This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

DMZ network redesign

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

DMZ network redesign

michelle79
L1 Bithead

‎07-01-2018 11:44 PM

Hi all, I'm hoping someone can help me avoid a huge overhaul and outage window of our DMZ network...

 

Our DMZ gateway is currently a Palo interface with GlobalProtect enabled on it. Servers on the DMZ are at a remote site connected via a Layer 2 spanned VLAN. We intend to decommission this L2 link and move to a L3 VPN service. We have an entire public class C IP range to play with but I am a little stuck as to how to manage this transition as smoothly as possibly.

 

Am I able to simply advertise a /32 route to the DMZ gateway address for GlobalProtect VPN traffic and another static route to forward the /24 range to a dummy subnet that directs any remaining DMZ traffic over the L3 service? If I could get away with this then I guess I will need to assign an IP in the DMZ range to the router servicing the DMZ servers and modify gateway IPs on all DMZ servers to point to the new IP assignment but is there anything fundamental I haven't considered or may have overlooked? I'm concerned that I will need to start from scratch and split the /24 subnet up which in turn I think will mean many more VLANs and changes on the infrastructure hosting the DMZ servers that I would preferably like to avoid. 

 

Appreciate any advice or wisdom you can offer. TIA

 

dmz.jpg

 

0 Likes Likes
1 REPLY 1

Remo
L7 Applicator

‎07-08-2018 09:47 AM

A little confusing 😛

As I understand the existing vlan is spanned all the way to the paloalto where the L3 interface of that vlan resides? Was your plan to avoid a maintenance window completely?

 

If you now want to move to a L3 vpn service the best way I see to fo this is do this alltogether in one maintanance window to avoid doing changes on all your DMZ servers. But before doing this maintenance windows move the GP service to a loopback interface.

  • 1883 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks