topic Re: recommendation when putting the Palo Alto in a vwire mode. in General Topics

recommendation when putting the Palo Alto in a vwire mode.

nson2139 — Thu, 25 Oct 2018 13:55:28 GMT

Folks,

we have a switch to switch routing protocol running and the requirement is to put a palo alto in a vwire mode on such an environent. Please see the file attached with tis post.

Now, the catch to this is the "switch-out" forms neighbours with "switch-01" and "switch-02" and packets going inside one link could come out of the other. I just wanted to ensure that this will not cause any packets drops as long as the zones are correctly configured.

also, from a very high level what configuration would be needed? Convert each interface to a vwire? add the zones? add the policies? anything else?

Thanks!!!

Re: recommendation when putting the Palo Alto in a vwire mode.

Raido_Rattameister — Thu, 25 Oct 2018 16:07:06 GMT

Does it have to be virtual wire?

What if you configure those 4 Palo interfaces in Layer 2 mode.

Set Ethernet 1 and 3 into one Aggregate Group.

Set Ethernet 4 and 6 into second Aggregate Group.

In this case all packets from same communication are correctly matched into correct session in Palo.

Re: recommendation when putting the Palo Alto in a vwire mode.

nson2139 — Thu, 25 Oct 2018 16:28:09 GMT

thanks for the comments mate!!

Yes, it has to be virtual wire becuase we do not want to disturb anything in the existing setup. There is already routing protocols running between the switches and we want to retain that.

The firewall should maintain the state table from one zone to the other, right?

if yes, this should work without any challenges from what I think.

Re: recommendation when putting the Palo Alto in a vwire mode.

Raido_Rattameister — Thu, 25 Oct 2018 17:03:58 GMT

Hey I checked and virtual wire allows multiple interfaces in it also using aggregates.

Re: recommendation when putting the Palo Alto in a vwire mode.

nson2139 — Thu, 25 Oct 2018 18:24:56 GMT

yes, I agree. But in my case the switches are on a single interface. There is no point using the aggregate interfaces. 🙂

aggregate interface would be needed if they are also connected to the same switch ...right?

Re: recommendation when putting the Palo Alto in a vwire mode.

Raido_Rattameister — Thu, 25 Oct 2018 18:22:08 GMT

It is not about switch. It is for Palo so that all packets both ways would be combined together into single virtual wire in Palo standpoint so it could correctly perform AppID and threat prevention.

Re: recommendation when putting the Palo Alto in a vwire mode.

nson2139 — Fri, 26 Oct 2018 08:11:05 GMT

ok, understood. However, do you see a potential issue that could occur in the ealier design?

The firewall should still be able to keep session information if the packet comes inside over one path and goes out via the other, right?

Re: recommendation when putting the Palo Alto in a vwire mode.

Raido_Rattameister — Fri, 26 Oct 2018 18:34:09 GMT

When you create Aggregate Ethernet Interface in Palo you leave LACP disabled so switches are not aware that this traffic is merged in firewall.

How should firewall otherwise merge packets passing over different interfaces together into same session?

Re: recommendation when putting the Palo Alto in a vwire mode.

Raido_Rattameister — Fri, 26 Oct 2018 18:42:22 GMT

Gave this another thought and you would need to test how traffic exits from vw. Might not exit from interface you need.

Do you have single firewall or HA pair.

If HA pair then maybe it can be designed using A/A setup.