topic Re: PA 440 MGMT Interface and Regular Interface in General Topics

PA 440 MGMT Interface and Regular Interface

networkingnoobie — Sat, 13 Jan 2024 21:24:45 GMT

Good afternoon all,

I am very new to this field and I wanted to acquire some knowledge or perhaps a better explaination. Looking at all of these videos online I think some basic fundamentals are missing in terms of real world scenarios; and not so much made up topologies.

SO, I am looking at my home network as a real world example.

The PA-440 was gifted to me and I want to see if the following is possible:

1. MGT Interface > If I choose to have this interface on its own subnet (/27) 192.168.90.1/27 in my switch (layer 3) i would imagine I would need to have a ip route to know this interface is alive and i'm able to manage my firewall.

2. Gig ports 1/1 and 1/2 on the PA440

Gig 1/1 >> this will be my internet port as in directly from my router which has been placed in bridge mode and I have set the G 1/1 Interface to DHCP (under IPv4)

Gig 1/2 >> this will have a little more work; as I have been reading I can create sub interface such as

Gig 1/2.1 >> I'm assigning 192.168.50.1/27 - >tagged 50

Gig 1/2.2 >> I'm assigning 192.168.60.1/27 - tagged 60

Gig 1/2.3 >> I'm assigning 192.168.70.1/27 - tagged 70

DHCP is configured to distrubute each /27 and the subinterfaces are selected.

Keep in mind 1/2 will be terminated to a trunk on my switch with 3 VLANS, 50,60,70

I'm having a hard time understanding how the Management interface will operate from my switch

I'm having a hard configuring the Virtual Router

I''m having a hard time understanding how the security / NAT will work.

Any insight would be great; I know its a lot to ask.

Re: PA 440 MGMT Interface and Regular Interface

seb_rupik — Sat, 13 Jan 2024 23:13:00 GMT

Hi there,

Your management interface would typically be connected via an edge (access) port on your switch. Assuming your switch is Layer3 capable then you would assign an SVI to this management VLAN. I will assume on your VLAN one must be an 'inside/ trust' type. So on your switch you would configure another SVI, this would allow traffic in the trusted zone to be routed towards your management interface.

The other VLAN, lets guess are something like DMZ and wireless. Both of these will be switched on your switch but not routed. The firewall will be configured with routed sub-interfaces, this way the firewall will be the gateway for those subnets and will be able to control all inter-vlan flows.

I would not worry about additional Virtual Routers at this early stage.

Your security zones will probably have a 1:1 mapping to your VLANs: inside, DMZ, wifi and WAN. The Security policy which you define will secure inter-zone flows, ie traffic moving from one VLAN (zone) to another. Lets say for example wifi can initiate communication with WAN and DMZ but not trust. DMZ can only initiate communication with WAN, but all the other zones can talk to it...etc,

Regarding NAT, I would imagine you would only need to configure translation on your WAN interface with source NAT for all outbound flows. You would also configure static NAT for selected ports towards your DMZ hosts.

Hope that helps.

cheers,

Seb.

Re: PA 440 MGMT Interface and Regular Interface

networkingnoobie — Thu, 18 Jan 2024 06:07:14 GMT

Thank you very much for the response. I did get this working however made some such as non static routing vs dynamic.