https://live.paloaltonetworks.com/t5/general-topics/pa-820-am-i-asking-too-much/m-p/191543#M57680 <P>Thanks Reaper.</P><P>&nbsp;</P><P>Thats the same advise as I was given yesterday re-intra-zone policies to acheive what I want so I appreciate your input and I'll rework the design.</P><P>&nbsp;</P><P>The issue of how to allocate bandwidth per client/subnet is indeed a bit harder. Based on what I've looked at and your feedback I think I need to look for another solution to manage this aspect.</P><P>&nbsp;</P><P>Cheers</P><P>Tim</P> Wed, 13 Dec 2017 15:32:33 GMT TimWarren-Oxygen 2017-12-13T15:32:33Z https://live.paloaltonetworks.com/t5/general-topics/pa-820-am-i-asking-too-much/m-p/191242#M57635 <P>Hi,</P><P>I've been asked to assess if PA-820s could be used to support a smallish MSP environment and as I'm new to the PA world (and indeed MSP network design) I'm hopeful some of you can point me in the right direction. I may be going about the design wrong so do say if you think there are better/relatively cost free ways to acheive the desired outcome (i.e. utilizing existing Cisco routers for QoS).</P><P>&nbsp;</P><P>Requirements:-</P><P>Support 10-20 clients. Each client could potentially have 3 security zones. So we naturally hit a limitation as the 820 only supports 30 zones.</P><P>Apply QoS per client AND combine QoS across each of the clients security zones, primarily for bandwidth limits per customer. The issue here is that the 820 only supports QoS applied to physcial interface and not the subs. i.e client would purchase x Mbps of bandwidth to be shared by all zones.</P><P>&nbsp;</P><P>&nbsp;</P><P>Initial idea:</P><P>PA has 4 ports and the zone outline would be:</P><P>1. Internet (Untrusted)</P><P>2.&nbsp;Internal zones (with each client having a tagged sub-int and associated security zone). This would connected to virtualisation platform.&nbsp;</P><P>3. DMZ zones (with each client having a tagged sub-int and associated security zone).</P><P>3. WAN zones (as above leading to customer site)</P><P>&nbsp;</P><P>Issues with 820s as I initally look at it:</P><P>Security zone limit</P><P>No QoS on sub-interfaces</P><P>I could live with not having a combined QoS as customers would generally fall into two categories.</P><P>a. Those only needing a WAN zone</P><P>b. Those that have hosted environment typically utilise a terminal server solution so with management most traffci to/from internet can pass either through the Internal zone and/or web gateway within DMZ zone.</P><P>&nbsp;</P><P>I've attached a high level overview of what I envisage a single customer would look like.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Generic Customer Network" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/12953i45A082F7910BD0D9/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Generic Customer.png" alt="Generic Customer Network" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Generic Customer Network</span></span></P><P>I know I'm asking a lot of you!</P> Tue, 12 Dec 2017 02:33:41 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-820-am-i-asking-too-much/m-p/191242#M57635 TimWarren-Oxygen 2017-12-12T02:33:41Z https://live.paloaltonetworks.com/t5/general-topics/pa-820-am-i-asking-too-much/m-p/191541#M57679 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77495">@TimWarren-Oxygen</a></P> <P>&nbsp;</P> <P>Interesting design. Why are you placing each client in it's own subinterface? To save on zones, you can also set all (or most) the subinterfaces on one physical to the same zone and then create an intra-zone policy to block/allow or simply scan. This woiuld spare you a bunch of zones as these 20*3 clients/zones could be served by 3 distinct zones.</P> <P>&nbsp;</P> <P>QoS may not scale as there's only 8 classes (QoS is mostly geared toward controlling groups of applications rather than unique sources) but I guess you could if you wanted to by applying a profile to source interface or subnet:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sourced QoS.png" style="width: 600px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/12986i5C80C31EF22AAD95/image-size/large?v=v2&amp;px=999" role="button" title="sourced QoS.png" alt="sourced QoS.png" /></span></P> Wed, 13 Dec 2017 15:21:32 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-820-am-i-asking-too-much/m-p/191541#M57679 reaper 2017-12-13T15:21:32Z https://live.paloaltonetworks.com/t5/general-topics/pa-820-am-i-asking-too-much/m-p/191543#M57680 <P>Thanks Reaper.</P><P>&nbsp;</P><P>Thats the same advise as I was given yesterday re-intra-zone policies to acheive what I want so I appreciate your input and I'll rework the design.</P><P>&nbsp;</P><P>The issue of how to allocate bandwidth per client/subnet is indeed a bit harder. Based on what I've looked at and your feedback I think I need to look for another solution to manage this aspect.</P><P>&nbsp;</P><P>Cheers</P><P>Tim</P> Wed, 13 Dec 2017 15:32:33 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-820-am-i-asking-too-much/m-p/191543#M57680 TimWarren-Oxygen 2017-12-13T15:32:33Z https://live.paloaltonetworks.com/t5/general-topics/pa-820-am-i-asking-too-much/m-p/192265#M57773 <P>I wonder if you might not be better off scaling with a VM host server setup and just spinning up virtual PA per client.</P><P>&nbsp;</P> Tue, 19 Dec 2017 13:30:05 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-820-am-i-asking-too-much/m-p/192265#M57773 pulukas 2017-12-19T13:30:05Z