https://live.paloaltonetworks.com/t5/general-topics/full-mesh-or-hub-and-spoke-vpns-running-ospf/m-p/1028#M807 <HTML><HEAD></HEAD><BODY><P>...terminate one or two of your sites to the Palo and evaluate it <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>We just migrated to Palo firewalls and we switched our IPSec VPN architecture over also. We have Cisco routers at a dozen or so remote sites with static public IPs that terminate thier IPSec tunnels back to the Palos at HQ. Prior to switching our VPN over, I did a lot of lab testing with different IPSec VPN scenarios such as full mesh, hub/spoke, static VPN routes and found that I found that the Palos are very versatile and and seem to handle almost any design.</P><P></P><P>We use Cisco at the remote sites, but Juniper routers should work just as well...the SRX series for example, can do policy based or route based VPN. I used this guide for our set up...but for your Juniper routers you will just have to do some lab testing for the VPN termination architecture.</P><P></P><P><SPAN style="font-size: 10.5pt; color: black;">How to Configure Dynamic Routing over IPSec against Cisco routers:</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;"><A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-2250">https://live.paloaltonetworks.com/docs/DOC-2250</A></SPAN></P><P></P><P>As for your stability comment about Juniper releases...I know what you mean. We use the Juniper SA Series and the software releases upset stuff very frequently.</P><P>The stability of your new design would be determined by how often you upgrade software on your remote Juniper routers and on the Palo. Because you will be working with the dedicated Palo hardware (vs your current VPN termination approach using the Juniper NSM), I don't expect core features (such as IPSec) on the Palo changing as much where it should cause stability issues with VPN tunnels.</P></BODY></HTML> Fri, 10 Aug 2012 14:17:38 GMT panman 2012-08-10T14:17:38Z https://live.paloaltonetworks.com/t5/general-topics/full-mesh-or-hub-and-spoke-vpns-running-ospf/m-p/1026#M805 <HTML><HEAD></HEAD><BODY><P>Hi there,</P><P></P><P>is anyone managing this with let's say 50 sites and multiple connections (Internet, MPLS). </P><P></P><P>Currently we are using Juniper and the VPN manager inside the central management (NSM) does this job for us. The good thing is that when you have found a NSM release which is working and has no show stopping bugs it is running really well.</P><P></P><P>How does Palo Alto solve this.</P><P></P><P>Thanks for helping me <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P></BODY></HTML> Fri, 06 Jul 2012 12:13:23 GMT https://live.paloaltonetworks.com/t5/general-topics/full-mesh-or-hub-and-spoke-vpns-running-ospf/m-p/1026#M805 hag 2012-07-06T12:13:23Z https://live.paloaltonetworks.com/t5/general-topics/full-mesh-or-hub-and-spoke-vpns-running-ospf/m-p/1027#M806 <HTML><HEAD></HEAD><BODY><P>Anyone?</P></BODY></HTML> Fri, 10 Aug 2012 08:17:32 GMT https://live.paloaltonetworks.com/t5/general-topics/full-mesh-or-hub-and-spoke-vpns-running-ospf/m-p/1027#M806 hag 2012-08-10T08:17:32Z https://live.paloaltonetworks.com/t5/general-topics/full-mesh-or-hub-and-spoke-vpns-running-ospf/m-p/1028#M807 <HTML><HEAD></HEAD><BODY><P>...terminate one or two of your sites to the Palo and evaluate it <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>We just migrated to Palo firewalls and we switched our IPSec VPN architecture over also. We have Cisco routers at a dozen or so remote sites with static public IPs that terminate thier IPSec tunnels back to the Palos at HQ. Prior to switching our VPN over, I did a lot of lab testing with different IPSec VPN scenarios such as full mesh, hub/spoke, static VPN routes and found that I found that the Palos are very versatile and and seem to handle almost any design.</P><P></P><P>We use Cisco at the remote sites, but Juniper routers should work just as well...the SRX series for example, can do policy based or route based VPN. I used this guide for our set up...but for your Juniper routers you will just have to do some lab testing for the VPN termination architecture.</P><P></P><P><SPAN style="font-size: 10.5pt; color: black;">How to Configure Dynamic Routing over IPSec against Cisco routers:</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;"><A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-2250">https://live.paloaltonetworks.com/docs/DOC-2250</A></SPAN></P><P></P><P>As for your stability comment about Juniper releases...I know what you mean. We use the Juniper SA Series and the software releases upset stuff very frequently.</P><P>The stability of your new design would be determined by how often you upgrade software on your remote Juniper routers and on the Palo. Because you will be working with the dedicated Palo hardware (vs your current VPN termination approach using the Juniper NSM), I don't expect core features (such as IPSec) on the Palo changing as much where it should cause stability issues with VPN tunnels.</P></BODY></HTML> Fri, 10 Aug 2012 14:17:38 GMT https://live.paloaltonetworks.com/t5/general-topics/full-mesh-or-hub-and-spoke-vpns-running-ospf/m-p/1028#M807 panman 2012-08-10T14:17:38Z