<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Using Virtual-Wire to isolate and allow/deny traffic to a couple hosts on existing subnet. in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/using-virtual-wire-to-isolate-and-allow-deny-traffic-to-a-couple/m-p/15701#M11487</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;We have a situation as a result of going through a PCI audit. We have a single subnet which contains a handful of servers that need to be isolated and traffic restricted. Originally we were going to move these few servers to a new switch VLAN changing the IP scheme and use the PA to permit/allow traffic between that new VLAN and the existing subnet and internet. Now it looks like it is going to be a pain since there are a lot of changes that will need to be done to these few servers to change the IP. Worse yet is that the vendor is on a service blackout as a result of being purchased by Oracle. So there is no time before our deadline to get assistance from them before we will be fined for not being in compliance.&lt;/P&gt;&lt;P&gt;My thought was to create a virtual wire where traffic would ingress to the PA from the existing LAN-VLAN (Client-Side) and egress on the interface of the virtual wire (Server Side) so I can apply rules to all traffic bound to/from those servers. Seems like it should work in my mind, but wondering if I'm on the right track or if there is a better way to isolate these few hosts to lock them down.&lt;/P&gt;&lt;P&gt;Hopefully this makes sense. I can do a visual if needed.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 16 Apr 2015 22:42:28 GMT</pubDate>
    <dc:creator>Retired Member</dc:creator>
    <dc:date>2015-04-16T22:42:28Z</dc:date>
    <item>
      <title>Using Virtual-Wire to isolate and allow/deny traffic to a couple hosts on existing subnet.</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/using-virtual-wire-to-isolate-and-allow-deny-traffic-to-a-couple/m-p/15701#M11487</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;We have a situation as a result of going through a PCI audit. We have a single subnet which contains a handful of servers that need to be isolated and traffic restricted. Originally we were going to move these few servers to a new switch VLAN changing the IP scheme and use the PA to permit/allow traffic between that new VLAN and the existing subnet and internet. Now it looks like it is going to be a pain since there are a lot of changes that will need to be done to these few servers to change the IP. Worse yet is that the vendor is on a service blackout as a result of being purchased by Oracle. So there is no time before our deadline to get assistance from them before we will be fined for not being in compliance.&lt;/P&gt;&lt;P&gt;My thought was to create a virtual wire where traffic would ingress to the PA from the existing LAN-VLAN (Client-Side) and egress on the interface of the virtual wire (Server Side) so I can apply rules to all traffic bound to/from those servers. Seems like it should work in my mind, but wondering if I'm on the right track or if there is a better way to isolate these few hosts to lock them down.&lt;/P&gt;&lt;P&gt;Hopefully this makes sense. I can do a visual if needed.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 16 Apr 2015 22:42:28 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/using-virtual-wire-to-isolate-and-allow-deny-traffic-to-a-couple/m-p/15701#M11487</guid>
      <dc:creator>Retired Member</dc:creator>
      <dc:date>2015-04-16T22:42:28Z</dc:date>
    </item>
    <item>
      <title>Re: Using Virtual-Wire to isolate and allow/deny traffic to a couple hosts on existing subnet.</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/using-virtual-wire-to-isolate-and-allow-deny-traffic-to-a-couple/m-p/15702#M11488</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You're on the right track - and this would work as described.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The other way to accomplish this would be using L2 mode with vlan-tag re-write.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Either method would allow you to keep the same IP scheme, yet isolate one group of hosts from another.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 16 Apr 2015 22:57:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/using-virtual-wire-to-isolate-and-allow-deny-traffic-to-a-couple/m-p/15702#M11488</guid>
      <dc:creator>jvalentine</dc:creator>
      <dc:date>2015-04-16T22:57:31Z</dc:date>
    </item>
    <item>
      <title>Re: Using Virtual-Wire to isolate and allow/deny traffic to a couple hosts on existing subnet.</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/using-virtual-wire-to-isolate-and-allow-deny-traffic-to-a-couple/m-p/15703#M11489</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thank you! That is what I needed to know. I went with the L2 mode with VLAN re-write. Works just as expected.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Josh&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 30 Apr 2015 22:54:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/using-virtual-wire-to-isolate-and-allow-deny-traffic-to-a-couple/m-p/15703#M11489</guid>
      <dc:creator>Retired Member</dc:creator>
      <dc:date>2015-04-30T22:54:33Z</dc:date>
    </item>
  </channel>
</rss>

