topic Re: Help With Configure PA-220 in General Topics

Help With Configure PA-220

PranamShah — Wed, 09 Mar 2022 20:59:27 GMT

I am trying to build firewall from scratch. Our use case is to secure 3 servers with separate DSP connected to PA-220. We do not have any managed switch or router between ISP to firewall. It is direct from modem to firewall.

Can anyone help with this? Palo Alto's documentation isnt helpful as I am not network guru.

Re: Help With Configure PA-220

kiwi — Thu, 10 Mar 2022 09:12:33 GMT

Hi @PranamShah ,

That a broad request. I'd recommend checking out some of the getting started guides. You'll find plenty of those on our LIVEcommunity YouTube channel over a variety of different topics.

There's also the getting started documentation DOC which provides detailed steps to help you deploy a new Palo Alto Networks next-generation firewall.

These should definitely help to get you started.

Cheers,

-Kiwi.

Re: Help With Configure PA-220

PranamShah — Thu, 10 Mar 2022 14:19:21 GMT

Thanks Kiwi.

Do you know if my use case as below is Valid?

3 servers
ISP (Modem) to PA-220 directly
No router or switch

Do I need to have Switch (L3) / Router (L3) between my servers and PA-220 or can I directly plug in Servers to PA-220?

Re: Help With Configure PA-220

Adrian_Jensen — Thu, 10 Mar 2022 16:17:11 GMT

A switch would be L2, not L3. You can connect the servers directly to the PA-220, but you will need to decide if each port will be its own network (L3 routing thru the PaloAlto between servers), or if you will try to bridge all 3 server ports together into a single L2 network. See this for bridging L2 ports:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRqCAK

Re: Help With Configure PA-220

PranamShah — Fri, 11 Mar 2022 00:48:57 GMT

Thanks Adrian.

L2 switch is an unmanaged switch isn't it? Managed switch would be L3?

So basically I can not connect Server/VM Hosts directly to one one of 8 available interfaces on PA-220? Do I have to have a switch? And if yes, will unmanaged switch work or do I have to buy a managed switch?

Also for the internet to PA-220, can I connect ISP Modem directly to PA-220 and configure public IP on either management port or one of the interfaces?

Something like below is what I want to achieve. Is it viable?

Sorry to ask some basics but I am a bit new to this.

Re: Help With Configure PA-220

TomYoung — Fri, 11 Mar 2022 01:11:36 GMT

Hi @PranamShah ,

Yes, it is viable.

You can connect the ISP directly to the PA-220.
You can connect your servers directly to the PA-220.
Set the ISP interface to L3 in a L3 untrust zone with the public IP.
Set your server interfaces to L2 in a L2 zone. Put them in the same VLAN.
Create a L3 VLAN interface tied to the L2 VLAN in a L3 trust zone.
Create default route to ISP.
Create DIPP NAT rule to outside interface IP from trust zone to untrust zone.
Create security policy rule to allow traffic from trust zone to untrust zone.

Thanks,

Tom

Re: Help With Configure PA-220

Adrian_Jensen — Fri, 11 Mar 2022 17:17:53 GMT

@PranamShah wrote:
L2 switch is an unmanaged switch isn't it? Managed switch would be L3

No... A switch is always an L2 device, a device that receives packets in one port and sends packets out to other ports based on destination MAC address. It works on layer 2, the packet MAC hardware destination address. (OK... this gets a bit complicated as there are L2/L3+ switches, but for the definition of "switch", it is always a layer 2 device). An unmanaged switch is just that, a collection of ports that just pass packets based on MAC destination. A managed switch allows you to segment the switch into different layer 2 domains (VLANs), acting as multiple switches in one. (ports 1-4 are one VLAN, ports 5-6 are a different VLAN, etc., packets from 1-4 don't pass to ports 5-6).

A L3 device works on layer 3 - the IP address. It receives packets on one port (this is typically the gateway IP of the network) and routes them to other ports/networks based on the destination IP address. Hence an L3 device is a router.

The PaloAlto ports can be configured as L3 router ports (the default) or as L2 switch ports (done by creating a VLAN to route L3 on and assigning it to multiple ports).