<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: PAN Microsegmentation of DMZ in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/pan-microsegmentation-of-dmz/m-p/457106#M101792</link>
    <description>&lt;P&gt;Thank you. That's how I thought it would work. I appreciate the confirmation.&lt;/P&gt;</description>
    <pubDate>Wed, 05 Jan 2022 22:08:37 GMT</pubDate>
    <dc:creator>palomed</dc:creator>
    <dc:date>2022-01-05T22:08:37Z</dc:date>
    <item>
      <title>PAN Microsegmentation of DMZ</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/pan-microsegmentation-of-dmz/m-p/457092#M101790</link>
      <description>&lt;P&gt;I am spinning up a new DMZ and wonder if there was some means of restricting traffic between hosts on the DMZ using the PAN.&amp;nbsp;&lt;BR /&gt;I have a Cisco Nexus switch and the hosts are VMs in Cisco UCS. Thank you.&lt;/P&gt;</description>
      <pubDate>Wed, 05 Jan 2022 21:38:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/pan-microsegmentation-of-dmz/m-p/457092#M101790</guid>
      <dc:creator>palomed</dc:creator>
      <dc:date>2022-01-05T21:38:38Z</dc:date>
    </item>
    <item>
      <title>Re: PAN Microsegmentation of DMZ</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/pan-microsegmentation-of-dmz/m-p/457102#M101791</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;This is somewhat limited due to architecture. The VMs live on 'dumb' layer 2 virtual switches, so even if the VLAN gateway was the PAN, two VMs on the same host could talk to each other since they are on the same VLAN on the same switch. I hope this makes sense. There are more complicated ways of doing this, i.e. one server per VLAN (ouch), using GlobalProtect with always-on so it forces all the traffic to go through the PAN, or some other software-defined networking solution. I tend to group servers based on function/criticality, so it's OK for two or more servers to live in the same VLAN as long as they are locked down locally. You can also use the local firewalls of the servers to block traffic between them.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;It's not a one-size-fits-all architecture. The larger it is, the more one solution is feasible over others.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Hope that makes sense.&lt;/P&gt;</description>
      <pubDate>Wed, 05 Jan 2022 22:03:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/pan-microsegmentation-of-dmz/m-p/457102#M101791</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2022-01-05T22:03:32Z</dc:date>
    </item>
    <item>
      <title>Re: PAN Microsegmentation of DMZ</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/pan-microsegmentation-of-dmz/m-p/457106#M101792</link>
      <description>&lt;P&gt;Thank you. That's how I thought it would work. I appreciate the confirmation.&lt;/P&gt;</description>
      <pubDate>Wed, 05 Jan 2022 22:08:37 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/pan-microsegmentation-of-dmz/m-p/457106#M101792</guid>
      <dc:creator>palomed</dc:creator>
      <dc:date>2022-01-05T22:08:37Z</dc:date>
    </item>
  </channel>
</rss>

