      [root@rhel9 ~]# panredirect rule list
      ifname  idx  proto  remoteip  rport  localip  lport  action
      ens224  0    any    any       any    any      any    redirect
      [root@rhel9 ~]# ip a
      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
          link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
          inet 127.0.0.1/8 scope host lo
             valid_lft forever preferred_lft forever
          inet6 ::1/128 scope host
             valid_lft forever preferred_lft forever
      2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
          link/ether 00:50:56:95:94:53 brd ff:ff:ff:ff:ff:ff
          altname enp11s0
          inet 10.6.250.61/22 brd 10.6.251.255 scope global noprefixroute ens192
             valid_lft forever preferred_lft forever
          inet6 2620:130:800a:2110:250:56ff:fe95:9453/64 scope global dynamic noprefixroute
             valid_lft 2591843sec preferred_lft 604643sec
          inet6 fe80::250:56ff:fe95:9453/64 scope link noprefixroute
             valid_lft forever preferred_lft forever
      3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
          link/ether 00:50:56:95:f2:6e brd ff:ff:ff:ff:ff:ff
          altname enp19s0
          inet 192.168.101.5/24 brd 192.168.101.255 scope global noprefixroute ens224
             valid_lft forever preferred_lft forever
          inet6 fe80::250:56ff:fe95:f26e/64 scope link noprefixroute
             valid_lft forever preferred_lft forever
      4: ens256: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
          link/ether 00:50:56:95:17:dd brd ff:ff:ff:ff:ff:ff
          altname enp27s0
      5: pangnv0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 qdisc noqueue state UNKNOWN group default qlen 1000
          link/ether de:88:0a:f4:3e:9a brd ff:ff:ff:ff:ff:ff
          inet6 fe80::dc88:aff:fef4:3e9a/64 scope link
             valid_lft forever preferred_lft forever
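The steps above leave two things for the operator to get right before and after enabling redirection: the management session must be excluded (via `--exception` or a `pass` rule ahead of the catch-all `redirect` rule), and any Docker or other bridge must fit inside the 1440-byte tunnel MTU. The following POSIX shell script is an added example, not part of the Palo Alto Networks documentation or of the panredirect tool. It derives the management IP from the SSH session, builds the configure command line, and checks the captured `panredirect rule list` and `ip a` output for those two conditions. The sample outputs are constructed from the values shown on this page (plus a constructed `pass` rule, a `docker0` bridge and a `br-ai0` bridge); the assumption that rules are matched in index order with the first match winning, and that only `docker0` and `br-*` bridges need the MTU check, are the script's own.

```shell
#!/bin/sh
# Added example: pre- and post-deployment checks for a panredirect host.
# Not part of the Palo Alto Networks documentation or the panredirect tool.
# It only parses the output of the commands shown on the page.

# --- Constructed sample outputs ------------------------------------------

# `panredirect rule list` exactly as shown on the page (catch-all only).
SAMPLE_RULES_PAGE='ifname idx proto remoteip rport localip lport action
ens224 0 any any any any any redirect'

# Same list with a constructed management-protection rule inserted at index 0.
SAMPLE_RULES_PROTECTED='ifname idx proto remoteip rport localip lport action
ens224 0 tcp any any 192.168.101.5/32 22 pass
ens224 1 any any any any any redirect'

# Trimmed `ip a` output: the redirected NIC, the Geneve tunnel interface,
# a Docker bridge still at 1500 and a constructed bridge already set to 1440.
SAMPLE_IP_A='3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
5: pangnv0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 qdisc noqueue state UNKNOWN group default qlen 1000
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
7: br-ai0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 qdisc noqueue state UP group default'

# --- Helpers ----------------------------------------------------------------

# mgmt_ip_from_ssh "client_ip client_port server_ip server_port"
# sshd sets SSH_CONNECTION to that 4-tuple; field 3 is the address the admin
# session terminates on, i.e. the one --exception must keep out of redirection.
mgmt_ip_from_ssh() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# configure_cmd FWIP [MGMT_IP] -> prints the configure command line to run
configure_cmd() {
    if [ -n "$2" ]; then
        printf 'panredirect configure --fwip %s --exception %s\n' "$1" "$2"
    else
        printf 'panredirect configure --fwip %s\n' "$1"
    fi
}

# link_mtu IFNAME "ip a output" -> MTU of IFNAME, or nothing if the link is absent
link_mtu() {
    printf '%s\n' "$2" | awk -v ifn="$1" '
        $2 == (ifn ":") { for (i = 1; i <= NF; i++) if ($i == "mtu") { print $(i + 1); exit } }'
}

# mtu_fits TUNNEL_IF INNER_IF "ip a output"
# Succeeds when INNER_IF's MTU does not exceed the tunnel MTU, so frames from
# that bridge survive Geneve encapsulation without being dropped or fragmented.
mtu_fits() {
    t=$(link_mtu "$1" "$3")
    i=$(link_mtu "$2" "$3")
    [ -n "$t" ] && [ -n "$i" ] && [ "$i" -le "$t" ]
}

# oversized_bridges TUNNEL_IF "ip a output"
# Lists docker0 and br-* links whose MTU is larger than the tunnel MTU
# (assumption: those are the bridge names worth checking on this host).
oversized_bridges() {
    t=$(link_mtu "$1" "$2")
    printf '%s\n' "$2" | awk -v t="$t" '
        $2 ~ /^(docker0|br-)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "mtu" && $(i + 1) + 0 > t + 0) print substr($2, 1, length($2) - 1)
        }'
}

# ssh_action IFNAME "rule list output"
# Action of the first rule on IFNAME that covers inbound TCP/22.
# Assumption: rules are evaluated in index order and the first match wins;
# CIDR matching is not implemented, only proto and local port are compared.
ssh_action() {
    printf '%s\n' "$2" | awk -v ifn="$1" '
        NR > 1 && $1 == ifn && ($3 == "any" || $3 == "tcp") && ($7 == "any" || $7 == "22") { print $8; exit }'
}

# --- Demo run over the constructed samples ----------------------------------
main() {
    mgmt=$(mgmt_ip_from_ssh "${SSH_CONNECTION:-}")
    echo "Configure with: $(configure_cmd 192.0.2.10 "$mgmt")"   # 192.0.2.10 is the page's example firewall IP
    echo "SSH on ens224 with the page's rule list -> $(ssh_action ens224 "$SAMPLE_RULES_PAGE")"
    echo "SSH on ens224 with a pass rule ahead    -> $(ssh_action ens224 "$SAMPLE_RULES_PROTECTED")"
    echo "Bridges that must be lowered to MTU $(link_mtu pangnv0 "$SAMPLE_IP_A"): $(oversized_bridges pangnv0 "$SAMPLE_IP_A")"
}
main
```

Run it from the SSH session that will administer the host, so that `SSH_CONNECTION` is populated; with the page's own rule list the SSH check reports `redirect`, which is the condition that costs you the session once `panredirect enable` runs on the management interface.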