Implementing PA-500 Firewall along side of Cisco ASA

Reply
Highlighted
L1 Bithead

Implementing PA-500 Firewall along side of Cisco ASA

Hi there, 

 

We currently have a Cisco ASA 5512 in place, and we're planinng on implementing a PA-500 for web and app filtering. Has any one in the community ever done this before? If so, I'd greatly appreciate some advice.

 

Thank you

Highlighted
L7 Applicator

Re: Implementing PA-500 Firewall along side of Cisco ASA

I imagine that you are primarly looking to keep the 5512 for AnyConnect correct? If I already had a PA-500 the only thing that I would really want to keep the 5512 in place for is AnyConnect if I was bringing in the 500, but I also hate GlobalProtect's user interface so I'm a little biased. 

If you are looking to only have the 5512 for AnyConnect let us know and I can provide a more detailed description of how I'm doing this with our equipment.

 

If you are looking at implementing the 500 inline with the 5512 and just wish to gain the filtering capability of the 500 I would set it up as TAP and put it infront of the 5512 and frontend all traffic before it hits the 5512, the only downside to this setup would be that you will have to maintain two firewalls. 

Highlighted
L1 Bithead

Re: Implementing PA-500 Firewall along side of Cisco ASA

Thank you for your reply BPry, I'm actually looking at implementing the 500 inline with 5512 and simply using the 500 for web/content filtering. Do you happen to have any useful documentation ?

 

Thank you,

Behzad

Highlighted
L7 Applicator

Re: Implementing PA-500 Firewall along side of Cisco ASA

If that is all you are doing then simply put the device into tap mode and it will be able to look at the traffic before it enters the ASA. Simply create an 'any any' allow rule and apply a url filter profile on that rule and you should be set. Added benefit is you will be able to still take basically full advantage of most of the Palo Alto features. Find the documentation in the link below

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-De...

Highlighted
L7 Applicator

Re: Implementing PA-500 Firewall along side of Cisco ASA

you are correct, if you want to use web filtering you cannot use tap mode.  In tap mode we are looking at the stream of traffic and logging only offlline to the traffic and cannot affect it.

 

If you have a fully functional existing firewall, the simplest way to insert some PA funcationality like web filtering is to use vWire mode.  In this mode two ports of the PA are treated as a virtual wire, as if they are simply a patch cable that the traffic goes through and have now layer 2 or layer 3 impact on your existing network.

 

You disconnect the internal path of your traffic into the ASA and connect that to the trust side port of your two vWire ports.  Then run a new cable from the untrust vWire port to the ASA.  Now all your traffic can be web filtered and controled on the PA and no rules on your ASA are changed.

 

Basic instructions for this are here.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Virtual-Wire-VWire/ta-p...

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!