https://live.paloaltonetworks.com/t5/general-topics/panorama-location-best-practice/m-p/141110#M48335 <P>A quick&nbsp;follow up. I decided to leave it in the LAN despite the little downsides. I realized that it could potentially store sensetive data that should not be exposed in a DMZ kind of a network segement. Also, it would make integration with internal DNS, User-ID agents, etc. easier.</P><P>Just in case this helps someone...</P> Sat, 04 Feb 2017 09:44:38 GMT Retired Member 2017-02-04T09:44:38Z https://live.paloaltonetworks.com/t5/general-topics/panorama-location-best-practice/m-p/139730#M48170 <P>I have deployed Panorama in our LAN and plan to manage a global install. Now I realized that remote firewalls cannot reach it until they have their VPN setup (which I prefer to do using Panorama too).</P><P>&nbsp;</P><P>What is the best practice to solve this? Should Panorama reside in a DMZ and have managed firewalls communicate over the Internet to a public IP?</P><P>&nbsp;</P> Fri, 27 Jan 2017 10:58:04 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-location-best-practice/m-p/139730#M48170 Retired Member 2017-01-27T10:58:04Z https://live.paloaltonetworks.com/t5/general-topics/panorama-location-best-practice/m-p/139892#M48192 <P>I've not seen a recomendation in the PA documents but I have done this type of management using both methods. &nbsp;Personally I prefer the public address connect method. &nbsp;I like to setup and manage the VPN as you mention but also if there are issues with the VPN then mgmt is still available as long as the internet link itself is up.</P><P>&nbsp;</P><P>You identify the advantages and disadvantages for the main features. &nbsp;If you decide to go with the public address management be sure to setup specific rules that only permit access to the branch devices from the Panorama NAT address. &nbsp;Make sure the surface area opened is the minimum needed.</P> Sat, 28 Jan 2017 19:23:24 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-location-best-practice/m-p/139892#M48192 pulukas 2017-01-28T19:23:24Z https://live.paloaltonetworks.com/t5/general-topics/panorama-location-best-practice/m-p/139897#M48193 <P>Thanks</P> Sat, 28 Jan 2017 21:34:45 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-location-best-practice/m-p/139897#M48193 Retired Member 2017-01-28T21:34:45Z https://live.paloaltonetworks.com/t5/general-topics/panorama-location-best-practice/m-p/141110#M48335 <P>A quick&nbsp;follow up. I decided to leave it in the LAN despite the little downsides. I realized that it could potentially store sensetive data that should not be exposed in a DMZ kind of a network segement. Also, it would make integration with internal DNS, User-ID agents, etc. easier.</P><P>Just in case this helps someone...</P> Sat, 04 Feb 2017 09:44:38 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-location-best-practice/m-p/141110#M48335 Retired Member 2017-02-04T09:44:38Z https://live.paloaltonetworks.com/t5/general-topics/panorama-location-best-practice/m-p/141117#M48340 <P>All good reasons for the internal side connections.</P><P>&nbsp;</P><P>You have a good handle on the benefits each way. &nbsp;I'm sure your deployment will go well.</P> Sat, 04 Feb 2017 12:07:15 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-location-best-practice/m-p/141117#M48340 pulukas 2017-02-04T12:07:15Z