https://live.paloaltonetworks.com/t5/general-topics/data-center-firewall-monolithic-vs-virtualized/m-p/286420#M76590 <P>This is purely theoretical and does not represent a real network.</P><P>You can think of this as on prem or public cloud:-</P><P>&nbsp;</P><P><U><STRONG>Monolithic</STRONG></U></P><P>This design utilizes 3 physical firewalls that are embedded in a data center fabric<BR />• Perimeter<BR />• B2B<BR />• DC<BR />The main focus of my question is on the DC firewall, as you can see segmentation is derived by using traditional zones. There are some people that like this design as its very simple and it has been used for years.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DC Firewall - monolithic.jpg" style="width: 957px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/21254i3DF8359DE04A83B4/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="DC Firewall - monolithic.jpg" alt="DC Firewall - monolithic.jpg" /></span></P><P>&nbsp;</P><P><U><STRONG>Virtualization</STRONG></U><BR />This design utilizes 3 physical firewalls that are embedded in a data center fabric<BR />• Perimeter<BR />• B2B<BR />• Virtualized (vfw’s)<BR />The main focus of my question is on the Virtualized firewall, as you can see segmentation is derived by creating virtualized firewalls that represent the Environment that we are trying to segment. There are some people that like this design as it provides greater audit capabilities on environments like PCI x and y -</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DC Firewall - virtualization.jpg" style="width: 957px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/21256i94C56522EC46184B/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="DC Firewall - virtualization.jpg" alt="DC Firewall - virtualization.jpg" /></span></P><P>&nbsp;</P><P>Can you provide a short paragraph on what your thoughts are – what do you see as the pro’s and con’s to each design.</P><P>Which one is better for on prem?</P><P>Which one is better for public cloud?</P><P>Which one would provide better audit capabilities?</P><P>Which one would provide better automation / orchestration capabilities?</P><P>Which one is more agile ?</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DC Firewall - virtualization.jpg" style="width: 0px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/21255iA6EA7233F208BBAD/image-size/small/is-moderation-mode/true?v=v2&amp;px=200" width="0" height="0" role="button" title="DC Firewall - virtualization.jpg" alt="DC Firewall - virtualization.jpg" /></span></P> Tue, 03 Sep 2019 21:30:29 GMT mcronin 2019-09-03T21:30:29Z https://live.paloaltonetworks.com/t5/general-topics/data-center-firewall-monolithic-vs-virtualized/m-p/286420#M76590 <P>This is purely theoretical and does not represent a real network.</P><P>You can think of this as on prem or public cloud:-</P><P>&nbsp;</P><P><U><STRONG>Monolithic</STRONG></U></P><P>This design utilizes 3 physical firewalls that are embedded in a data center fabric<BR />• Perimeter<BR />• B2B<BR />• DC<BR />The main focus of my question is on the DC firewall, as you can see segmentation is derived by using traditional zones. There are some people that like this design as its very simple and it has been used for years.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DC Firewall - monolithic.jpg" style="width: 957px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/21254i3DF8359DE04A83B4/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="DC Firewall - monolithic.jpg" alt="DC Firewall - monolithic.jpg" /></span></P><P>&nbsp;</P><P><U><STRONG>Virtualization</STRONG></U><BR />This design utilizes 3 physical firewalls that are embedded in a data center fabric<BR />• Perimeter<BR />• B2B<BR />• Virtualized (vfw’s)<BR />The main focus of my question is on the Virtualized firewall, as you can see segmentation is derived by creating virtualized firewalls that represent the Environment that we are trying to segment. There are some people that like this design as it provides greater audit capabilities on environments like PCI x and y -</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DC Firewall - virtualization.jpg" style="width: 957px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/21256i94C56522EC46184B/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="DC Firewall - virtualization.jpg" alt="DC Firewall - virtualization.jpg" /></span></P><P>&nbsp;</P><P>Can you provide a short paragraph on what your thoughts are – what do you see as the pro’s and con’s to each design.</P><P>Which one is better for on prem?</P><P>Which one is better for public cloud?</P><P>Which one would provide better audit capabilities?</P><P>Which one would provide better automation / orchestration capabilities?</P><P>Which one is more agile ?</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DC Firewall - virtualization.jpg" style="width: 0px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/21255iA6EA7233F208BBAD/image-size/small/is-moderation-mode/true?v=v2&amp;px=200" width="0" height="0" role="button" title="DC Firewall - virtualization.jpg" alt="DC Firewall - virtualization.jpg" /></span></P> Tue, 03 Sep 2019 21:30:29 GMT https://live.paloaltonetworks.com/t5/general-topics/data-center-firewall-monolithic-vs-virtualized/m-p/286420#M76590 mcronin 2019-09-03T21:30:29Z https://live.paloaltonetworks.com/t5/general-topics/data-center-firewall-monolithic-vs-virtualized/m-p/286605#M76629 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/51263">@mcronin</a>&nbsp;</P><P>Which one is better for on prem?</P><P>Which one is better for public cloud?</P><P><FONT color="#FF0000">Stop thinking of the "cloud" and on-prem networks differently, because they aren't. The "cloud" is generally when we can get away with making the most amount of changes without major disruption because the environments are just getting built out, so most people will have more isolation in the "cloud" environment. This isn't because it's needed, it's because more people actually get to redesign their environments with a proper segmented design.&nbsp;</FONT></P><P>Which one would provide better audit capabilities?</P><P><FONT color="#FF0000">Anytime you gain more insight into the traffic, you'll have better audit abilities. In your diagram it doesn't appear like the virtualized design as seperating the different groups into different zones, so your Monolithic design actually allows more insight into the traffic and therefore allows you to better audit connections.&nbsp;</FONT></P><P>Which one would provide better automation / orchestration capabilities?</P><P><FONT color="#FF0000">They are both the same. You would have a more complex environment with multiple virtualized firewalls over a single firewall with additional zones, but your automation abilities are the same if you have one firewall or multiple.&nbsp;</FONT></P><P>Which one is more agile ?</P><P><FONT color="#FF0000">Define agile. The virtualized diagram that you have would be better suited for a move into micro-segmentation in the furture, which should really be what you are aiming for.&nbsp;</FONT></P> Wed, 04 Sep 2019 16:58:50 GMT https://live.paloaltonetworks.com/t5/general-topics/data-center-firewall-monolithic-vs-virtualized/m-p/286605#M76629 BPry 2019-09-04T16:58:50Z