Palo Alto Networks : Firewall Loopback interfaces

In a dual-homed network infrastructure, loopback interfaces are a very valuable configuration option on Palo Alto firewalls. Cisco folk may be more familiar with the use of loopback interfaces, so this article gives a very quick look at some of the uses of a loopback interface in a Palo Alto firewall deployment. The most usedul scenario for explaining the use of loopback interfaces is either a ng routing setup, or a standard dual-homed implementation. We’ll explore the latter.

In a dual homed implementation, a network has two or more WAN links to two different POPs (point of presence) of an ISP, or separate ISPs. Normally, each WAN link will have a small subnet (eg. a /30) containing a “point to point” link whose only members are the firewall and the ISP router peer. This is common in whichever routing protocol is used between client and ISP, even if simple static routes are used. The customer is also normally given a subnet or public IPs which are available for their use. So a typical hypothetical setup would look something like this:

Selection_086The firewall has two interfaces: 192.168.1.2 and 192.168.1.2, and an assigned public IP range of 1.1.1.0/24. We’re already seen in previous blog posts (here) how to advertise the public IP range via BGP to only one ISP peer, and only advertise to the backup peer should the primary peer become unavailable. The next step is to setup the various firewall functions to support this setup with minimal configuration. The “typical” configuration of a palo alto firewall would involve an administrator binding several configuration items to a physical interface. For example, a NAT policy is normally set with an original destination interface being a physical interface and IP address. This sort of configuration does not scale well in the above scenario. An admin would have to have two NAT rules, one covering traffic coming in on the primary link, and another covering traffic coming in on the secondary link.

This is where loopback interfaces come in handy. Loopback interface are not bound to any fixed physical interface.. on other words they “float” across any available interface. So an administrator needs to first define a loopback interface and assign to it an IP address. From this point on, the administrator is free to define configuration such as NAT policies on the loopback interface rather than the physical interface. Since the loopback interface “floats”, it does not matter which WAN interface is active at the time, the NAT policy will still apply. Obviously, NAT policies are not the only scenario when this is handy. A few scenarios we’re used loopback interfaces for:

  • NAT policies
  • Security Policies
  • VPN Gateways
  • Management IPs
  • BGP peer IPs (and other routing protocols)

In the case of a failover, the palo alto configuration does not change since all the above are configured on loopback interfaces. So long as the traffic has some physical path to the firewall, it will hit the loopback interface and be processed according to configured policies.