https://live.paloaltonetworks.com/t5/general-topics/vwire-configuration-testing/m-p/41542#M30542 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>At a recent PA training, the instructor mentioned a testing method for testing the configuration of VWire objects and the traffic flow, as configured in your Security Policy.&nbsp; The goal of this method is the ability to do testing in a lab environment vs. testing your traffic flow after you've put the device into production.</P><P></P><P>With your device in a lab environment and the VWire objects and interfaces configured, you connect ethernet to two ports you're testing.&nbsp; To that you connect two switches and one laptop to either swtich (two laptops total).&nbsp; You then set each laptop's gateway to the other laptop and see if you can connect.</P><P></P><P>By reaching the laptop over the other port, you're able to determine that your security policy between those two zones is configured as needed.&nbsp; And you repeat this for your other ports/zones to test inter-zone traffic.</P><P></P><P>Is anyone able to confirm this method or offer a suggestion on testing VWires object / zone / Security Policy configurations prior to deploying the PA into production?&nbsp; Thanks</P></BODY></HTML> Fri, 02 Aug 2013 16:39:04 GMT Mic 2013-08-02T16:39:04Z https://live.paloaltonetworks.com/t5/general-topics/vwire-configuration-testing/m-p/41542#M30542 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>At a recent PA training, the instructor mentioned a testing method for testing the configuration of VWire objects and the traffic flow, as configured in your Security Policy.&nbsp; The goal of this method is the ability to do testing in a lab environment vs. testing your traffic flow after you've put the device into production.</P><P></P><P>With your device in a lab environment and the VWire objects and interfaces configured, you connect ethernet to two ports you're testing.&nbsp; To that you connect two switches and one laptop to either swtich (two laptops total).&nbsp; You then set each laptop's gateway to the other laptop and see if you can connect.</P><P></P><P>By reaching the laptop over the other port, you're able to determine that your security policy between those two zones is configured as needed.&nbsp; And you repeat this for your other ports/zones to test inter-zone traffic.</P><P></P><P>Is anyone able to confirm this method or offer a suggestion on testing VWires object / zone / Security Policy configurations prior to deploying the PA into production?&nbsp; Thanks</P></BODY></HTML> Fri, 02 Aug 2013 16:39:04 GMT https://live.paloaltonetworks.com/t5/general-topics/vwire-configuration-testing/m-p/41542#M30542 Mic 2013-08-02T16:39:04Z https://live.paloaltonetworks.com/t5/general-topics/vwire-configuration-testing/m-p/41543#M30543 <HTML><HEAD></HEAD><BODY><P>Thats an easy test to begin with. But you will only be able to test minimal traffic between the 2 laptops. The real load test would be when you pass pre-production traffic, with the PANFW, inline with the netwok ( before you replace your existing firewall with the PANFW ), without disturbing your existing layer 3 setup.</P><P></P><P>------------ internal networl---------- inside vwire inter-------------PANW----------outside vwire interface -------------router/firewall---------internet cloud</P><P></P><P>The PANFW will act as an IPS, process the traffic, matching for the applications and looking for threats.</P><P></P><P></P><P>BR,</P><P>karthik </P></BODY></HTML> Fri, 02 Aug 2013 17:25:47 GMT https://live.paloaltonetworks.com/t5/general-topics/vwire-configuration-testing/m-p/41543#M30543 kprakash 2013-08-02T17:25:47Z https://live.paloaltonetworks.com/t5/general-topics/vwire-configuration-testing/m-p/41544#M30544 <HTML><HEAD></HEAD><BODY><P>Right, it's a very basic initial test with the goal being sure that your Security Policy allows all your inter-zone traffic.&nbsp; I'm hoping to get details from others that have tested VWire configurations in a lab environment, without having to generate traffic from different networks to test the Source&lt;-&gt;Destination allows in the Security Policy.</P></BODY></HTML> Fri, 02 Aug 2013 17:32:42 GMT https://live.paloaltonetworks.com/t5/general-topics/vwire-configuration-testing/m-p/41544#M30544 Mic 2013-08-02T17:32:42Z