https://live.paloaltonetworks.com/t5/general-topics/one-configuration-for-multiple-sites/m-p/191626#M57692 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/79072">@ddocksta</a>,</P><P>I would take a look at&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>'s excellent&nbsp;<A href="https://live.paloaltonetworks.com/t5/Tutorials/Getting-Started-Setting-Up-Your-Firewall-video/ta-p/68103" target="_blank">Getting Started</A>&nbsp;guide. Once you have more specific questions it gets a little easier to help you along the way, but you shouldn't run into any issues getting this to function correctly.&nbsp;</P><P>&nbsp;</P><P>You can look at the actual PAN-OS 8.0 Getting Started documentation as well&nbsp;<A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/getting-started" target="_blank">Admin Guide - Getting Started</A></P> Wed, 13 Dec 2017 21:54:37 GMT BPry 2017-12-13T21:54:37Z https://live.paloaltonetworks.com/t5/general-topics/one-configuration-for-multiple-sites/m-p/191584#M57688 <P>We are trying to deploy the PA 220&nbsp;at multiple sites.&nbsp; The firewall will be facing an outside internet connection protecting a production server.&nbsp; Objective 1 is to create vpn accounts for specified users and machines (using MAC addresses) to control access,&nbsp; &nbsp;Objective 2 is to block ALL other traffic (incoming/outgoing)&nbsp; &nbsp;Objective 3 Create a config that can be download to the firewall which will be updated at our home office.&nbsp;</P><P>&nbsp;</P><P>I have just recieved my PA 220 to begin testing.&nbsp; Any assistance, advice, references to docs.&nbsp; etc.&nbsp; will be appreciated.</P><P>&nbsp;</P><P>Thanks in advance&nbsp;&nbsp;</P> Wed, 13 Dec 2017 18:21:18 GMT https://live.paloaltonetworks.com/t5/general-topics/one-configuration-for-multiple-sites/m-p/191584#M57688 ddocksta 2017-12-13T18:21:18Z https://live.paloaltonetworks.com/t5/general-topics/one-configuration-for-multiple-sites/m-p/191626#M57692 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/79072">@ddocksta</a>,</P><P>I would take a look at&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>'s excellent&nbsp;<A href="https://live.paloaltonetworks.com/t5/Tutorials/Getting-Started-Setting-Up-Your-Firewall-video/ta-p/68103" target="_blank">Getting Started</A>&nbsp;guide. Once you have more specific questions it gets a little easier to help you along the way, but you shouldn't run into any issues getting this to function correctly.&nbsp;</P><P>&nbsp;</P><P>You can look at the actual PAN-OS 8.0 Getting Started documentation as well&nbsp;<A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/getting-started" target="_blank">Admin Guide - Getting Started</A></P> Wed, 13 Dec 2017 21:54:37 GMT https://live.paloaltonetworks.com/t5/general-topics/one-configuration-for-multiple-sites/m-p/191626#M57692 BPry 2017-12-13T21:54:37Z https://live.paloaltonetworks.com/t5/general-topics/one-configuration-for-multiple-sites/m-p/191894#M57730 <P>Hello,</P><P>This is an interesting scenario. I did this with Cisco equipment back in the day and worked out kind of well. Of course I had to preconfigure the equipment inhouse prior to shipping and we had 3g (yes that old) connections with static IP's for easy prebuilt VPN tunnels. While I think most of the config can be a 'template', there&nbsp;are going to be some custom configs for sure.</P><P>&nbsp;</P><P>1. External IP(s), you'll need to know what they are unless you are getting DHCP from the ISP? A layer 3 interface can get its IP by DHCP.</P><P>2. Tunnel all traffic back through your data cetners main connections. This way you can NAT the servers there if they need to be access from the public internet.</P><P>3. I would create a rule on the 220's that allows the following: VPN conections from your data center IP's only. Also for the purpose of remote configuration, allow admin access to the device from your data center IP's only.</P><P>All of this followed by a DENY ALL rule which preceeds the default allow rules that are preconfigured so that your systems are safe.</P><P>&nbsp;</P><P>While some of my suggestions seem a bit old fashion, they do prevent a lot of headaches from the configuration and maintenance side of things.</P><P>&nbsp;</P><P>Just some thoughts.</P><P>&nbsp;</P><P>Cheers!</P> Fri, 15 Dec 2017 16:53:25 GMT https://live.paloaltonetworks.com/t5/general-topics/one-configuration-for-multiple-sites/m-p/191894#M57730 OtakarKlier 2017-12-15T16:53:25Z