This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

best design for a small network

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

best design for a small network

Perseus
L1 Bithead

‎08-23-2016 11:47 PM

Good morning, We just got a Palo Alto Firewall for a small testing lab with several virtual servers and clients. The firewall will be then connected between the lab and our ISP gateway. Most of the network traffic will be internal, since the clients will be connecting to the servers with a switch, and the switch will then be connected to the FW. However, we will have a few clients (3 or 4) that will connect directly to the FW, so for the servers will appear they are connecting from outside. Besides the application testing inside the network lab, the most important will be allowing all these clients to get updates from the internet. We don’t have much experience configurating the palo alto FW, but we would like to make sure nothing nasty is coming from outside. Could you please give us some advice about what design could be better for it (Virtual Wire, L3, L2, etc)? Thanks in advance,
1 person had this problem.
0 Likes Likes
4 REPLIES 4

reaper
Cyber Elite
Cyber Elite

‎08-24-2016 12:55 AM

depending on how you want to split up your IP subnet (or not at all) you could go for a full layer3 config and create a DMZ zone, trust zone and untrust zone, each with their own subnet

 

you'd put all your laptops/desktops in the trust zone/subnet, all the servers in the dmz zone/subnet and hook up the ISP to the untrust

 

you'll now be able to create security policies between each zone, tailored to the specific access each zone requires to the destination zone (eg. trust + dmz ssl + web-browsing out for surfing and updates, trust to dmz all sorts of control applications (rdp, http, ssh, db,...) and only the strictly required apps from untrust to dmz (ssl, http,...)

 

 

alternatively if you'd prefer to keep all local hosts in the same IP subnet, you could create an internal layer2 setup with 2 or more interfaces in layer2, with l3 routing enabled. you can then hook up all the laptops/desktop to one interface. all the servers to the other interface, they'll all act as if they're on the same 'switch' but the firewall will be able to inspect traffic between the 2 virtual segments

 

please check out these Getting Started articles for some more info on each deployment:

Getting Started: The Series

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

Perseus
L1 Bithead
In response to reaper

‎08-24-2016 03:48 AM

Thank you very much for your prompt answer. I believe there will not be needed to have the hosts in different IP subnets. To be more précised about the layout of the network, we have: ISP – FW – Switch1 – 5 client PCs – Switch2 – NAS, plus another 3 client PCs (simulating remote connections) connected between the FW and the switch2 (i.e. ISP - FW – 3 client PCs – switch2 – NAS). Basically, swtch1 could be directly connected to one FW interface, but the other 3 PCs I am assuming we may have to use separated FW interfaces per each one if there is not other better option. thanks again for your time,
0 Likes Likes

santonic
L6 Presenter
In response to Perseus

‎08-24-2016 04:15 AM

You're mixing L2 and L3.

As far as logical L3 topology I'd suggest seperating NAS from client segment.

 

Put PA in center of your network, make 3 layer 3 interfaces:

- 1 interface for ISP link however it needs to be configured, zone untrust/internet....

- 1 interface for clients, zone trust/lan...

- 1 interface for SAN and other servers, zone server/DMZ...

 

Use both curent switches as L2 access switches; one for clients, one for servers.

 

 

0 Likes Likes

Perseus
L1 Bithead
In response to santonic

‎08-24-2016 11:02 PM

Thanks for your advice. Using virtual wire could simplify things from the perspective of FW configuration, but what you propose makes definetly more sense for a more granular security scheme.

  • 2951 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks