depending on how you want to split up your IP subnet (or not at all) you could go for a full layer3 config and create a DMZ zone, trust zone and untrust zone, each with their own subnet
you'd put all your laptops/desktops in the trust zone/subnet, all the servers in the dmz zone/subnet and hook up the ISP to the untrust
you'll now be able to create security policies between each zone, tailored to the specific access each zone requires to the destination zone (eg. trust + dmz ssl + web-browsing out for surfing and updates, trust to dmz all sorts of control applications (rdp, http, ssh, db,...) and only the strictly required apps from untrust to dmz (ssl, http,...)
alternatively if you'd prefer to keep all local hosts in the same IP subnet, you could create an internal layer2 setup with 2 or more interfaces in layer2, with l3 routing enabled. you can then hook up all the laptops/desktop to one interface. all the servers to the other interface, they'll all act as if they're on the same 'switch' but the firewall will be able to inspect traffic between the 2 virtual segments
please check out these Getting Started articles for some more info on each deployment:
You're mixing L2 and L3.
As far as logical L3 topology I'd suggest seperating NAS from client segment.
Put PA in center of your network, make 3 layer 3 interfaces:
- 1 interface for ISP link however it needs to be configured, zone untrust/internet....
- 1 interface for clients, zone trust/lan...
- 1 interface for SAN and other servers, zone server/DMZ...
Use both curent switches as L2 access switches; one for clients, one for servers.
Thanks for your advice. Using virtual wire could simplify things from the perspective of FW configuration, but what you propose makes definetly more sense for a more granular security scheme.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!