<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Virtual Wire DMZ - Help Please in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/virtual-wire-dmz-help-please/m-p/22535#M16448</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You probably want to check with your SE or Reseller regarding your network architecture, but there is another option that may work for you: a Layer 2 to Layer 3 connection.&amp;nbsp; Documentation can be found at the following link:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/docs/DOC-1067"&gt;https://live.paloaltonetworks.com/docs/DOC-1067&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 27 Apr 2010 22:17:06 GMT</pubDate>
    <dc:creator>nrice</dc:creator>
    <dc:date>2010-04-27T22:17:06Z</dc:date>
    <item>
      <title>Virtual Wire DMZ - Help Please</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/virtual-wire-dmz-help-please/m-p/22534#M16447</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hoping for some clarification on using Virtual Wire to inspect traffic to our DMZ please.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Right now the external interface of our PAN has a public IP of 1.2.3.1/24.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Its default gateway is another firewall in front of it, its internal interface has a public IP of 1.2.3.2/24.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Both of these interfaces are connected to a switch, and on that switch we also have a webserver/mail relay which have public IPs on the same 1.2.3.0/24 network, kind of like this:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;LAN&lt;/P&gt;&lt;P&gt;|&lt;/P&gt;&lt;P&gt;|&lt;/P&gt;&lt;P&gt;PAN (external interface is in dumb switch)&lt;/P&gt;&lt;P&gt;|&lt;/P&gt;&lt;P&gt;Dumb Switch--DMZ Servers&lt;/P&gt;&lt;P&gt;|&lt;/P&gt;&lt;P&gt;Perimeter Firewall (internal interface is in dumb switch)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;|&lt;/P&gt;&lt;P&gt;Router&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I know I can bring those DMZ servers in behind another interface on the PAN and assign them private IP addresses and have the PAN do the decryption/inspection/forwarding.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I also believe I can set up a DMZ "virtual wire" which will let me do SSL decryption and threat/virus inspection without having to touch the configuration on any of those DMZ servers.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;What I'm not clear on is how I'd do this, and as I don't have a PAN I can test on I'd appreciate some clarification before I do anything.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Equally if every "best practice" out there is to do this using traditional NAT tell me and I'll look at doing it this way (How do I best build up the "new" ruleset on the PAN without committing it until I'm ready, whilst being able to make changes to my running config if I need to?).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 25 Apr 2010 09:39:56 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/virtual-wire-dmz-help-please/m-p/22534#M16447</guid>
      <dc:creator>networkadmin</dc:creator>
      <dc:date>2010-04-25T09:39:56Z</dc:date>
    </item>
    <item>
      <title>Re: Virtual Wire DMZ - Help Please</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/virtual-wire-dmz-help-please/m-p/22535#M16448</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You probably want to check with your SE or Reseller regarding your network architecture, but there is another option that may work for you: a Layer 2 to Layer 3 connection.&amp;nbsp; Documentation can be found at the following link:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/docs/DOC-1067"&gt;https://live.paloaltonetworks.com/docs/DOC-1067&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 27 Apr 2010 22:17:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/virtual-wire-dmz-help-please/m-p/22535#M16448</guid>
      <dc:creator>nrice</dc:creator>
      <dc:date>2010-04-27T22:17:06Z</dc:date>
    </item>
    <item>
      <title>Re: Virtual Wire DMZ - Help Please</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/virtual-wire-dmz-help-please/m-p/22536#M16449</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks for the reply.&amp;nbsp; I had a chat with Vadition and they were of the view that the simplest solution (maybe more work to get there but neater/simpler) would be to bring the hosts off a L3 interface and have a DMZ zone and do inbound NAT etc.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;One question on that as I only just asked them - can you assign multiple NICs in the PAN to the same L3 interface?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I ask as we only have two DMZ hosts so it'd be nice to be able to plug them directly into the PAN vs. bringing another (small) switch into the equation.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 28 Apr 2010 16:51:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/virtual-wire-dmz-help-please/m-p/22536#M16449</guid>
      <dc:creator>networkadmin</dc:creator>
      <dc:date>2010-04-28T16:51:48Z</dc:date>
    </item>
  </channel>
</rss>

