https://live.paloaltonetworks.com/t5/general-topics/internet-and-internal-network-sepration-via-virtual-router/m-p/564704#M114253 <P>Thank you for the reply. I will put my recommendation to not separate them based on every one's reply. If not then I have solution now. I will find a lab online to do some labs.. do you know what is the best way to lab it.. either azure/aws/gcp with PAYG setup or EVN-NG lab .. need to find out the way to get the PA VM and licences for lab purpose.&nbsp;</P> Wed, 08 Nov 2023 02:14:31 GMT gondolf 2023-11-08T02:14:31Z https://live.paloaltonetworks.com/t5/general-topics/internet-and-internal-network-sepration-via-virtual-router/m-p/562850#M114010 <P>Hello,</P> <P>&nbsp;</P> <P>I am new to Palo Alto. I have basic question.&nbsp;</P> <P>&nbsp;</P> <P>Traditional setup I worked on my last project was as below,</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>VRF on cisco router for&nbsp;</P> <P>- Internet -0 bgp</P> <P>- Production - bgp</P> <P>- DMZ&nbsp; - bgp</P> <P>&nbsp;</P> <P>FW connects to all 3 VRF. Route between VRF is via FW.&nbsp; FW harden the access.&nbsp;</P> <P>&nbsp;</P> <P>New project with PA and L2 switch for the same setup.</P> <P>&nbsp;</P> <P>My idea is&nbsp;</P> <P>create 3 x Virtual routers on FW ( Internet, Prod, DMZ)</P> <P>and one policy for all of it.&nbsp;</P> <P>&nbsp;</P> <P>However, what is the best way to route the traffic between VR with all the policy applied?</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 24 Oct 2023 06:52:29 GMT https://live.paloaltonetworks.com/t5/general-topics/internet-and-internal-network-sepration-via-virtual-router/m-p/562850#M114010 gondolf 2023-10-24T06:52:29Z https://live.paloaltonetworks.com/t5/general-topics/internet-and-internal-network-sepration-via-virtual-router/m-p/562991#M114032 <P>Hello,</P> <P>Is there a reason you want to use 3 virtual routers? Its the security policies that determine what traffic can go where. The Virtual router is just that, routing. I'm a fan on keeping it simple and having 3 can get complicated, etc.</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 24 Oct 2023 20:20:11 GMT https://live.paloaltonetworks.com/t5/general-topics/internet-and-internal-network-sepration-via-virtual-router/m-p/562991#M114032 OtakarKlier 2023-10-24T20:20:11Z https://live.paloaltonetworks.com/t5/general-topics/internet-and-internal-network-sepration-via-virtual-router/m-p/563024#M114043 <P>It is the cyber policy so I don't have much say in that one.&nbsp; <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span>&nbsp;</P> Tue, 24 Oct 2023 22:41:24 GMT https://live.paloaltonetworks.com/t5/general-topics/internet-and-internal-network-sepration-via-virtual-router/m-p/563024#M114043 gondolf 2023-10-24T22:41:24Z https://live.paloaltonetworks.com/t5/general-topics/internet-and-internal-network-sepration-via-virtual-router/m-p/563030#M114045 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/322754">@gondolf</a> ,</P> <P>&nbsp;</P> <P>The cyber policy requires 3 VRs on the NGFW or just the router?&nbsp; They are fine on the router.&nbsp; They are generally not needed on the NGFW.&nbsp; Some cyber security analysts think that separate routing tables provide an extra layer of security.&nbsp; The problem is that in order for it to work you have to <EM>route</EM> between the VRs, thus breaking the isolation.</P> <P>&nbsp;</P> <P>Your router is different where an external device routes between VRFs.&nbsp; The NGFW does not require VRs to do so, only 3 separate zones and interfaces.&nbsp; VRs on the NGFW only increases the complexity without increasing the security.</P> <P>&nbsp;</P> <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a> is correct.&nbsp; KISS is not only a good design principle, but an architectural guideline for the Internet.&nbsp; <A href="https://datatracker.ietf.org/doc/html/rfc3439" target="_blank" rel="noopener">https://datatracker.ietf.org/doc/html/rfc3439</A>&nbsp; There is a link in there that says 80% of outages are caused by people or process errors.&nbsp; Complex designs increase those opportunities.</P> <P>&nbsp;</P> <P>If you HAVE to do it on the NGFW:</P> <P>&nbsp;</P> <OL> <LI>Create 3 different VRs.</LI> <LI>Route between them with the next hop pointing to the VR and not an IP or interface.</LI> <LI>The zones and security policy will remain the same whether you have VRs or not.</LI> </OL> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Wed, 25 Oct 2023 01:10:12 GMT https://live.paloaltonetworks.com/t5/general-topics/internet-and-internal-network-sepration-via-virtual-router/m-p/563030#M114045 TomYoung 2023-10-25T01:10:12Z https://live.paloaltonetworks.com/t5/general-topics/internet-and-internal-network-sepration-via-virtual-router/m-p/564704#M114253 <P>Thank you for the reply. I will put my recommendation to not separate them based on every one's reply. If not then I have solution now. I will find a lab online to do some labs.. do you know what is the best way to lab it.. either azure/aws/gcp with PAYG setup or EVN-NG lab .. need to find out the way to get the PA VM and licences for lab purpose.&nbsp;</P> Wed, 08 Nov 2023 02:14:31 GMT https://live.paloaltonetworks.com/t5/general-topics/internet-and-internal-network-sepration-via-virtual-router/m-p/564704#M114253 gondolf 2023-11-08T02:14:31Z