<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Using Global Protect Internally - Several Questions in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/using-global-protect-internally-several-questions/m-p/67461#M39538</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;That is an interesting solution to the NAC issue most of us are going to run into. I have heard of internal VPN being used to encrypt data in flight, but not as a NAC solution. I would also be interested in hearing your results and gotchas that you run into.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;As for the capacity, you may want to check the specs on the different models to see how many tunnels they can handle. Also look at the large scale deployment model.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/Documentation-Articles/Large-Scale-VPN-LSVPN-Deployment-Guide/ta-p/53091" target="_blank"&gt;https://live.paloaltonetworks.com/t5/Documentation-Articles/Large-Scale-VPN-LSVPN-Deployment-Guide/ta-p/53091&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Regards,&lt;/P&gt;</description>
    <pubDate>Thu, 29 Oct 2015 16:36:55 GMT</pubDate>
    <dc:creator>OtakarKlier</dc:creator>
    <dc:date>2015-10-29T16:36:55Z</dc:date>
    <item>
      <title>Using Global Protect Internally - Several Questions</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/using-global-protect-internally-several-questions/m-p/67423#M39522</link>
      <description>&lt;P&gt;I am fairly new to the world of Palo Alto, so I apologize if this is answered elsewhere. My team is looking at an implementation scenario, and I have several questions as a result. I figured this community would be the best place to start.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We are currently looking to implement Global Protect internally, as a possible replacement for Cisco NAC for our individual system posture checking. We are aware that this isn't true port level security as NAC is, but think it may be a suitable replacement because of the functionality it has. I have recently implemented GP for external connections to our DR site, so I am familiar with the setup in that scenario, and the overall general setup of the solution. Our idea is to filter all traffic through PAs, performing posture checks on individual systems and allow access once HIP match passes.&lt;/P&gt;
&lt;P&gt;We are looking to set up a POC of this, using one floor on one wing of our building, consisting of about 200 users. Some of our questions center around how best to accommodate wireless traffic. This is internal traffic, not guest, our own users on wifi. We are a Cisco wireless customer, using Cisco WLCs for our clients. Would it be best to route traffic from the WLCs to the PAs to authenticate users, perform HIP check, and pass traffic? Is this where Captive Portal might come into play?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Additional questions revolve around what type of access individual systems will have, and how best to control traffic. The way I am understanding it, all systems would have access to each other until the posture check is done. That is, they will connect to an open VLAN, communicate to the primary PA GP Gateway, and then be passed on once the posture check is done.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Lastly, we are wondering about what type of performance we can expect. I haven't been able to find reliable figures as to what we might be looking at. We have about 1450 users, and will possibly be growing to about 2000 in the next couple years. We have all features (App-ID, URL Filtering, Wildfire, etc.) turned on. We currently have a number of 3050s in place and are curious if these can be used, or if we should be eyeing the larger 5000 series.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I know this is just a basic rundown, but if anyone can provide additional information or highlights from their experience implementing a similar scenario, I would greatly appreciate it. Even if it is pointing to specific documentation or posts. If I need to detail anything further, please let me know.&lt;/P&gt;</description>
      <pubDate>Wed, 28 Oct 2015 22:41:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/using-global-protect-internally-several-questions/m-p/67423#M39522</guid>
      <dc:creator>Scott_Sadlocha</dc:creator>
      <dc:date>2015-10-28T22:41:55Z</dc:date>
    </item>
    <item>
      <title>Re: Using Global Protect Internally - Several Questions</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/using-global-protect-internally-several-questions/m-p/67461#M39538</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;That is an interesting solution to the NAC issue most of us are going to run into. I have heard of internal VPN being used to encrypt data in flight, but not as a NAC solution. I would also be interested in hearing your results and gotchas that you run into.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;As for the capacity, you may want to check the specs on the different models to see how many tunnels they can handle. Also look at the large scale deployment model.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/Documentation-Articles/Large-Scale-VPN-LSVPN-Deployment-Guide/ta-p/53091" target="_blank"&gt;https://live.paloaltonetworks.com/t5/Documentation-Articles/Large-Scale-VPN-LSVPN-Deployment-Guide/ta-p/53091&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Regards,&lt;/P&gt;</description>
      <pubDate>Thu, 29 Oct 2015 16:36:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/using-global-protect-internally-several-questions/m-p/67461#M39538</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2015-10-29T16:36:55Z</dc:date>
    </item>
  </channel>
</rss>

