01-25-2021 08:25 PM
Just want to seek your inputs about what can be the best integration approach for this scenario.
Currently, the VLAN gateway is in my core switch and I will be introducing PA FW into my network. I want to have control and visibility for my intervlan switching, will the virtual-wire approach be the best for this scenario?
I am not quite convinced that the virtual wire will be able to solve what I want for the intervlan traffic, because my current gateway is in the core switch.
Hi @Nikko ,
With vwire you can achieve your goal for inter-vlan traffic inspection/filtering. IMHO the only advantage of putting the PA in front of the core switch in vwire mode is that you will not have to change the default gateway for all of your vlans. You can even split the VLANs into separate sub-interfaces for the vwire (Virtual Wire Subinterfaces (paloaltonetworks.com)) to have better control when building the policy.
BUT... The only problem with this approach would be that inter-vlan traffic will pass twice over your firewall:
- once from host a (in vlan a) to core switch
- second from core switch to dest b (in vlan b)
So you have to take into consideration when building your policy that you need two rules.
And eventually if the device can handle the performance.
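The two-pass behaviour described in the reply above, modelled as an added example (not code from the original thread or from Palo Alto Networks). It assumes a constructed VLAN plan (tags 10 and 20), a zone naming scheme where each vwire subinterface pair for tag N has its access-side member in zone vlanN-access and its core-side member in zone vlanN-core, and constructed rule names; a first-match policy with an interzone default deny stands in for the firewall's rulebase.

```python
"""Path model for inter-VLAN traffic through a firewall in virtual wire mode
between the access layer and a core switch that is the VLAN gateway.

Added example, not from the original post. VLAN ids, subnets, zone and rule
names are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VLAN plan: 802.1Q tag -> subnet served by the core switch SVI.
VLANS = {10: ip_network("10.0.10.0/24"), 20: ip_network("10.0.20.0/24")}


@dataclass(frozen=True)
class Packet:
    vlan: int   # 802.1Q tag on the wire, which selects the vwire subinterface
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    dport: int
    action: str  # "allow" or "deny"


def vlan_of(ip: str) -> int:
    for tag, net in VLANS.items():
        if ip_address(ip) in net:
            return tag
    raise ValueError(f"{ip} is not in a known VLAN")


def vwire_zones(pkt: Packet, ingress_side: str) -> tuple[str, str]:
    """Zones the firewall evaluates for one pass over the vwire.

    Assumed zone plan: the subinterface pair for tag N has its access-side
    member in zone vlanN-access and its core-side member in zone vlanN-core.
    """
    egress_side = "core" if ingress_side == "access" else "access"
    return f"vlan{pkt.vlan}-{ingress_side}", f"vlan{pkt.vlan}-{egress_side}"


def firewall_legs(src: str, dst: str, dport: int) -> list[tuple[str, str, Packet]]:
    """Every (from_zone, to_zone, packet) the firewall sees for one inter-VLAN
    client-to-server flow. Only the inter-VLAN case from the thread is modelled."""
    svlan, dvlan = vlan_of(src), vlan_of(dst)
    if svlan == dvlan:
        raise ValueError("same-VLAN traffic does not need the core gateway")
    # Pass 1: host -> core switch SVI, still tagged with the source VLAN.
    leg1 = Packet(svlan, src, dst, dport)
    # Pass 2: the core switch routes the packet and sends it back down through
    # the vwire, now tagged with the destination VLAN.
    leg2 = Packet(dvlan, src, dst, dport)
    return [(*vwire_zones(leg1, "access"), leg1), (*vwire_zones(leg2, "core"), leg2)]


def match(rules: list[Rule], from_zone: str, to_zone: str, pkt: Packet) -> tuple[str, str]:
    """First-match policy lookup; unmatched interzone traffic is denied."""
    for r in rules:
        if (r.from_zone, r.to_zone, r.dport) == (from_zone, to_zone, pkt.dport):
            return r.action, r.name
    return "deny", "interzone-default"


def flow_allowed(rules: list[Rule], src: str, dst: str, dport: int):
    """A flow succeeds only if every pass over the vwire is allowed.
    Returns (allowed, [(action, rule, from_zone, to_zone) per pass])."""
    verdicts = [match(rules, fz, tz, pkt) + (fz, tz)
                for fz, tz, pkt in firewall_legs(src, dst, dport)]
    return all(v[0] == "allow" for v in verdicts), verdicts


if __name__ == "__main__":
    one_rule = [Rule("web-leg1", "vlan10-access", "vlan10-core", 443, "allow")]
    print(flow_allowed(one_rule, "10.0.10.5", "10.0.20.8", 443))   # blocked on pass 2
    two_rules = one_rule + [Rule("web-leg2", "vlan20-core", "vlan20-access", 443, "allow")]
    print(flow_allowed(two_rules, "10.0.10.5", "10.0.20.8", 443))  # allowed
```

With a single rule covering only the source VLAN's subinterface pair, the second pass (core side, destination VLAN tag) falls through to the interzone default and the flow fails; adding the second rule for the destination VLAN pair lets both passes through, which is the "two rules" point made above. The server's return traffic also crosses the vwire twice, but on a stateful firewall it is matched to the existing sessions rather than to new rules, so the model does not evaluate it separately.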
If you're going to be using a v-wire configuration you need the traffic to actually cross the v-wire link. To really answer this you'll need to provide a network diagram and some additional information about how your network is actually configured.