Configure a Shared Gateway
Next-Generation Firewall


Learn how to configure a shared gateway for use with virtual systems.
Where Can I Use This?
  • NGFW (Managed by PAN-OS or Panorama)
What Do I Need?
Perform this task if you need multiple virtual systems to share an interface (a Shared Gateway) to the Internet. This task presumes:
  • You configured an interface with a globally-routable IP address, which will be the shared gateway.
  • You completed the prior task, Configure Virtual Systems. For the interface, you chose the external-facing interface with the globally-routable IP address.
  • When configuring the virtual systems, in the Visible Virtual System field, you checked the boxes of all virtual systems that must communicate with each other, so that they are visible to each other.
Keep the following in mind while you are configuring a shared gateway.
  • The virtual systems in a shared gateway scenario access the Internet through the shared gateway’s physical interface, using a single IP address. If the IP addresses of the virtual systems are not globally routable, configure source NAT to translate those addresses to globally-routable IP addresses.
  • A virtual router routes the traffic for all of the virtual systems through the shared gateway.
  • The default route for the virtual systems should point to the shared gateway.
  • Security policies must be configured for each virtual system to allow the traffic between the internal zone and external zone, which is visible to the shared gateway.
  • A firewall administrator should control the virtual router, so that no member of a virtual system can affect the traffic of other virtual systems.
  • Within a Palo Alto Networks firewall, a packet may hop from one virtual system to another virtual system or a shared gateway. A packet may not traverse more than two virtual systems or shared gateways. For example, a packet cannot go from vsys1 to vsys2 to vsys3, or similarly from vsys1 to vsys2 to shared gateway1. Both examples involve more than two virtual systems, which is not permitted.
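The design rules above can be checked against a planned deployment before anything is committed. The following script is an added example, not Palo Alto Networks code and not a PAN-OS API: the VirtualSystem data model, its field names, the shared gateway name "sg1" and the sample subnets are all constructed for illustration. "Globally routable" is approximated with Python's `ipaddress` `is_global` test, and the two-hop limit on virtual systems and shared gateways is modelled as a constant.

```python
"""Audit a planned shared-gateway deployment against the design rules above.

Added example, not Palo Alto Networks code: the VirtualSystem data model and
all sample values are constructed for illustration and do not reflect a
PAN-OS API. "Globally routable" is approximated with ipaddress.is_global.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# A packet may not traverse more than two virtual systems or shared gateways.
MAX_VSYS_HOPS = 2


@dataclass
class VirtualSystem:
    name: str
    internal_subnets: List[str]        # address space behind the internal zone
    default_route_next_hop: str        # vsys or shared gateway the default route points to
    source_nat_configured: bool        # source NAT to the shared gateway's address
    policy_internal_to_external: bool  # security policy internal zone -> external zone


def needs_source_nat(vsys: VirtualSystem) -> bool:
    """True if any internal subnet is not globally routable (RFC 1918 etc.)."""
    return any(
        not ipaddress.ip_network(subnet, strict=False).is_global
        for subnet in vsys.internal_subnets
    )


def audit_vsys(vsys: VirtualSystem, shared_gateway: str) -> List[str]:
    """Return one finding per design rule the vsys configuration violates."""
    findings = []
    if needs_source_nat(vsys) and not vsys.source_nat_configured:
        findings.append(
            f"{vsys.name}: internal addresses are not globally routable, "
            f"but no source NAT is configured on {shared_gateway}"
        )
    if vsys.default_route_next_hop != shared_gateway:
        findings.append(
            f"{vsys.name}: default route points to "
            f"{vsys.default_route_next_hop}, expected {shared_gateway}"
        )
    if not vsys.policy_internal_to_external:
        findings.append(
            f"{vsys.name}: no security policy allows internal zone -> external zone"
        )
    return findings


def path_allowed(path: List[str]) -> bool:
    """Each element is a vsys or shared gateway the packet traverses.
    vsys1 -> sg1 is allowed; vsys1 -> vsys2 -> sg1 is not."""
    return 0 < len(path) <= MAX_VSYS_HOPS


def audit_plan(systems: List[VirtualSystem], shared_gateway: str) -> Dict[str, List[str]]:
    """Audit every vsys; maps vsys name to its findings (empty list = clean)."""
    return {v.name: audit_vsys(v, shared_gateway) for v in systems}


# Constructed sample plan: vsys1 follows every rule, vsys2 breaks three of them.
SAMPLE_PLAN = [
    VirtualSystem("vsys1", ["10.1.0.0/16"], "sg1", True, True),
    VirtualSystem("vsys2", ["192.168.20.0/24"], "vr-vsys2", False, False),
]

if __name__ == "__main__":
    for name, findings in audit_plan(SAMPLE_PLAN, "sg1").items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
    print("vsys1 -> sg1 allowed:", path_allowed(["vsys1", "sg1"]))
    print("vsys1 -> vsys2 -> sg1 allowed:", path_allowed(["vsys1", "vsys2", "sg1"]))
```

Running the script lists, per virtual system, which of the rules above a planned configuration would violate; in the constructed sample, vsys2 is reported for missing source NAT, a default route that does not point to the shared gateway, and a missing internal-to-external security policy.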
To save configuration time and effort, consider the following advantages of a shared gateway:
  • Rather than configure NAT for multiple virtual systems associated with a shared gateway, you can configure NAT for the shared gateway.
  • Rather than configure policy-based routing (PBR) for multiple virtual systems associated with a shared gateway, you can configure PBR for the shared gateway.
  1. Configure a Shared Gateway.
    1. Select Device > Shared Gateway, click Add and enter an ID.
    2. Enter a helpful Name, preferably including the ID of the gateway.
    3. In the DNS Proxy field, select a DNS proxy object if you want to apply DNS proxy rules to the interface.
    4. Add an Interface that connects to the outside world.
    5. Click OK.
  2. Configure the zone for the shared gateway.
    When adding objects such as zones or interfaces to a shared gateway, the shared gateway itself will be listed as an available vsys in the VSYS menu.
    1. Select Network > Zones and Add a new zone by Name.
    2. For Location, select the shared gateway for which you are creating a zone.
    3. For Type, select Layer3.
    4. (Optional) Select a Zone Protection Profile (or configure one later) that provides flood, reconnaissance, or packet-based attack protection.
    5. (Optional) In Log Setting, select a log forwarding profile for forwarding zone protection logs to an external system.
    6. (Optional) Select Enable User Identification to enable User-ID for the shared gateway.
    7. Click OK.
  3. Commit your changes.
    Click Commit.