Palo Alto Networks: Inter-VSYS Routing

Overview

Inter-VSYS routing in PAN-OS lets traffic pass between virtual systems (VSYS) on the same physical firewall without leaving the chassis. It is used where traffic must cross between otherwise isolated virtual firewalls, for example in multi-tenant deployments or segmented network designs, while each VSYS keeps its own zones, virtual router and security rulebase.

Key Concepts

Configuration Steps

  1. Enable VSYS Visibility: In each VSYS, add the other VSYS to its list of visible virtual systems. Configure this in both VSYS, not just the one that originates traffic.
  2. Create External Zones: In each VSYS, create a zone of type External and select the other VSYS as the virtual system it represents. An external zone has no interfaces of its own; it is simply how the other VSYS appears in this VSYS's security policy.
  3. Configure Virtual Routers: Each VSYS uses its own virtual router. In each virtual router, add a static route for the other VSYS's subnets whose next hop is of type Next VR and points at the other VSYS's virtual router. Routes are needed in both virtual routers, or reply traffic has no path back.
  4. Define Security Policies: In the originating VSYS, allow traffic from the internal zone to the external zone; in the receiving VSYS, allow traffic from the external zone to the internal zone. Each VSYS evaluates its own rulebase, so both rules must permit the flow. Keep these rules scoped to the specific sources, destinations and applications: an any/any rule to or from the external zone removes the isolation the VSYS boundary exists to provide.

Mermaid Sequence Diagram: Inter-VSYS Routing Workflow

sequenceDiagram
    participant Admin
    participant VSYS1
    participant VSYS2
    Admin->>VSYS1: Enable visibility to VSYS2
    Admin->>VSYS2: Enable visibility to VSYS1
    Admin->>VSYS1: Create external zone for VSYS2
    Admin->>VSYS2: Create external zone for VSYS1
    Admin->>VSYS1: Configure static route to VSYS2's subnet
    Admin->>VSYS2: Configure static route to VSYS1's subnet
    Admin->>VSYS1: Define security policy to allow traffic to external zone
    Admin->>VSYS2: Define security policy to allow traffic to external zone

Mermaid Sequence Diagram: Inter-VSYS Traffic Flow

sequenceDiagram
    participant C as Client in VSYS1
    participant VSYS1
    participant VSYS2
    participant S as Server in VSYS2
    C->>VSYS1: Send traffic to Server in VSYS2
    VSYS1->>VSYS2: Allow (internal zone -> external zone), route via Next VR
    VSYS2->>S: Allow (external zone -> internal zone), deliver traffic
    S-->>VSYS2: Response
    VSYS2-->>VSYS1: Route response via Next VR back to VSYS1's virtual router
    VSYS1-->>C: Deliver response
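The four configuration steps and the traffic flow above, as an added example that is not part of the original page and is not PAN-OS code: a small Python model of a two-VSYS firewall. It encodes the visible-VSYS setting, the external zones, the Next VR static routes and each VSYS's rulebase as data, then walks a packet from a client in vsys1 to a server in vsys2 and records each decision. It shows that the flow is checked against both rulebases (the originating VSYS with the external zone as destination, the receiving VSYS with the external zone as source) and that it fails when the return route in the second virtual router is missing. All names (vsys1/vsys2, vr1/vr2, the zones trust, servers, ext-vsys1 and ext-vsys2) and all prefixes are assumptions chosen for the example.

```python
# Added example, not PAN-OS code: a toy model of the inter-VSYS data path.
# vsys1/vsys2, vr1/vr2, the zone names and every prefix below are assumptions.
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Security rule: zone pair, source/destination prefixes, action; first match wins.
Rule = namedtuple("Rule", "name from_zone to_zone src dst action")
# Zone kind "layer3" has subnets behind it; kind "external" stands for peer_vsys and has no interface.
Zone = namedtuple("Zone", "name kind subnets peer_vsys", defaults=((), None))
# A vsys owns one virtual router and has visible vsys (step 1), zones (step 2) and rules (step 4).
Vsys = namedtuple("Vsys", "name vr visible zones rules")


def lookup_route(routes, addr):
    """Longest-prefix match over (prefix, kind, target) routes; kind is "connected"
    (target = zone name) or "next-vr" (target = the peer virtual router, step 3)."""
    hits = [(ip_network(p), k, t) for p, k, t in routes if ip_address(addr) in ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)


def zone_for(vsys, addr):
    return next((z for z in vsys.zones if z.kind == "layer3"
                 and any(ip_address(addr) in ip_network(s) for s in z.subnets)), None)


def external_zone(vsys, peer):
    return next((z for z in vsys.zones if z.kind == "external" and z.peer_vsys == peer), None)


def policy(vsys, from_zone, to_zone, src, dst):
    """First matching rule wins; PAN-OS defaults otherwise: intrazone allow, interzone deny."""
    for r in vsys.rules:
        if (r.from_zone, r.to_zone) == (from_zone, to_zone) \
                and ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst):
            return r.action, r.name
    return ("allow", "intrazone-default") if from_zone == to_zone else ("deny", "interzone-default")


def forward(fw, src, dst):
    """Walk one packet through the firewall; returns (verdict, trace of decisions)."""
    vsys_by_vr = {v.vr: v for v in fw["vsys"]}
    src_vsys = next((v for v in fw["vsys"] if zone_for(v, src)), None)
    if src_vsys is None:
        return "drop", ["source address belongs to no vsys"]
    ingress = zone_for(src_vsys, src)
    route = lookup_route(fw["vr"][src_vsys.vr], dst)
    if route is None:
        return "drop", [f"{src_vsys.vr}: no route to {dst}"]
    _, kind, target = route
    trace = [f"{src_vsys.vr}: {dst} via {kind} {target}"]
    if kind == "connected":                      # stays inside one vsys: a single policy lookup
        act, rule = policy(src_vsys, ingress.name, target, src, dst)
        return act, trace + [f"{src_vsys.name}: {ingress.name}->{target} {rule}: {act}"]
    dst_vsys = vsys_by_vr[target]
    ext_out = external_zone(src_vsys, dst_vsys.name)
    if dst_vsys.name not in src_vsys.visible or ext_out is None:
        return "drop", trace + [f"{src_vsys.name}: {dst_vsys.name} not visible or no external zone"]
    # Pass 1: the source vsys sees the flow as its internal zone -> its external zone.
    act, rule = policy(src_vsys, ingress.name, ext_out.name, src, dst)
    trace.append(f"{src_vsys.name}: {ingress.name}->{ext_out.name} {rule}: {act}")
    if act != "allow":
        return "deny", trace
    # Pass 2: the destination vsys sees external zone -> internal zone under its own rulebase.
    ext_in, egress = external_zone(dst_vsys, src_vsys.name), zone_for(dst_vsys, dst)
    if ext_in is None or egress is None:
        return "drop", trace + [f"{dst_vsys.name}: missing external zone or no zone for {dst}"]
    act, rule = policy(dst_vsys, ext_in.name, egress.name, src, dst)
    trace.append(f"{dst_vsys.name}: {ext_in.name}->{egress.name} {rule}: {act}")
    if act != "allow":
        return "deny", trace
    # Replies need a route back through the peer VR (the other half of step 3).
    back = lookup_route(fw["vr"][dst_vsys.vr], src)
    if back is None or back[1:] != ("next-vr", src_vsys.vr):
        return "drop", trace + [f"{dst_vsys.vr}: no return route to {src} via next-vr {src_vsys.vr}"]
    return "allow", trace


def build_firewall(vsys2_allows=True, vr2_return_route=True):
    """Constructed two-tenant config following steps 1-4; the flags leave pieces out."""
    vsys1 = Vsys("vsys1", "vr1", {"vsys2"},
                 [Zone("trust", "layer3", ["10.1.0.0/16"]), Zone("ext-vsys2", "external", peer_vsys="vsys2")],
                 [Rule("to-vsys2", "trust", "ext-vsys2", "10.1.0.0/16", "10.2.20.0/24", "allow")])
    vsys2 = Vsys("vsys2", "vr2", {"vsys1"},
                 [Zone("servers", "layer3", ["10.2.0.0/16"]), Zone("ext-vsys1", "external", peer_vsys="vsys1")],
                 [Rule("from-vsys1", "ext-vsys1", "servers", "10.1.0.0/16", "10.2.20.0/24", "allow")]
                 if vsys2_allows else [])
    vr2 = [("10.2.0.0/16", "connected", "servers")]
    if vr2_return_route:
        vr2.append(("10.1.0.0/16", "next-vr", "vr1"))
    return {"vsys": [vsys1, vsys2],
            "vr": {"vr1": [("10.1.0.0/16", "connected", "trust"), ("10.2.0.0/16", "next-vr", "vr2")],
                   "vr2": vr2}}


if __name__ == "__main__":
    for label, fw in [("complete", build_firewall()), ("vsys2 rule missing", build_firewall(vsys2_allows=False)),
                      ("vr2 return route missing", build_firewall(vr2_return_route=False))]:
        print(label, *forward(fw, "10.1.10.5", "10.2.20.8"))
```

Run directly, it prints three traces: with the complete configuration the flow is allowed after passing both rulebases; with vsys2's rule removed it is denied in the second pass even though vsys1 allowed it; with vr2's return route removed it is dropped. The model treats a missing return route as a hard failure, which is the reason step 3 requires a Next VR route in each virtual router, and it applies PAN-OS's default interzone deny, so a VSYS that has only the outbound rule will not accept traffic arriving from its external zone.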
