Shared Gateway
This topic includes the following information about shared gateways:
External Zones and Shared Gateway
A shared gateway is an interface that multiple virtual systems share in order to communicate over the Internet. Each virtual system requires an External Zone, which acts as an intermediary, for configuring security policies that allow or deny traffic from the virtual system’s internal zone to the shared gateway.
The shared gateway uses a single virtual router to route traffic for all virtual systems. A shared gateway is used in cases when an interface does not need a full administrative boundary around it, or when multiple virtual systems must share a single Internet connection. This second case arises if an ISP provides an organization with only one IP address (interface), but multiple virtual systems need external communication.
Unlike the behavior between virtual systems, security policy and App-ID evaluations are not performed between a virtual system and a shared gateway. That is why using a shared gateway to access the Internet involves less overhead than creating another virtual system to do so.
In the following figure, three customers share a firewall, but there is only one interface accessible to the Internet. Creating another virtual system would add the overhead of App-ID and security policy evaluation for traffic being sent to the interface through the added virtual system. To avoid adding another virtual system, the solution is to configure a shared gateway, as shown in the following diagram.
The shared gateway has one globally-routable IP address used to communicate with the outside world. Interfaces in the virtual systems have IP addresses too, but they can be private, non-routable IP addresses.
You will recall that an administrator must specify whether a virtual system is visible to other virtual systems. Unlike a virtual system, a shared gateway is always visible to all of the virtual systems on the firewall.
A shared gateway ID number appears as sg<ID> on the web interface. It is recommended that you name your shared gateway with a name that includes its ID number.
When you add objects such as zones or interfaces to a shared gateway, the shared gateway appears as an available virtual system in the vsys drop-down menu.
A shared gateway is a limited version of a virtual system; it supports NAT and policy-based forwarding (PBF), but does not support security, DoS policies, QoS, decryption, application override, or captive portal policies.
Networking Considerations for a Shared Gateway
Keep the following in mind while you are configuring a shared gateway.
The virtual systems in a shared gateway scenario access the Internet through the shared gateway’s physical interface, using a single IP address. If the IP addresses of the virtual systems are not globally routable, configure source NAT to translate those addresses to globally-routable IP addresses. A virtual router routes the traffic for all of the virtual systems through the shared gateway. The default route for the virtual systems should point to the shared gateway. Security policies must be configured for each virtual system to allow the traffic between the internal zone and external zone, which is visible to the shared gateway. A firewall administrator should control the virtual router, so that no member of a virtual system can affect the traffic of other virtual systems. Within a Palo Alto Networks firewall, a packet may hop from one virtual system to another virtual system or a shared gateway. A packet may not traverse more than two virtual systems or shared gateways. For example, a packet cannot go from one virtual system to a shared gateway to a second virtual system within the firewall.
To save configuration time and effort, consider the following advantages of a shared gateway:
Rather than configure NAT for multiple virtual systems associated with a shared gateway, you can configure NAT for the shared gateway. Rather than configure policy-based routing (PBR) for multiple virtual systems associated with a shared gateway, you can configure PBR for the shared gateway.

Related Documentation