https://live.paloaltonetworks.com/t5/general-topics/cisco-ironport-with-palo-alto-fw/m-p/16193#M11831 <HTML><HEAD></HEAD><BODY><P>Well that Ironport device (even if they are best known for mailfiltering) should be just like any SPI/NGFW around.</P><P></P><P>That is in your case I would create a dedicated zone and attach that to a dedicated interface.</P><P></P><P>This interface would then have a linknet created (for example 10.0.0.1/30 or whatever RFC1918 addressrange you prefer) and then in the VROUTER setup a static nexthop for the range which the tenant will use out of your range.</P><P></P><P>For example:</P><P></P><P>Internet &lt;-&gt; PA &lt;-&gt; Ironport</P><P></P><P>where the link between PA and Ironport have 10.0.0.1/30 on your end and 10.0.0.2/30 on the Ironport end (as an example).</P><P></P><P>In your PA VROUTER you setup x.x.x.x/xx NEXTHOP 10.0.0.2.</P><P></P><P>The Ironport will then setup a default route towards 10.0.0.1 as nexthop.</P><P></P><P>There are of course other options around demending on your taste <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Sun, 01 Dec 2013 17:38:00 GMT mikand 2013-12-01T17:38:00Z https://live.paloaltonetworks.com/t5/general-topics/cisco-ironport-with-palo-alto-fw/m-p/16192#M11830 <HTML><HEAD></HEAD><BODY><P>We have a tenant who is going to terminate their internet service and begin to use our connection.&nbsp; Their internet traffic will be directed to our Palo Alto, which is our internet gateway.&nbsp; The tenant also uses a Cisco Ironport Web Security device and insists on its continued use vs. using the services on the Palo Alto.&nbsp; My thought was to put the Ironport on our DMZ and via PBF, send all traffic from the tenant subnet to the Ironport.&nbsp; The Ironport would then return the filtered traffic to the PA and out to the internet.</P><P></P><P>Anyone familiar with the Ironport/ have any ideas of whether or not this setup is feasible?</P><P><BR /> </P></BODY></HTML> Wed, 06 Nov 2013 18:50:41 GMT https://live.paloaltonetworks.com/t5/general-topics/cisco-ironport-with-palo-alto-fw/m-p/16192#M11830 jeffrey.schultise 2013-11-06T18:50:41Z https://live.paloaltonetworks.com/t5/general-topics/cisco-ironport-with-palo-alto-fw/m-p/16193#M11831 <HTML><HEAD></HEAD><BODY><P>Well that Ironport device (even if they are best known for mailfiltering) should be just like any SPI/NGFW around.</P><P></P><P>That is in your case I would create a dedicated zone and attach that to a dedicated interface.</P><P></P><P>This interface would then have a linknet created (for example 10.0.0.1/30 or whatever RFC1918 addressrange you prefer) and then in the VROUTER setup a static nexthop for the range which the tenant will use out of your range.</P><P></P><P>For example:</P><P></P><P>Internet &lt;-&gt; PA &lt;-&gt; Ironport</P><P></P><P>where the link between PA and Ironport have 10.0.0.1/30 on your end and 10.0.0.2/30 on the Ironport end (as an example).</P><P></P><P>In your PA VROUTER you setup x.x.x.x/xx NEXTHOP 10.0.0.2.</P><P></P><P>The Ironport will then setup a default route towards 10.0.0.1 as nexthop.</P><P></P><P>There are of course other options around demending on your taste <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Sun, 01 Dec 2013 17:38:00 GMT https://live.paloaltonetworks.com/t5/general-topics/cisco-ironport-with-palo-alto-fw/m-p/16193#M11831 mikand 2013-12-01T17:38:00Z