>
    Configure Traffic Flow Towards CN-Series HSF
    Focus
    Download PDF
    Focus
    1. Home
    2. CN-Series
    3. CN-Series HSF
    4. Configure Traffic Flow Towards CN-Series HSF
    Download PDF
    CN-Series

    Configure Traffic Flow Towards CN-Series HSF

    Table of Contents

    Configure Traffic Flow Towards CN-Series HSF

    Where Can I Use This?
    What Do I Need?
    • CN-Series HSF Firewall deployment
    • CN-Series 11.0.x or above Container Images
    • Panorama
       running PAN-OS 11.0.x or above version
    The upstream/downstream router uses flow-based ECMP algorithm. When traffic reaches CN-GW, it will distribute the traffic to one of the available CN-NGFWs through the Traffic Interconnect (TI) link using symmetric hash algorithm. Traffic matching a session from both directions (client to server and server to client) will always go through the same CN-NGFW. Once the CN-NGFW process the traffic, and if you have set a policy to
    Allow
     traffic, the traffic packet will be sent back to the CN-GW to reach the server.
    1. Create a Logical Router on the firewall to participate in Layer 3 routing.
      1. Go to
        Network
        Routing
        Logical Router
         then select the variable template from the
        Template
         drop-down.
      2. Select a default virtual router or add a
        Name
         for the new logical router.
      3. Select
        General
        , then add an already defined
        Interface
        .
        Repeat this step for adding all interfaces you want to add to the logical router.
        The ethernetX/1 and etehrnetX/2 interfaces are reserved for CI and TI links respectively. Select an interface between
        ethernet1/3
         and
        ethernet1/14
        .
      4. Click
        OK
        .
      5. Set Administrative Distance for static routing. Range is 10 to 240; default is 10.
        Set Administrative Distances for types of routes as required for your network. When the virtual router has two or more different routes to the same destination, it uses administrative distance to choose the best path from different routing protocols and static routes by preferring a lower distance.
      6. Enable ECMP to leverage multiple equal-cost paths for forwarding.
      7. Click
        OK
        .
    2. Configure the Layer 3 interface to enable traffic flow.
      When you Prepare Panorama for CN-Series HSF Deployment, you might have created a variable Template. To enable traffic flow through the cluster network, you must configure the variable template with necessary network and traffic configuration needed for load balancing the CN-Series HSF. You must configure the Layer 3 Ethernet interface with IPv4 addresses so that the firewall can perform routing on these interfaces. You would typically use the following procedure to configure an external interface that connects to the internet and an interface for your internal network.
      You can configure this template before or after deploying the CN-Series HSF.
      Ensure to not overlap the configuration of this template with the
      K8S-CNF-Clustering-Readonly
       template created automatically during the Kubernetes plugin installation.
      1. Go to
        Network
        Interfaces
        , then select the variable template from the
        Template
         drop-down.
      2. Select
        Ethernet
         interface to
        Add Interface
        .
      3. Select a
        Slot
         between 1 and 30.
      4. Enter an
        Interface Name
         between
        ethernet1/3
         and
        ethernet1/14
        .
      5. For
        Interface Type
        , select
        Layer 3
        .
      6. On the
        Config
         tab:
        • For
          Logical Router
          , select the logical router you are configured in Step 1.
        • For
          Virtual System
          , select the virtual system you are configuring if on a multi-virtual system firewall.
        • For
          Security Zone
          , select the zone to which the interface belongs or create a
          New Zone
          .
      7. On the
        IPv4
         tab, select
        DHCP Client
        .
        The firewall interface acts as a DHCP client and receives a dynamically assigned IP address. The firewall also provides the capability to propagate settings received by the DHCP client interface into a DHCP server operating on the firewall. For more information, see configure an interface as a DHCP client.
      8. Click
        OK
        .
    3. Configure static routes for the logical router.
      1. Go to
        Network
        Routing
        Logical Router
        , then select the variable template from the
        Template
         drop-down.
      2. Select the
        Static
        IPv4
         tab and click
        Add
        .
      3. Enter a
        Name
         for the static route.
      4. Enter the
        Destination
         route and netmask. For example, 192.168.200.0/24.
      5. Select the outgoing interface for packets to use to go to the next hop.
      6. For
        Next Hop
        , select
        ip-address
         and enter the IP address of your internal gateway. For example, 192.168.100.2.
      7. Enter an
        Admin Distance
         for the route to override the default administrative distance set for static routes for this logical router (range is 10 to 240; default is 10).
      8. Enter a
        Metric
         for the route (range is 1 to 65,535).
      9. Apply a
        BFD Profile
         to the static route so that if the static route fails, the firewall removes the route and uses an alternative route. Default is
        None
        .
      10. Click
        OK
        .

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.