Keep the following in mind while you are configuring
a shared gateway.
The virtual systems in a shared gateway scenario access
the Internet through the shared gateway’s physical interface, using
a single IP address. If the IP addresses of the virtual systems
are not globally routable, configure source NAT to translate those
addresses to globally-routable IP addresses.
A virtual router routes the traffic for all of the virtual
systems through the shared gateway.
The default route for the virtual systems should point to
the shared gateway.
Security policies must be configured for each virtual system
to allow the traffic between the internal zone and external zone,
which is visible to the shared gateway.
A firewall administrator should control the virtual router,
so that no member of a virtual system can affect the traffic of
other virtual systems.
Within a Palo Alto Networks firewall, a packet may hop from
one virtual system to another virtual system or a shared gateway.
A packet may not traverse more than two virtual systems or shared
gateways. For example, a packet cannot go from vsys1 to vsys2 to
vsys3, or similarly from vsys1 to vsys2 to shared gateway1. Both
examples involve more than two virtual systems, which is not permitted.
To save configuration time and effort, consider the following
advantages of a shared gateway:
Rather than configure NAT for multiple virtual systems
associated with a shared gateway, you can configure NAT for the
Rather than configure policy-based routing (PBR) for multiple
virtual systems associated with a shared gateway, you can configure
PBR for the shared gateway.