topic Re: Paloalto firewall placement in General Topics

Paloalto firewall placement

atelcom — Tue, 30 Sep 2014 11:05:41 GMT

Hi,

i have customer who bought 2 paloalto firewall, with threat prevention and url filtering licences and i want some advice for the placement of paloalto in the architecture to ensure the maximum of security and deploy all necessary fonctionnality

please find in attach the architecture ,

knowing that :

ASA is used for :

- VPN IPSC

- managing internet traffic between dmz and untrust,

PIX:

-VPN ssl

-manage traffic ( vlan, internet)

TMG:

- publication of servers

-user authentication

-url filtering

-access control( https, http, ftp, smtp)

we can remove some equipement (like asa and tmg) and replace it by paloalto , could you please offer me some scenario

Best regards,

Sarah

Re: Paloalto firewall placement

Hithead — Tue, 30 Sep 2014 11:48:11 GMT

hi.

You can replace the TMG and ASA with the PA. Also it depents what you like to prevent or use with the PA?

Also you can (you should) configure the PA in L3. In L3 you route each traffic to the PA (and use the PA as a Router as well). I would place it next to the internet (instead of the ASA)...

Re: Paloalto firewall placement

mrsoldner — Tue, 30 Sep 2014 13:42:12 GMT

This is going to be a terribly simplistic reply - mainly because your question could be done so many ways - but I'd collapse edge security in the PAs (including URL filtering and inter-domain communication) and then collapse your VPN functionality into the ASA. ASA's untrusted says external with it's trusted interface passing through the PAs.

Re: Paloalto firewall placement

atelcom — Tue, 30 Sep 2014 14:00:07 GMT

we cant' because , if the the pa will placed in the edge , he will not recognise users

Re: Paloalto firewall placement

hshah — Tue, 30 Sep 2014 14:03:07 GMT

Hi Atelcom,

PANW is capable of following functions. So I would suggest you to replace it with ASA and PIX

- managing internet traffic between dmz and untrust,

-VPN ssl

-manage traffic ( vlan, internet)

-url filtering

-access control( https, http, ftp, smtp)

Now it can not perform following functions, you can configure authentication profiles for the same.

- publication of servers

-user authentication

Let me know your concerns in detail.

Regards,

Hardik Shah

Re: Paloalto firewall placement

atelcom — Tue, 30 Sep 2014 14:08:08 GMT

so even tmg will be removed ??

Re: Paloalto firewall placement

hshah — Tue, 30 Sep 2014 14:12:06 GMT

Hi Atelcomm,

User authentication is done by LDAP or Radius normally. So for that you dont need TMG.

I am not familiar with server publications.

Lets say if you replace ASA/PIX with PANW than for what additional purpose you might need TMG.

Regards,

Hardik Shah

Re: Paloalto firewall placement

atelcom — Tue, 30 Sep 2014 14:20:31 GMT

yes i indertstand , and i don't thin that is a big deal cause we need athentication just for url filtering and for identify users,

so we can do that in PA with user id agent ,

but all this we be so complicated for the migrantion of the old infrascture to the new one , so we need a backup plan to minimize the downtime

Regards,

Sarah

Re: Paloalto firewall placement

ssharma — Tue, 30 Sep 2014 14:31:38 GMT

Hi Sarah,

I would suggest putting the device in Vwire mode 1st. This will just be bump-in-the-wire deployment, where no L3 needs to be changed. In this scenario, you can utilize threat prevention, url filtering, user id capability, captive portal. This should not include any downtime.

Once this is done and you have all visibility to your network and traffic, you can start building configuration on the device to mimic that of ASA or tmg. You can configure IPSec, routing, L3 (You are just configuring the device at this point, where as traffic is flowing normal). Once you verify, everything is configured the way you wanted, you can migrate from other device to PA (this will involve certain downtime but will be minimal). Hope this helps. Thank you.

Re: Paloalto firewall placement

atelcom — Tue, 30 Sep 2014 15:30:11 GMT

Thank's for your return, could you please tell me were i should place it in vwire ,

cause if we place it before asa , it can't idnetify users passing through TMG

regards,

Sarah

Re: Paloalto firewall placement

ssharma — Tue, 30 Sep 2014 16:40:30 GMT

Hi Sarah,

I would put PA device in between LAN and Cisco switch. This would be least intrusive and yet give you full visibility. You can apply user id, captive portal, url filtering. Once configured for L3, you can replace it with ASA for IPsec, ssl vpn, routing etc. Thank you.

Re: Paloalto firewall placement

hshah — Tue, 30 Sep 2014 17:16:56 GMT

Hi Atelcom,

If you put firewall TAP Mode than definitely you can see the traffic. After that you will configure firewall in L3 mode for various services.

Why to take one extra step of TAP mode. I would suggest to migrate one by one all services to PANW firewall. Basically skip TAP and go for direct implementation.

Regards,

Hardik Shah

Re: Paloalto firewall placement

atelcom — Mon, 06 Oct 2014 09:26:19 GMT

Hi thanks to all for your help, i have some update for this case

Now the customer want to add a stonsoft to load balance ISP and want to manage the internet traffic by paloalto

the pix and ASA handle the vpn connection and tmg for publication

were do you think we should place the PA

Best regards,

Sarah

Re: Paloalto firewall placement

Hithead — Mon, 06 Oct 2014 10:01:43 GMT

If you like you can firewall the ASA Clients and TMG publication with vwire