https://live.paloaltonetworks.com/t5/general-topics/one-leg-setup-clarification/m-p/33972#M24911 <HTML><HEAD></HEAD><BODY><P>if we can do in vwire it would be great , but can you explain more please..</P></BODY></HTML> Wed, 13 Jun 2012 11:13:32 GMT LCMember4717 2012-06-13T11:13:32Z https://live.paloaltonetworks.com/t5/general-topics/one-leg-setup-clarification/m-p/33970#M24909 <HTML><HEAD></HEAD><BODY><P>hi all,</P><P></P><P>i need to setup two PA-2050 ( HA mode ) but am not sure about the design were i need some help her, the customer network is devided into vlans and they all communicato to each other through the corre switch ( cisco 6500) and if they require internet access the core switch will route them to a firewall ( firewall module in the core sw ) , now obviously i cant setup the appliances in vwire mode since there are no physical cables ( all virtual links and vlan ) so i was thinking to make a defult route on the customer switch to redirect internet traffic to the PA device then it routes back to the core sw , not wccp as i know they call this one leg setup am just wondering if it can achieved by the PA appliance .</P><P></P><P>am attaching a diagram of what am looking for .</P><P><IMG alt="Dasman_setup.jpg" class="jive-image-thumbnail jive-image" onclick="" src="https://live.paloaltonetworks.com/legacyfs/online/3065_Dasman_setup.jpg" width="450" /></P></BODY></HTML> Tue, 12 Jun 2012 15:23:23 GMT https://live.paloaltonetworks.com/t5/general-topics/one-leg-setup-clarification/m-p/33970#M24909 LCMember4717 2012-06-12T15:23:23Z https://live.paloaltonetworks.com/t5/general-topics/one-leg-setup-clarification/m-p/33971#M24910 <HTML><HEAD></HEAD><BODY><P>Hi...To do the one arm routing, we would have to redirect traffic from the VLANs to the PA device before it reaches the fw module.&nbsp; We then have to NAT at the PA device to ensure the return packets come back to the PA device, or redirect the inbound traffic at the sw as well.&nbsp; Otherwise the fw module would forward the replies to the users and bypass the PA device.&nbsp; We need to maintain session state on the PA device.</P><P></P><P>Another option is to do L2 bridging and configure the PA device in vwire mode.&nbsp; Put the fw module on a standalone vlan and aggregate the user vlans onto a 2nd standalone vlan.&nbsp; Use the vwire to bridge the two standalone vlans.</P><P></P><P>Thanks.</P></BODY></HTML> Tue, 12 Jun 2012 16:48:17 GMT https://live.paloaltonetworks.com/t5/general-topics/one-leg-setup-clarification/m-p/33971#M24910 rmonvon 2012-06-12T16:48:17Z https://live.paloaltonetworks.com/t5/general-topics/one-leg-setup-clarification/m-p/33972#M24911 <HTML><HEAD></HEAD><BODY><P>if we can do in vwire it would be great , but can you explain more please..</P></BODY></HTML> Wed, 13 Jun 2012 11:13:32 GMT https://live.paloaltonetworks.com/t5/general-topics/one-leg-setup-clarification/m-p/33972#M24911 LCMember4717 2012-06-13T11:13:32Z https://live.paloaltonetworks.com/t5/general-topics/one-leg-setup-clarification/m-p/33973#M24912 <HTML><HEAD></HEAD><BODY><P>For the vwire option, we would need to use a vlan bridge as shown in the attached diagram.&nbsp; We need to create 2 isolated vlans and they are depicted as untrust and trust vlans.The vwire would act as a bridge and traffic would flow through the PAN device.&nbsp; Thanks.</P></BODY></HTML> Wed, 13 Jun 2012 13:27:40 GMT https://live.paloaltonetworks.com/t5/general-topics/one-leg-setup-clarification/m-p/33973#M24912 rmonvon 2012-06-13T13:27:40Z https://live.paloaltonetworks.com/t5/general-topics/one-leg-setup-clarification/m-p/33974#M24913 <HTML><HEAD></HEAD><BODY><P>AM testing the one arm routing do I need to have PBF to instruct the traffic to leave from the same interface again because it's reaching the PA but it drops then .</P><P></P><P>Thanks.</P></BODY></HTML> Sun, 17 Jun 2012 21:22:36 GMT https://live.paloaltonetworks.com/t5/general-topics/one-leg-setup-clarification/m-p/33974#M24913 LCMember4717 2012-06-17T21:22:36Z