https://live.paloaltonetworks.com/t5/general-topics/installing-a-pair-of-850s-and-a-pair-of-3260s-this-weekend/m-p/216845#M62771 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/88384">@campbech1</a>,</P><P>You could through the use of application override policies and simply disabling all profiles assigned to the appropriate security policies. The real question would be if the backups really need to happen at line speed or if you could still leave at least app-id enabled so you can verify that it's at least backup traffic.&nbsp;</P><P>The issue with what you are proposing is that the application override policy stops app-id and then if you are disabling threat identification on this traffic you essentially say that anything from/to your backup server from/to your servers is perfectly fine. I would only&nbsp;<EM>think</EM> of doing this if your backup system is completely offline and managed through an offline computer. If that backup system becomes infected you are giving it a very easy path to spread throughout your environment.&nbsp;</P> Wed, 06 Jun 2018 13:48:17 GMT BPry 2018-06-06T13:48:17Z https://live.paloaltonetworks.com/t5/general-topics/installing-a-pair-of-850s-and-a-pair-of-3260s-this-weekend/m-p/216825#M62768 <P>We have had some requirements change since ordering this equipment and may change direction on where these new firewalls get installed.</P><P>&nbsp;</P><P>Initially we ordered the 3260s for our hosted data center since most of the servers are located there and vendor provided backup solution is there. The concern was the amount of traffic that we would be pushing through the firewall during backup times. All of the server VLANs&nbsp;are terminated on the firewalls. That direction is changing now. We are looking to move the servers back to our corporate location where we had planned on the 850s to be installed.</P><P>&nbsp;</P><P>A&nbsp;long term direction was proposed today to bring these servers back in-house by the end of the year which changes where I potentially place these firewalls. I'm now looking at installing the 850s at the hosted data center and the 3260s at our corporate location (data center).</P><P>&nbsp;</P><P>Am I able to write a policy to allow hosts to talk to other hosts through the firewall but to disable the APP-ID and threat prevention policies to allow traffic to flow at the 10G speeds? This would be related to backup traffic in particular.</P><P>&nbsp;</P><P>Thank you in advance. This should be an interesting weekend installing these since I've been a Cisco engineer for the past 20 years.</P> Wed, 06 Jun 2018 12:52:45 GMT https://live.paloaltonetworks.com/t5/general-topics/installing-a-pair-of-850s-and-a-pair-of-3260s-this-weekend/m-p/216825#M62768 campbech1 2018-06-06T12:52:45Z https://live.paloaltonetworks.com/t5/general-topics/installing-a-pair-of-850s-and-a-pair-of-3260s-this-weekend/m-p/216845#M62771 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/88384">@campbech1</a>,</P><P>You could through the use of application override policies and simply disabling all profiles assigned to the appropriate security policies. The real question would be if the backups really need to happen at line speed or if you could still leave at least app-id enabled so you can verify that it's at least backup traffic.&nbsp;</P><P>The issue with what you are proposing is that the application override policy stops app-id and then if you are disabling threat identification on this traffic you essentially say that anything from/to your backup server from/to your servers is perfectly fine. I would only&nbsp;<EM>think</EM> of doing this if your backup system is completely offline and managed through an offline computer. If that backup system becomes infected you are giving it a very easy path to spread throughout your environment.&nbsp;</P> Wed, 06 Jun 2018 13:48:17 GMT https://live.paloaltonetworks.com/t5/general-topics/installing-a-pair-of-850s-and-a-pair-of-3260s-this-weekend/m-p/216845#M62771 BPry 2018-06-06T13:48:17Z