Help With Configure PA-220


L1 Bithead

I am trying to build a firewall from scratch. Our use case is to secure 3 servers with separate DSP connected to PA-220. We do not have any managed switch or router between ISP to firewall. It is direct from modem to firewall.


Can anyone help with this? Palo Alto's documentation isn't helpful as I am not a network guru.


Community Team Member

Hi @PranamShah ,


That's a broad request. I'd recommend checking out some of the getting started guides. You'll find plenty of those on our LIVEcommunity YouTube channel over a variety of different topics.


There's also the getting started documentation DOC which provides detailed steps to help you deploy a new Palo Alto Networks next-generation firewall.


These should definitely help to get you started.




LIVEcommunity team member, CISSP
Please help out other users and “Accept as Solution” if a post helps solve your problem !


Thanks Kiwi.


Do you know if my use case as below is valid?


  • 3 servers
  • ISP (Modem) to PA-220 directly
  • No router or switch


Do I need to have a Switch (L3) / Router (L3) between my servers and the PA-220, or can I directly plug the servers into the PA-220?


L6 Presenter

A switch would be L2, not L3. You can connect the servers directly to the PA-220, but you will need to decide if each port will be its own network (L3 routing thru the PaloAlto between servers), or if you will try to bridge all 3 server ports together into a single L2 network. See this for bridging L2 ports:

L1 Bithead

Thanks Adrian.


L2 switch is an unmanaged switch isn't it? Managed switch would be L3?


So basically I cannot connect Server/VM Hosts directly to one of the 8 available interfaces on PA-220? Do I have to have a switch? And if yes, will an unmanaged switch work or do I have to buy a managed switch?


Also for the internet to PA-220, can I connect ISP Modem directly to PA-220 and configure public IP on either management port or one of the interfaces?


Something like below is what I want to achieve. Is it viable?



Sorry to ask some basics but I am a bit new to this.

Cyber Elite

Hi @PranamShah ,


Yes, it is viable.


  1. You can connect the ISP directly to the PA-220.
  2. You can connect your servers directly to the PA-220.
  3. Set the ISP interface to L3 in a L3 untrust zone with the public IP.
  4. Set your server interfaces to L2 in a L2 zone.  Put them in the same VLAN.
  5. Create a L3 VLAN interface tied to the L2 VLAN in a L3 trust zone.
  6. Create default route to ISP.
  7. Create DIPP NAT rule to outside interface IP from trust zone to untrust zone.
  8. Create security policy rule to allow traffic from trust zone to untrust zone.




Help the community: Like helpful comments and mark solutions.
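
The eight steps in the reply above, written out as PAN-OS configure-mode `set` commands; this is an added example, not part of the original post. Interface numbers, zone, VLAN and rule names, and all addresses (documentation ranges) are constructed placeholders, the `#` lines are annotations rather than CLI input, and the command forms are assumed from current PAN-OS releases and should be confirmed with `?` completion on the installed version.

```text
# Steps 1 and 3: ISP modem on ethernet1/1, Layer 3, public IP (placeholder)
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.2/30
set zone untrust network layer3 ethernet1/1

# Steps 2 and 4: three server ports as Layer 2 members of one VLAN
set network interface ethernet ethernet1/2 layer2
set network interface ethernet ethernet1/3 layer2
set network interface ethernet ethernet1/4 layer2
set zone servers-l2 network layer2 [ ethernet1/2 ethernet1/3 ethernet1/4 ]
set network vlan servers interface [ ethernet1/2 ethernet1/3 ethernet1/4 ]

# Step 5: L3 VLAN interface as the servers' gateway, in the trust zone
set network interface vlan units vlan.10 ip 192.168.10.1/24
set network vlan servers virtual-interface vlan.10
set zone trust network layer3 vlan.10
set network virtual-router default interface [ ethernet1/1 vlan.10 ]

# Step 6: default route to the ISP gateway (placeholder next hop)
set network virtual-router default routing-table ip static-route default-out destination 0.0.0.0/0 nexthop ip-address 203.0.113.1

# Step 7: DIPP source NAT to the outside interface IP
set rulebase nat rules trust-out from trust to untrust source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Step 8: allow trust to untrust only
set rulebase security rules trust-to-untrust from trust to untrust source any destination any application any service application-default action allow
```

No untrust-to-trust rule is created here, so unsolicited inbound traffic to the servers is still dropped by the default interzone deny; the candidate configuration takes effect only after `commit`.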

@PranamShah wrote:

L2 switch is an unmanaged switch isn't it? Managed switch would be L3

 No... A switch is always an L2 device, a device that receives packets in one port and sends packets out to other ports based on destination MAC address. It works on layer 2, the packet MAC hardware destination address. (OK... this gets a bit complicated as there are L2/L3+ switches, but for the definition of "switch", it is always a layer 2 device). An unmanaged switch is just that, a collection of ports that just pass packets based on MAC destination. A managed switch allows you to segment the switch into different layer 2 domains (VLANs), acting as multiple switches in one. (ports 1-4 are one VLAN, ports 5-6 are a different VLAN, etc., packets from 1-4 don't pass to ports 5-6).


A L3 device works on layer 3 - the IP address. It receives packets on one port (this is typically the gateway IP of the network) and routes them to other ports/networks based on the destination IP address. Hence an L3 device is a router.


The PaloAlto ports can be configured as L3 router ports (the default) or as L2 switch ports (done by creating a VLAN to route L3 on and assigning it to multiple ports).

