topic Re: VLAN with Palo Alto Networks PA-500 in General Topics

VLAN with Palo Alto Networks PA-500

RCHAIBI — Thu, 15 Oct 2015 09:32:58 GMT

Hello,

We need to set up a VLANS in the office with the PA-500 but we don't like to change our address. It's possible to configure a VLANs with MAC address or protocole with PA-500?

Thanks

Re: VLAN with Palo Alto Networks PA-500

_slv_ — Thu, 15 Oct 2015 09:47:32 GMT

Hello

Did You read this https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-L3-Untagged-Subinterfaces-to-Communicate-within/ta-p/55830 ?

>It's possible to configure a VLANs with MAC address or protocole with PA-500?

Could You be more specific?

Regards

Slawek

Re: VLAN with Palo Alto Networks PA-500

reaper — Thu, 15 Oct 2015 11:32:24 GMT

Hi there

To enable vlan tags you should not be required to change IP addressing

assuming you start off with a simple L3 interface (let's say eth1/2) with ip range 192.168.0.0/24 which you want to move into vlan 10 it would suffice to take the following steps to make it work:

delete the ip configuration from eth1/2
create a l3 subinterface to eth1/2 and set the tag to 10,
assign it the appropriate zone and add it to the same virtual router
add the ip range to eth1/2.10
set the switch port from access to trunk and enable vlan10
commit the firewall
save/commit the switch

repeat the above process for all the vlans you want to split off, tagging each subinterface with the vlan you want to use

Re: VLAN with Palo Alto Networks PA-500

RCHAIBI — Thu, 15 Oct 2015 13:19:37 GMT

Hi,

Thank you very much for your response !

@_slv_ Yes, I read this document and want to use the mac address for not change the ip address range in our office.

@reaper Yes , I do this for the IT departments . I follow all this steps and I put the employees in the VLAN10. But for the HR departments I want to use other vlan 11 without change the IP address. It's possible to do the segmentation of the network with the mac address or the protocol ?? . Can you please help me for this

Thank you very much for your cooperation

Re: VLAN with Palo Alto Networks PA-500

reaper — Thu, 15 Oct 2015 13:31:30 GMT

ok, so all your users are located in the same subnet

on a larger platform you could enable Virtual Systems and have the 2 vlans on a different virtual instance. on a PA-500 unfortunately that is not supported, so you will probably need to segment your subnet into smaller parts to have the least impact.

we can't split that up based on MAC or protocol

Re: VLAN with Palo Alto Networks PA-500

Raido_Rattameister — Thu, 15 Oct 2015 13:32:05 GMT

Can you explain more what is your goal?

You can allow or block traffic based on source ip or source user.

Palo can't throw packets into diferent vlans based on soure mac address.

Re: VLAN with Palo Alto Networks PA-500

RCHAIBI — Thu, 15 Oct 2015 13:43:23 GMT

Hi,

@reaper Thank you very much for your response !

@Raido_Rattameister : the Goal is to do the segmentation of the network without change the ip address range . I want for exemple to do the segmentation based on MAC address of protocole .

Re: VLAN with Palo Alto Networks PA-500

Retired Member — Thu, 15 Oct 2015 14:08:34 GMT

Hi,

Its possible: put departments in different vlan's and use vwires between the vlan's to connect them.

Re: VLAN with Palo Alto Networks PA-500

Raido_Rattameister — Thu, 15 Oct 2015 14:10:50 GMT

If you really want then you can configure firewall on Layer 2 also with Palo. Then it works as a switch. You have Layer 2 zones and you can create rules between them. All machines can be in same ip range.

In this case no need to change ip addresses.

You never design this from scratch but if environment is place then it can be used as workaround.

Throwing out google search link so you can check if this is something you need.

https://www.google.ie/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=palo+alto+networks+firewall+layer+2+deployment

Re: VLAN with Palo Alto Networks PA-500

RCHAIBI — Thu, 15 Oct 2015 14:25:30 GMT

hi,

@Retired Member can you please explain more what i have doing ?

@Raido_Rattameister the only solution that i find it is to to the segmentation with ip address with subinterfaces and add the necessary tags for the vlan and in the switch i should configure a trunk port . I should in this way change the ip address range 😞

I don't know what should i do to realease my goal ?. how should i use PA-500 in L3 and L2 mode to do the segmentation without changing the ip address range ??

Thank you for all your helps

Re: VLAN with Palo Alto Networks PA-500

Raido_Rattameister — Thu, 15 Oct 2015 14:34:49 GMT

Ideal solution would be to configure vlan's on switch, place diferent workstations to seperate vlans with seperate IP subnets.

If you can't change ip addresses of your machines then you can change interface ses to Layer 2 mode.

Lets say ethernet 1 is internet zone, ethernet 2 is L2-it-department zone and ethernet 3 is L2-finance zone.

Then Palo interfaces 2 and 3 act like switch but you can create firewall rules between them.

There is some more complexity involved (like getting connectivity between L2 and L3 zones to access internet etc) but it is doable.

Re: VLAN with Palo Alto Networks PA-500

dieter_b — Thu, 15 Oct 2015 14:36:37 GMT

I'm sensing a lack of networking knowledge here ... please correct me if I'm wrong.

Putting clients in VLAN's is usually done closest to the "access" layer of a network (the access switches), not on a routing / firewall level (core).

That does not mean there's no need to use VLAN's on the firewall tho...

Use your firewall for firewalling, that's what it's designed for.

Sure, you can do it like that (different VLAN's in same addressing), but that soon will be a management nightmare that's way to complicated for what it actually only should do.

If there's a business need, I'd rather redesign the network entrely (even if means more work at first)...

Re: VLAN with Palo Alto Networks PA-500

Raido_Rattameister — Thu, 15 Oct 2015 14:52:54 GMT

Yes access switches should be configured to place users into seperate networks.

Those seperate networks come together into firewall (diferent layer 3 zones) and you create fw rules in between.

If you suddenly have to seperate existing network into diferent security zones without changing ip addresses then you can configure some interfaces as Layer 2 mode.

Lets say you configure ethernet2 and ethernet3.

You create 2 L2 zones. Lets say L2-it-departments and L2-finance.

You place ethernet2 into L2-it-department zone and ethernet3 into L2-finance zone.

You attach one switch to ethernet2 and connect all your it department computers to this switch.

You attach second switch to ethernet3 port and connect all your finance computers to that switch.

And then you can create policyes between L2-it-department zone and L2-finance zone.

They both still have same ip range in use.

You also have to have L3 vlan between virtual router and L2 zone so setting it up is a bit complicated but your local palo reseller should be able to help you out with the setup.