- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
Edge Firewall Design
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- Re: Edge Firewall Design
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Edge Firewall Design
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
12-27-2017 07:56 AM
I am trying to design the edge firewall and core network currently and I have a core Layer not in a "stack" or "VSS" so they are independent Core switches. They are doing the routing to the private WAN, and will be doing the routing to the Edge Firewalls. ECMP requires a dynamic routing protocol which usually you wouldn't run on an edge firewall, you would just have the core set to default static route to the firewall. That being said not having a Stacked Core to operate as one, I would need each core switch connected to each firewall, so the paths are crossed. If I connect one core switch to one firewall and the other switch to the other firewall then a failure of the primary's firewall connected Core will fail the whole firewall pair over when they really didn't need to be. So I am interested in how others are designing their edge firewalls to the Internet?
Thoughts? Ideas? Caveats?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-03-2018 12:11 PM
I do the same with ASA's ;), aovoid them if I can. As for another A/P good thing. I used to upgrade a pair of 2050's years ago and I would VPN in with GP, upgrade the passive, reboot it, fail over, then upgrade and reboot the new passive without getting dropped from GP VPN.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-03-2018 12:14 PM
Yes! Remote access for administration is criticial. I have a back door though on a cable modem connected to a PA500 for my "OOPS" moments.
- How to use Seprate IPs on WAN interface of 2 Paloalto Firewall. in General Topics
- Passing a Circuit Prefix Through Palo Firewall in General Topics
- Global Protect - Flagging security issues with Insurance companies in GlobalProtect Discussions
- design help in General Topics
- Host machine behind Palo Alto VM firewall in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
