I just received a PA-500. This is my first PAN device, so some of the terminology is different from prior units. From what I understand, virtual wire mode is the same as transparent mode. Is this correct? In short, I want to place this device before our current FW (between our ISP and a Cisco ASA device) initially just to monitor/capture data as if this device was in production. All of our NAT and service roles will remain on the ASA until testing has been completed. I followed the direction from this KB article (How to Configure Virtual Wire (VWire)) going through the initial setup and creating alert profiles. Other than physically placing the device between our ASA and ISP device, is there anything else I need to do? I want to start seeing traffic flow, URL filtering, AV and such from the PAN device but without changing our current infrastructure. This is only for the initial test. The device will later be switched into L3 mode and replace our current ASA.
Vwire is very similar to "Transparent mode" in Cisco; however, Vwire doesn't maintain any ARP or MAC table, unlike transparent mode.
Vwire takes a packet from one interface and forwards it to the second interface. For this forwarding mechanism, it does not check an ARP or MAC table.
Your idea of implementation looks good to me. Make sure all profiles are in Alert mode, and you are logging all kinds of traffic. This means you should have a default "deny any any" rule at the end which does logging.
Will VPN traffic still pass through while the PAN device is in virtual mode? I have both user VPN accounts and multiple site-to-site VPNs configured on our ASA device. Thanks
It does pass IKE/IPsec packets; you don't have to worry about that. You are good to go for VPN traffic.
Let me know if this helps.
PA-500 in place without any hiccups. One problem regarding the data, and this may be a training/config issue: when I go to ACC and drill down to Facebook-Base, the source IP is showing our external IP address and not the end user as I expected, or at least their IP address. The destinations are facebook and akamaitechnologies (188.8.131.52). Did I plug the sources into the wrong ports? E1/1 is Untrusted (ISP) and E1/2 is trust (our current ASA firewall).
Since you are placed on the outside of your current firewall, you will be (are) seeing the traffic after NAT has been performed.
If you want to see the traffic before it becomes NAT-ed, you will have to move the virtual wire inside your current firewall.
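While the vwire sits outside the ASA, the only way to attribute a logged session to an internal host is to join the outside device's traffic log against the ASA's own NAT records. The following is an added example, not code from the thread or from either vendor: it parses constructed syslog lines in the style of Cisco ASA message 305011 ("Built dynamic ... translation") and 305012 ("Teardown dynamic ... translation"), builds a time-bounded PAT table keyed on protocol + public address + public port, and resolves each line of a constructed, simplified traffic log (the column layout here is an assumption, not the real PAN-OS export format) back to the inside source. It assumes both devices log timestamps from the same NTP-synced clock and that the ASA logs at informational level so the 305011/305012 messages are actually emitted.

```python
"""Map post-NAT sessions seen OUTSIDE a PAT device back to the inside host.

Added example (not from the forum thread). Inputs are constructed:
  - OUTSIDE_LOG: simplified traffic-log lines from the monitoring firewall
    (columns are an assumption, not the vendor's real CSV layout).
  - NAT_SYSLOG: lines in the style of Cisco ASA %ASA-6-305011 / 305012
    dynamic translation build/teardown messages.
"""
import re
from datetime import datetime

# Constructed outside-of-NAT traffic log: time,proto,src,sport,dst,dport,app
OUTSIDE_LOG = """\
2024-01-15 10:02:11,tcp,203.0.113.10,40001,157.240.1.35,443,facebook-base
2024-01-15 10:02:13,tcp,203.0.113.10,40002,23.1.2.3,443,akamai
2024-01-15 10:03:05,tcp,203.0.113.10,40001,157.240.1.35,443,facebook-base
2024-01-15 10:02:20,udp,203.0.113.10,40003,8.8.8.8,53,dns
"""

# Constructed NAT-device syslog. Note public port 40001 is reused by a second
# inside host after the first translation is torn down; the UDP/40003 session
# has no translation record at all (e.g. logging level too low or line lost).
NAT_SYSLOG = """\
Jan 15 2024 10:02:09: %ASA-6-305011: Built dynamic TCP translation from inside:10.1.1.5/51234 to outside:203.0.113.10/40001
Jan 15 2024 10:02:12: %ASA-6-305011: Built dynamic TCP translation from inside:10.1.1.7/51300 to outside:203.0.113.10/40002
Jan 15 2024 10:02:40: %ASA-6-305012: Teardown dynamic TCP translation from inside:10.1.1.5/51234 to outside:203.0.113.10/40001 duration 0:00:31
Jan 15 2024 10:03:01: %ASA-6-305011: Built dynamic TCP translation from inside:10.1.1.9/50050 to outside:203.0.113.10/40001
"""

XLATE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-6-(?P<msg>30501[12]): "
    r"(?:Built|Teardown) dynamic (?P<proto>TCP|UDP) translation from "
    r"\w+:(?P<in_ip>[\d.]+)/(?P<in_port>\d+) to \w+:(?P<out_ip>[\d.]+)/(?P<out_port>\d+)"
)


def parse_translations(syslog_text):
    """Return {(proto, public_ip, public_port): [[start, end, in_ip, in_port], ...]}.

    `end` stays None for a translation whose teardown has not been seen yet.
    """
    table = {}
    for line in syslog_text.splitlines():
        m = XLATE_RE.match(line)
        if not m:
            continue  # not a build/teardown message; ignore
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        key = (m["proto"].lower(), m["out_ip"], int(m["out_port"]))
        inside = (m["in_ip"], int(m["in_port"]))
        entries = table.setdefault(key, [])
        if m["msg"] == "305011":
            entries.append([ts, None, inside[0], inside[1]])
        else:
            # Close the most recent still-open entry for this inside host/port.
            for entry in reversed(entries):
                if entry[1] is None and (entry[2], entry[3]) == inside:
                    entry[1] = ts
                    break
    return table


def resolve_source(table, when, proto, public_ip, public_port):
    """Inside (ip, port) whose translation was live at `when`, else None."""
    for start, end, in_ip, in_port in table.get((proto, public_ip, public_port), []):
        if start <= when and (end is None or when <= end):
            return in_ip, in_port
    return None


def resolve_log(outside_log, nat_syslog):
    """Return [(log_time, app, 'public_ip:port', inside_or_None), ...]."""
    table = parse_translations(nat_syslog)
    results = []
    for line in outside_log.splitlines():
        if not line.strip():
            continue
        ts, proto, src, sport, _dst, _dport, app = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        inside = resolve_source(table, when, proto, src, int(sport))
        results.append((ts, app, f"{src}:{sport}", inside))
    return results


if __name__ == "__main__":
    for ts, app, public, inside in resolve_log(OUTSIDE_LOG, NAT_SYSLOG):
        who = f"{inside[0]}:{inside[1]}" if inside else "UNRESOLVED"
        print(f"{ts}  {app:<14} {public:<22} -> {who}")
```

The time-window match matters because PAT reuses public ports: the two facebook-base sessions above share port 40001 but resolve to different inside hosts. A session with no matching build record (the DNS line) is reported as unresolved rather than guessed; if that happens often, the NAT device's logging level or log transport is the thing to fix, and it is also the practical reason the reply recommends moving the vwire inside the ASA, where the pre-NAT address (and User-ID mapping) is visible directly.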
Would all of my existing traffic be untouched? VPN, NAT, policies, etc.? Logically, it seems right. I am thinking this is necessary, as User-ID is not working either (everything is connected).