I currently have a PAN 3220 sitting in serial behind a Cisco ASA. The PAN's doing the higher level inspection, geo, correlation warnings, content filtering. I had written earlier on the forum about wanting to implement layer 3 on new interfaces and it sounds possible. I've added interfaces inside and out and marked them as layer 3 and added them to new zones L3-OUTIDE and L3-INSIDE. I just haven't assigned them to a router nor assigned IP address. At turn up I plan to..
Create a deny any L3-OUTSIDE to any L3-INSIDE rule at the top of the rule set
(Future Allow rules will go above these)
Create a virtual router
Add IPv4 addresses to the interfaces
Assign the interfaces to the virtual router
Add some static routes initially - default external and internal (later perhaps I'll add dynamic)
Once this is in place I can put in a NAT to a test host.
Is there any step I've missed or anything that could interfere with the existing vWire layer 2 traffic flows? Since the traffic is in a different set of zones an not participating in my new virtual router I believe it should not be affected. But figured I'd check the PAN Hive Brain before plowing ahead. Thank you.
Sounds like you have all the bases covered and it won't cause any issues with your existing configuration. The firewall has built-in validation logic that really won't let you mix virtual-wire and layer3, so you really don't have to worry about breaking your existing functionality.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!