<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Remote site management to be managed with Panorama? in Panorama Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/panorama-discussions/remote-site-management-to-be-managed-with-panorama/m-p/551879#M1680</link>
    <description>&lt;P&gt;I'm looking at deploying some PAN-440 firewalls and wanted to get some advice as this is one of the first remote sites I've done with Palo.&amp;nbsp; My intention was to build an IPSEC bridge between the remote site and our on-prem firewalls in order to pipe all of the remote site's traffic to us.&amp;nbsp; That would allow us to control internet access and use our on-prem subscriptions for cybersecurity as well as enable the remote site to access our wireless controller, VoIP system, etc.&lt;/P&gt;
&lt;P&gt;Looking at deployment options, it seems like ZTP might be good for this so I'm reading up on that.&lt;/P&gt;
&lt;P&gt;My question: I'm assuming the management that ZTP sets up would NOT go across the IPSEC tunnel and that it would be best practice to leave it that way?&amp;nbsp; Theoretically, if we create firewall policy that only allows the static IPs on each side to communicate with each other then this would allow troubleshooting if the tunnel fails for some reason.&amp;nbsp; I must admit that I'm a little hesitant to create an inbound NAT and security policy pointing to Panorama for security but, again, this could be mitigated by only allowing the remote static IP and it appears to be necessary for ZTP setup.&lt;/P&gt;
&lt;P&gt;Thanks!&lt;/P&gt;</description>
    <pubDate>Mon, 31 Jul 2023 21:16:32 GMT</pubDate>
    <dc:creator>jsalmans</dc:creator>
    <dc:date>2023-07-31T21:16:32Z</dc:date>
    <item>
      <title>Remote site management to be managed with Panorama?</title>
      <link>https://live.paloaltonetworks.com/t5/panorama-discussions/remote-site-management-to-be-managed-with-panorama/m-p/551879#M1680</link>
      <description>&lt;P&gt;I'm looking at deploying some PAN-440 firewalls and wanted to get some advice as this is one of the first remote sites I've done with Palo.&amp;nbsp; My intention was to build an IPSEC bridge between the remote site and our on-prem firewalls in order to pipe all of the remote site's traffic to us.&amp;nbsp; That would allow us to control internet access and use our on-prem subscriptions for cybersecurity as well as enable the remote site to access our wireless controller, VoIP system, etc.&lt;/P&gt;
&lt;P&gt;Looking at deployment options, it seems like ZTP might be good for this so I'm reading up on that.&lt;/P&gt;
&lt;P&gt;My question: I'm assuming the management that ZTP sets up would NOT go across the IPSEC tunnel and that it would be best practice to leave it that way?&amp;nbsp; Theoretically, if we create firewall policy that only allows the static IPs on each side to communicate with each other then this would allow troubleshooting if the tunnel fails for some reason.&amp;nbsp; I must admit that I'm a little hesitant to create an inbound NAT and security policy pointing to Panorama for security but, again, this could be mitigated by only allowing the remote static IP and it appears to be necessary for ZTP setup.&lt;/P&gt;
&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Mon, 31 Jul 2023 21:16:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/panorama-discussions/remote-site-management-to-be-managed-with-panorama/m-p/551879#M1680</guid>
      <dc:creator>jsalmans</dc:creator>
      <dc:date>2023-07-31T21:16:32Z</dc:date>
    </item>
  </channel>
</rss>

