<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: best design for a small network in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/best-design-for-a-small-network/m-p/107014#M44855</link>
    <description>&lt;P&gt;Thanks for your advice. Using virtual wire could simplify things from the perspective of&amp;nbsp;FW configuration, but what you propose definitely makes more sense for a more granular security scheme.&lt;/P&gt;</description>
    <pubDate>Thu, 25 Aug 2016 06:02:26 GMT</pubDate>
    <dc:creator>Perseus</dc:creator>
    <dc:date>2016-08-25T06:02:26Z</dc:date>
    <item>
      <title>best design for a small network</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/best-design-for-a-small-network/m-p/106452#M44800</link>
      <description>Good morning, We just got a Palo Alto Firewall for a small testing lab with several virtual servers and clients. The firewall will then be connected between the lab and our ISP gateway. Most of the network traffic will be internal, since the clients will be connecting to the servers through a switch, and the switch will then be connected to the FW. However, we will have a few clients (3 or 4) that will connect directly to the FW, so to the servers it will appear they are connecting from outside. Besides the application testing inside the network lab, the most important thing will be allowing all these clients to get updates from the internet. We don’t have much experience configuring the Palo Alto FW, but we would like to make sure nothing nasty is coming from outside. Could you please give us some advice about what design could be better for it (Virtual Wire, L3, L2, etc.)? Thanks in advance,</description>
      <pubDate>Wed, 24 Aug 2016 06:47:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/best-design-for-a-small-network/m-p/106452#M44800</guid>
      <dc:creator>Perseus</dc:creator>
      <dc:date>2016-08-24T06:47:45Z</dc:date>
    </item>
    <item>
      <title>Re: best design for a small network</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/best-design-for-a-small-network/m-p/106481#M44806</link>
      <description>&lt;P&gt;Depending on how you want to split up your IP subnet (or not at all), you could go for a full layer 3 config and create a DMZ zone, trust zone and untrust zone, each with their own subnet.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You'd put all your laptops/desktops in the trust zone/subnet, all the servers in the DMZ zone/subnet, and hook up the ISP to the untrust zone.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You'll now be able to create security policies between each zone, tailored to the specific access each zone requires to the destination zone (e.g. trust + DMZ: ssl + web-browsing out for surfing and updates; trust to DMZ: all sorts of control applications (rdp, http, ssh, db, ...); and only the strictly required apps from untrust to DMZ (ssl, http, ...)).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Alternatively, if you'd prefer to keep all local hosts in the same IP subnet, you could create an internal layer 2 setup with 2 or more interfaces in layer 2, with L3 routing enabled. You can then hook up all the laptops/desktops to one interface and all the servers to the other interface; they'll all act as if they're on the same 'switch', but the firewall will be able to inspect traffic between the 2 virtual segments.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Please check out these Getting Started articles for some more info on each deployment:&lt;/P&gt;
&lt;P&gt;&lt;A title="Getting Started: The Series" href="https://live.paloaltonetworks.com/t5/Community-Blog/Getting-Started-The-Series/ba-p/67707" target="_blank"&gt;Getting Started: The Series&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 24 Aug 2016 07:55:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/best-design-for-a-small-network/m-p/106481#M44806</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2016-08-24T07:55:26Z</dc:date>
    </item>
    <item>
      <title>Re: best design for a small network</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/best-design-for-a-small-network/m-p/106562#M44813</link>
      <description>Thank you very much for your prompt answer. I believe it will not be necessary to have the hosts in different IP subnets. To be more precise about the layout of the network, we have: ISP – FW – Switch1 – 5 client PCs – Switch2 – NAS, plus another 3 client PCs (simulating remote connections) connected between the FW and Switch2 (i.e. ISP – FW – 3 client PCs – Switch2 – NAS). Basically, Switch1 could be directly connected to one FW interface, but for the other 3 PCs I am assuming we may have to use separate FW interfaces for each one if there is no better option. Thanks again for your time,</description>
      <pubDate>Wed, 24 Aug 2016 10:48:04 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/best-design-for-a-small-network/m-p/106562#M44813</guid>
      <dc:creator>Perseus</dc:creator>
      <dc:date>2016-08-24T10:48:04Z</dc:date>
    </item>
    <item>
      <title>Re: best design for a small network</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/best-design-for-a-small-network/m-p/106615#M44822</link>
      <description>&lt;P&gt;You're mixing L2 and L3.&lt;/P&gt;&lt;P&gt;As far as the logical L3 topology goes, I'd suggest separating the NAS from the client segment.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Put the PA in the center of your network and make 3 layer 3 interfaces:&lt;/P&gt;&lt;P&gt;- 1 interface for the ISP link, however it needs to be configured, zone untrust/internet...&lt;/P&gt;&lt;P&gt;- 1 interface for clients, zone trust/lan...&lt;/P&gt;&lt;P&gt;- 1 interface for the SAN and other servers, zone server/DMZ...&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Use both current switches as L2 access switches; one for clients, one for servers.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 24 Aug 2016 11:15:35 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/best-design-for-a-small-network/m-p/106615#M44822</guid>
      <dc:creator>santonic</dc:creator>
      <dc:date>2016-08-24T11:15:35Z</dc:date>
    </item>
    <item>
      <title>Re: best design for a small network</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/best-design-for-a-small-network/m-p/107014#M44855</link>
      <description>&lt;P&gt;Thanks for your advice. Using virtual wire could simplify things from the perspective of&amp;nbsp;FW configuration, but what you propose definitely makes more sense for a more granular security scheme.&lt;/P&gt;</description>
      <pubDate>Thu, 25 Aug 2016 06:02:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/best-design-for-a-small-network/m-p/107014#M44855</guid>
      <dc:creator>Perseus</dc:creator>
      <dc:date>2016-08-25T06:02:26Z</dc:date>
    </item>
  </channel>
</rss>