10-13-2011 08:50 AM
Hi.
We have a requirement to manage a number of Palo Alto Firewalls, some of which have overlapping IP addresses.
Is it possible for Panorama to manage an estate with this configuration, almost like an MSSP?
Many thanks
Richard
10-14-2011 01:37 AM
Sure
Say we had a customer that made an acquisition and wants to bring the new firewall estate under management, but they are also using the same address space, that being 192.168.1.x.
So would Panorama be able to differentiate between the 2 separate networks and manage them separately via “Device Groups”? In essence, Panorama sees the 2 firewall estates as different customers with different rules bases.
I expect we would need another firewall between Panorama and the 2 networks and maybe use NAT?
Does that explain it better?
10-15-2011 07:48 PM
I would think that you could do it. The key is that the management IP addresses for the PA devices would have to be accessible to Panorama. I could think of the following scenarios to address it:
1) The management IP addresses for the devices share a common network and that network is accessible to Panorama.
2) The devices all have different external IP addresses and you set up a service route where the Panorama communications use the external interface.
Another challenge that you would have to deal with is to make sure that all object creation would be specific to each device group. In other words, none of the objects would be shared between the device groups.