https://live.paloaltonetworks.com/t5/general-topics/isp-router-connection-best-practice/m-p/387686#M90408 <P>Hi All,</P><P>&nbsp;</P><P>Just looking for advise , pros vs cons about connecting an ISP internet feed directly to our core mpls/vpls switch. &nbsp;<BR /><BR /></P><P>ISP Internet Router—&gt;adva—&gt;Core Switch(siteA)—&gt;mpls/vpls—&gt;Core Switch(siteB)—&gt; Palo Alto</P><P>&nbsp;</P><P>The PA firewall will have a separate VR and will nat traffic from 10.x LAN to Public before routing out to Internet via core. &nbsp;<BR /><BR />There is ospf routing on all cores and distribution switches connecting to cores as well as L2/L3 traffic from other sites.</P><P>&nbsp;</P><P>Is this acceptable and what are the security concerns?&nbsp;<BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 25 Feb 2021 01:22:56 GMT MistryJa 2021-02-25T01:22:56Z https://live.paloaltonetworks.com/t5/general-topics/isp-router-connection-best-practice/m-p/387686#M90408 <P>Hi All,</P><P>&nbsp;</P><P>Just looking for advise , pros vs cons about connecting an ISP internet feed directly to our core mpls/vpls switch. &nbsp;<BR /><BR /></P><P>ISP Internet Router—&gt;adva—&gt;Core Switch(siteA)—&gt;mpls/vpls—&gt;Core Switch(siteB)—&gt; Palo Alto</P><P>&nbsp;</P><P>The PA firewall will have a separate VR and will nat traffic from 10.x LAN to Public before routing out to Internet via core. &nbsp;<BR /><BR />There is ospf routing on all cores and distribution switches connecting to cores as well as L2/L3 traffic from other sites.</P><P>&nbsp;</P><P>Is this acceptable and what are the security concerns?&nbsp;<BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 25 Feb 2021 01:22:56 GMT https://live.paloaltonetworks.com/t5/general-topics/isp-router-connection-best-practice/m-p/387686#M90408 MistryJa 2021-02-25T01:22:56Z https://live.paloaltonetworks.com/t5/general-topics/isp-router-connection-best-practice/m-p/387711#M90412 <P>Hi Mate,</P><P>I am not sure about the other networks connected to your core, but the basic priniciple is to have your firewall as close to the perimeter as possible. Firewall is your first line of defence and not last.</P><P>&nbsp;</P><P>It is a better design to filter all the traffic through firewall on site A, before being sent out to site B.&nbsp;</P><P>&nbsp;</P><P>So what you have is feasible, but your call where you would like to have it. For me site A makes more sense.</P><P>&nbsp;</P><P>Regards,</P><P>Varun Rao</P> Thu, 25 Feb 2021 04:08:14 GMT https://live.paloaltonetworks.com/t5/general-topics/isp-router-connection-best-practice/m-p/387711#M90412 VarunRao 2021-02-25T04:08:14Z https://live.paloaltonetworks.com/t5/general-topics/isp-router-connection-best-practice/m-p/387721#M90414 <P>Hello Varun,</P><P>&nbsp;</P><P>Even if the static routing ensures that traffic gets routed directly to the firewall ?&nbsp;<BR /><BR />Regards,</P><P>&nbsp;</P> Thu, 25 Feb 2021 05:54:06 GMT https://live.paloaltonetworks.com/t5/general-topics/isp-router-connection-best-practice/m-p/387721#M90414 MistryJa 2021-02-25T05:54:06Z