02-27-2013 12:37 PM
Just mainly need direction on where to go with this. We have two PA-5050s in our environment and no test network for the main network. We do, however, have a new test satellite network where some of our DBs and others want it to have access to live environment servers. My idea is to use the 5050s to keep the devices on the test network talking only to the devices they NEED to talk to in the live network. In our current 5050 setup every interface is layer 3. My thought is to trunk this test VLAN to the 5050s to a layer 2 subinterface on VLAN 61 with a new sat-test zone, and then create rules allowing only traffic between that VLAN and the actual devices on the live network it needs. Does this sound like the way to go? Am I way off or overly complicating this? Any advice is appreciated.
02-27-2013 02:24 PM
Your way would work, but I always try to avoid layer-2 VLANs on firewalls because I don't want to add the complexity of spanning-tree to the situation.
Personally, I'd put your "satellite" network into a separate DMZ zone on a layer 3 interface, and just apply appropriate routing. Then, applying security policy is dead easy - source zone satellite, destination zone main, destination host ZZZ, allowed apps XXX & YYY.
I use that method for a couple of client networks which connect via my PAs - have them in a separate layer-3 DMZ interface, route the appropriate subnets to the interface, then just apply security policy to the entire zone.
Of course, this assumes you have spare ports to connect the additional networks to - if you don't, then I'd combine layer 2 VLANs and layer 3 to get the same effect (trunk into the device, but put the VLAN into a layer-3 zone to do the security policy on).
02-27-2013 02:32 PM
The first issue I see is that you already identified that all your interfaces are layer 3, which means you wouldn't be able to create a layer 2 sub-interface. I'm guessing there's an error in the wording there?
If you have a spare interface, putting the test network on an L3 interface in a separate security zone and controlling the traffic to and from it is certainly the way I would do it. If you don't have a spare interface on the devices to handle the additional test network, then putting it into a separate VLAN on a layer 3 sub-interface and then putting the sub-interface into its own security zone is the next best step. If you do intend to do a layer 2 sub-interface you could do the same as L3 with the zone and policy, but it would require you to put it into a VLAN object (you could have the L2 sub-interface in its own VLAN object), then assign a VLAN interface to it, and then add it into the virtual router so that it could access your L3 network.
If you REALLY want to separate the traffic then you could put an interface into a separate VSYS however that would probably be overcomplicating it!
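As an added illustration of the layer 3 sub-interface approach both replies recommend (this is not configuration posted by anyone in the thread), here is a PAN-OS set-command skeleton for trunking the test VLAN to a tagged L3 sub-interface, dropping it into its own zone and locking policy down to named hosts and applications. VLAN 61 and the sat-test zone name come from the original post; the physical interface ethernet1/3, the virtual router name, the 10.61.0.0/24 and 10.10.20.0/24 subnets, the zone name "main" for the live network, the address object names and the SQL applications are all assumptions standing in for whatever the real environment uses.

```text
# Assumed: ethernet1/3 is the existing layer3 interface that carries the trunk
# from the test switch. Tag a sub-interface for VLAN 61 and give it the gateway
# address the test hosts will point at.
set network interface ethernet ethernet1/3 layer3 units ethernet1/3.61 tag 61
set network interface ethernet ethernet1/3 layer3 units ethernet1/3.61 ip 10.61.0.1/24
set network virtual-router default interface ethernet1/3.61

# Dedicated zone so policy is written zone-to-zone rather than per interface.
set zone sat-test network layer3 ethernet1/3.61

# Address objects for the live-network hosts the test boxes may reach (assumed IPs).
set address sat-test-net ip-netmask 10.61.0.0/24
set address live-db-01 ip-netmask 10.10.20.15/32
set address live-db-02 ip-netmask 10.10.20.16/32
set address-group live-db-servers static [ live-db-01 live-db-02 ]

# Allow only the named applications to the named hosts, on their default ports.
# Rules are appended in the order created, so this sits above the deny below.
set rulebase security rules sat-test-to-live-db from sat-test to main source sat-test-net destination live-db-servers application [ mssql-db ms-sql-monitor ] service application-default action allow log-end yes

# Explicit catch-all deny with logging, so anything the test network tries that
# is not on the list shows up in the traffic log instead of being silently dropped.
set rulebase security rules sat-test-deny-all from sat-test to any source any destination any application any service any action deny log-end yes

commit
```

Before cutting traffic over, `test security-policy-match from sat-test to main source 10.61.0.10 destination 10.10.20.15 protocol 6 destination-port 1433 application mssql-db` should return the allow rule, and the same command against any other destination in the live network should land on sat-test-deny-all. Because the test network's default gateway is the firewall sub-interface, there is no path from VLAN 61 into the live subnets that bypasses the zone-to-zone policy.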
02-28-2013 06:53 AM
Added a Visio of the topology so you can see better what I was describing. Just want to be absolutely sure you think layer 3 is still the best way.
02-28-2013 02:28 PM
OK, based on your Visio, I'd do the following.
1) Trunk VLAN 61 and VLAN 1 (you should *not* be using VLAN 1 for traffic on a Cisco network, BTW - it's bad practice since VLAN 1 is the default "untagged" VLAN in most installations) to the Palo Altos over your existing links - you're probably going to have to reconfigure to make the physical interface a layer 2 interface rather than layer 3, and move your layer 3 configuration/zone into a VLAN interface rather than a layer 3 type interface.
2) Add an interface for the VLAN 61 into your PAN device - make it the default gateway for the entire 18.104.22.168 subnet, and route *all* traffic across the trunk into the Palo Alto device.
3) Configure firewall zones/rules as appropriate to allow the access you want.
Alternatively, if you have a spare interface and if it's physically viable (i.e. you can cable the switch to suit), then plug the Adtran switch (22.214.171.124) network directly into a spare interface on the Palo Alto and remove the link to the 10.10.10.10 switch, then do the layer 3 configuration on the new physical interface, and likewise configure zones/rules as appropriate.
I've attached a modified version of your Visio which indicates what I mean - the green lines indicate the first suggestion, the red the second.
11-27-2017 01:13 PM
I am looking for a base 5050 configuration to help speed up the process of getting the firewall up. Does anyone have a config file they could share?
I'd be very cautious about using another person's / company's "base" config. You could be importing something you didn't know about, with unintended (unknown) consequences. Also, if you "build" that base stuff yourself you're more apt to be able to troubleshoot things quicker.
IMO, the base stuff you wouldn't be able to import anyway... it's all going to be unique to every company. The "basic" config Palo already has built for you in the pre-defined security profiles and security rules, but you'll need to build to suit your own use case.