Can Panorama manage Firewalls with Overlapping IP


Hi.

We have a requirement to manage a number of Palo Alto firewalls, some of which have overlapping IP addresses.

Is it possible for Panorama to manage an estate with this configuration, almost like an MSSP?

Many thanks

Richard


I apologize in advance, Richard, but could you please expand on your original question and perhaps elaborate by providing examples?

Regards,

Renato

Sure

Say we had a customer that made an acquisition and wants to bring the new firewall estate under management, but they are also using the same address space, that being 192.168.1.x.

So would Panorama be able to differentiate between the 2 separate networks and manage them separately via “Device Groups”, so that in essence Panorama sees the 2 firewall estates as different customers with different rules base?

I expect we would need another firewall between Panorama and the 2 networks and maybe use NAT?

Does that explain it better?

I would think that you could do it. The key is that the management IP addresses for the PA devices would have to be accessible to Panorama. I could think of the following scenarios to address it:

1) The management IP addresses for the devices share a common network and that network is accessible to Panorama.

2) The devices all have different external IP addresses and you set up a service route where the Panorama communication uses the external interface.

Another challenge that you would have to deal with is to make sure that all object creation would be specific to each device group. In other words, none of the objects would be shared between the device groups.
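The two constraints from the reply above (management addresses that Panorama can tell apart, and no shared objects covering the overlapping space) can be checked against an inventory before onboarding. This is an added example, not part of the original thread and not Palo Alto code; the inventory layout, device group names and addresses are constructed assumptions, and it does not call any Panorama API.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory (assumption): mgmt_ip is the address Panorama would
# connect to for each firewall (after any NAT), inside lists its internal networks.
FIREWALLS = [
    {"name": "fw-a1", "device_group": "CustomerA", "mgmt_ip": "10.10.0.11", "inside": ["192.168.1.0/24"]},
    {"name": "fw-b1", "device_group": "CustomerB", "mgmt_ip": "10.10.0.12", "inside": ["192.168.1.0/24"]},
    {"name": "fw-b2", "device_group": "CustomerB", "mgmt_ip": "10.10.0.11", "inside": ["192.168.2.0/24"]},
]

# Constructed address objects (assumption): scope is "shared" or a device group name.
OBJECTS = [
    {"name": "file-server", "scope": "shared", "value": "192.168.1.10/32"},
    {"name": "a-dns", "scope": "CustomerA", "value": "192.168.1.53/32"},
    {"name": "public-ntp", "scope": "shared", "value": "203.0.113.5/32"},
]

def duplicate_mgmt_ips(firewalls):
    """Management addresses claimed by more than one firewall."""
    seen = defaultdict(list)
    for fw in firewalls:
        seen[ipaddress.ip_address(fw["mgmt_ip"])].append(fw["name"])
    return {str(ip): names for ip, names in seen.items() if len(names) > 1}

def ambiguous_shared_objects(firewalls, objects):
    """Shared objects whose address falls inside networks of several device groups."""
    flagged = {}
    for obj in objects:
        if obj["scope"] != "shared":
            continue  # device-group-scoped objects cannot leak across estates
        value = ipaddress.ip_network(obj["value"])
        groups = sorted({
            fw["device_group"]
            for fw in firewalls
            for net in fw["inside"]
            if value.overlaps(ipaddress.ip_network(net))
        })
        if len(groups) > 1:
            flagged[obj["name"]] = groups
    return flagged

if __name__ == "__main__":
    print("Duplicate management addresses:", duplicate_mgmt_ips(FIREWALLS))
    print("Shared objects in overlapping space:", ambiguous_shared_objects(FIREWALLS, OBJECTS))
```

A shared object that resolves inside 192.168.1.x would mean a different host in each estate, which is why the second check flags it while leaving the public NTP address alone.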
