Dual Firewall pair-True DMZ design

L4 Transporter

Dual Firewall pair-True DMZ design

Hello All,


I am looking for any helpful suggestions, recommendations, critiques, etc. for my new firewall design implementation project.

Currently, we have a pair of 5020s facing the internet and having DMZs, Internet and Internal networks on them. My management would like me to implement a "True DMZ" with new 5220s for greater SSL decryption capabilities (refer to the link for a sample diagram: https://security.stackexchange.com/questions/54278/dual-firewall-dmz )

Can someone please shed some light on this design and the benefits it can buy us? Also, is it worth spending the money and effort?



L6 Presenter

Re: Dual Firewall pair-True DMZ design

Oooooohhh.... tricky one....


so many questions could be slung at solving this equation....


for me none of the above....  but of course we do not all have the same coloured eyes....


three leg single firewall, simple...  no brainer if you have one website to download a restaurant menu... simples...


however, as things get busy then all dmz traffic is in and out of the same interface... tromboning..


so dual firewall is good for our environment. User connects from outside to external firewall, external nat to dmz. User connection stops there. Dmz server, proxy, rdp gateway or load balancer, yes load balancer that adopts fully proxied architecture then does all the backend stuff via the internal firewall to the private network if needs be...


Users outgoing connections do not pass through the dmz, they go direct to external firewall.


perhaps old school but nothing passes directly through our dmz. If traffic does pass through the dmz then it becomes an intermediate network instead, so if you require internal Gwyneth Paltrows to increase ssl decryption then perhaps do an intermediate hop to externals.


but any of your options are acceptable and doable..


is it worth the additional costs... well if you need it then of course...
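The two-firewall layout described in this reply, expressed as policy invariants: this is an added example, not part of the thread and not any vendor's configuration. It models a constructed rule set for an external and an internal firewall (zone names, ports and the `Rule` shape are assumptions) and flags rules that would turn the DMZ into a transit network instead of a place where inbound connections terminate.

```python
# Added example: check a simplified two-firewall policy against the "true DMZ"
# rules from the post above. Zones, ports and rules are constructed here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    fw: str    # "external" (faces the Internet) or "internal" (DMZ <-> private)
    src: str   # source zone
    dst: str   # destination zone
    port: str  # "any" or a single TCP port, as a string


# Constructed sample policy that follows the design in the reply.
POLICY = [
    Rule("external", "internet", "dmz", "443"),       # users hit the reverse proxy
    Rule("external", "private", "internet", "any"),   # outbound traffic skips the DMZ
    Rule("internal", "dmz", "private", "8443"),       # proxy to backend, one port only
    Rule("internal", "private", "dmz", "3389"),       # admins to the RDP gateway
]


def violations(policy):
    """Return one finding per rule that breaks the dual-firewall DMZ design."""
    findings = []
    for r in policy:
        # 1. Inbound Internet connections must terminate in the DMZ; the external
        #    firewall never forwards them anywhere else.
        if r.fw == "external" and r.src == "internet" and r.dst != "dmz":
            findings.append(f"external: internet -> {r.dst} must terminate in dmz")
        # 2. The internal firewall should never reference the Internet zone at all;
        #    if it does, traffic is passing through the DMZ rather than stopping there.
        if r.fw == "internal" and "internet" in (r.src, r.dst):
            findings.append(f"internal: rule touches internet zone ({r.src} -> {r.dst})")
        # 3. DMZ -> private is "ip and port" only: an explicit port, never "any".
        if r.fw == "internal" and (r.src, r.dst) == ("dmz", "private") and r.port == "any":
            findings.append("internal: dmz -> private allows any port")
    return findings


# Constructed counter-example: two rules that break invariants 1 and 3.
BAD_POLICY = POLICY + [
    Rule("external", "internet", "private", "22"),
    Rule("internal", "dmz", "private", "any"),
]

if __name__ == "__main__":
    print(violations(POLICY))      # []
    print(violations(BAD_POLICY))  # two findings
```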

L4 Transporter

Re: Dual Firewall pair-True DMZ design

@MickBall Thank you so much for the response. We have internal users connecting to DMZ servers and DMZ servers connecting to internal servers. Besides providing a cleaner design, is it going to provide me any more security benefits?

I mean, for example: if an attacker gained access to my DMZ server through the external firewall by evading detection, there is nothing stopping him through the internal firewall to an internal server on a specific port (based on the security policy) because both of them are Palo. I do see a great advantage of this design by employing 2 different firewall vendors, but not a single one.

Please correct me if I am wrong and feel free to add some points.

L6 Presenter

Re: Dual Firewall pair-True DMZ design

No you are not wrong regarding your security concerns...


no matter how many firewalls you have and what flavour they are you cannot guarantee with your life that something cannot penetrate your defenses, you can throw all the security scans in the world but they will not test for unknown, yet to be developed threats... who knows what's around the corner...


but, you can do your best, nothing else....


in your example of web server in dmz..... very unlikely that hacker can get onto server via https and then jump to private network.


however... your private users have access to the server, and an attacker on a compromised dmz server could piggyback or inject pages into your private users' return traffic as this is how stateful firewalls work.


the above is a wild over imaginative view of what may happen but it's an overview of what could happen...


we do not allow web servers in dmz because of the possibility of the above.


as previous post.. we only have reverse proxies, rdp gateways and load balancers plus some ftp stuff in our dmz.


we do have different brand firewalls but this is not for security, more budget..


our private net to dmz only does ip and port and a bit of nat.


I have gone on a bit but if you are using web servers on dmz then no major security advantage on twin firewalls but if you have tens of thousands of sessions then perhaps yes, it all depends on your setup.