This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Help With Configure PA-220

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Help With Configure PA-220

PranamShah
L1 Bithead

‎03-09-2022 12:59 PM

I am trying to build firewall from scratch. Our use case is to secure 3 servers with separate DSP connected to PA-220. We do not have any managed switch or router between ISP to firewall. It is direct from modem to firewall.

 

Can anyone help with this? Palo Alto's documentation isnt helpful as I am not network guru.

0 Likes Likes
6 REPLIES 6

kiwi
Community Team Member

‎03-10-2022 01:12 AM

Hi @PranamShah ,

 

That a broad request.  I'd recommend checking out some of the getting started guides.  You'll find plenty of those on our LIVEcommunity YouTube channel over a variety of different topics.

 

There's also the getting started documentation DOC which provides detailed steps to help you deploy a new Palo Alto Networks next-generation firewall.

 

These should definitely help to get you started.

 

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

PranamShah
L1 Bithead
In response to kiwi

‎03-10-2022 06:19 AM

Thanks Kiwi.

 

Do you know if my use case as below is Valid?

 

  • 3 servers
  • ISP (Modem) to PA-220 directly
  • No router or switch

 

Do I need to have Switch (L3) / Router (L3) between my servers and PA-220 or can I directly plug in Servers to PA-220?

 

0 Likes Likes

Adrian_Jensen
L6 Presenter

‎03-10-2022 08:17 AM

A switch would be L2, not L3. You can connect the servers directly to the PA-220, but you will need to decide if each port will be its own network (L3 routing thru the PaloAlto between servers), or if you will try to bridge all 3 server ports together into a single L2 network. See this for bridging L2 ports:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRqCAK

0 Likes Likes

PranamShah
L1 Bithead

‎03-10-2022 04:48 PM

Thanks Adrian.

 

L2 switch is an unmanaged switch isn't it? Managed switch would be L3?

 

So basically I can not connect Server/VM Hosts directly to one one of 8 available interfaces on PA-220? Do I have to have a switch? And if yes, will unmanaged switch work or do I have to buy a managed switch?

 

Also for the internet to PA-220, can I connect ISP Modem directly to PA-220 and configure public IP on either management port or one of the interfaces?

 

Something like below is what I want to achieve. Is it viable?

 

palo-alto-flow.png

Sorry to ask some basics but I am a bit new to this.

0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎03-10-2022 05:02 PM - edited ‎03-10-2022 05:11 PM

Hi @PranamShah ,

 

Yes, it is viable.

 

  1. You can connect the ISP directly to the PA-220.
  2. You can connect your servers directly to the PA-220.
  3. Set the ISP interface to L3 in a L3 untrust zone with the public IP.
  4. Set your server interfaces to L2 in a L2 zone.  Put them in the same VLAN.
  5. Create a L3 VLAN interface tied to the L2 VLAN in a L3 trust zone.
  6. Create default route to ISP.
  7. Create DIPP NAT rule to outside interface IP from trust zone to untrust zone.
  8. Create security policy rule to allow traffic from trust zone to untrust zone.

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Adrian_Jensen
L6 Presenter
In response to PranamShah

‎03-11-2022 09:15 AM - edited ‎03-11-2022 09:17 AM

@PranamShah wrote:

L2 switch is an unmanaged switch isn't it? Managed switch would be L3

 No... A switch is always an L2 device, a device that receives packets in one port and sends packets out to other ports based on destination MAC address. It works on layer 2, the packet MAC hardware destination address. (OK... this gets a bit complicated as there are L2/L3+ switches, but for the definition of "switch", it is always a layer 2 device). An unmanaged switch is just that, a collection of ports that just pass packets based on MAC destination. A managed switch allows you to segment the switch into different layer 2 domains (VLANs), acting as multiple switches in one. (ports 1-4 are one VLAN, ports 5-6 are a different VLAN, etc., packets from 1-4 don't pass to ports 5-6).

 

A L3 device works on layer 3 - the IP address. It receives packets on one port (this is typically the gateway IP of the network) and routes them to other ports/networks based on the destination IP address. Hence an L3 device is a router.

 

The PaloAlto ports can be configured as L3 router ports (the default) or as L2 switch ports (done by creating a VLAN to route L3 on and assigning it to multiple ports).

network.png

  • 2679 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks