I'm currently working on a migration project from Sonicwall (SW) to Palo Alto 3020 (PA) and I need to buy myself some time. For now, I'd like to place the SW inside of the PA so that LAN-WAN traffic will enjoy the benefits of Wildfire, Antivirus, App-ID, and threat detection. Things get a bit complicated, though, due to the SW doing NAT, Ipsec site-site VPN, and SSL VPN (for now).
Originally I was thinking of creating a bidirectional NAT on PA that would map the old public address of the SW to a new private address that I'd assign to the SW public interface.
But I'm thinking it might be simpler to make use of Layer 2 interfaces on PA. Here I'd create two layer 2 interfaces:
Interface A would connect to the Internet router via switch A.
Interface B would connect directly to the SW public interface.
Now I don't have to renumber the SW public interface at all.
Thanks in advance for any advice!
Solved! Go to Solution.
You could use vwire interfaces on the PA so that you don't have to worry about changing IP addresses. If you do that, it might make more sense to put the PA on the trusted side of the SW so that you can do the various inspections on the real addresses instread of on a translation address and port.
Interesting. I had considered a virtual wire but I'm not sure I understand it fully. I guess the difference between a vwire and a layer 2 interface is that a vwire can allow multiple VLANs through, just like a physical cable? That would be attractive on the trusted side of the SW since the SW uses subinterfaces to carry all the internal VLAN traffic.
But I think I may still want the PA on the untrusted side of the SW, to protect the SW itself. I suppose I could have two vwires, right?
Back to my original proposal, if I use a pair of Layer 2 interfaces to link the SW to the WAN, I also don't have to worry about changing IP addresses, right?
Thank you, I've done some testing and it looks like it will probably work. The only hitch is I am running an active/passive HA pair, so in order to connect the vwire to my router, I am actually connecting interface 11 from each of the PAs into the switch.
Then for testing, I'm using a laptop, so to connect it to the HA pair I created VLAN 40 on the switch and connected interface 12 from each of the PAs, plus the laptop, into that VLAN.
(Interface 11 and 12 on PA are the vwire interfaces.)
The switch doesn't seem to like this--the switchport that the active PA is connected to always goes into BLOCKED state. That VLAN has spanning tree turned on; maybe I should try turning it off. I'm not sure it will matter in the actual deployment. For now, if I remove all the links to VLAN 40 and just connect the laptop directly into interface 12 of the active PA, I can reach the internet and I can monitor the traffic in the PA.
EDIT: The issue turned out to be that the switch is set up with "spanning tree single" (Brocade/Foundry). Once I turned off spanning tree in VLAN 40 it was no longer part of the switch-wide spanning tree, so it allowed me to bridge VLAN 40 to the other VLAN on the switch.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!