I need to set up a router from a vendor with an official IP address because it cannot use NAT. It will support a service from Miele called "Miele Logic".
Without setting this directly on the modem with a switch, I want to set this on an interface at the PA.
I have not figured out what kind of design is best practice to use?
I'm not sure I follow the issue. But I think you are saying you need the Miele device to be on the public subnet but also behind the Palo Alto firewall.
For this application you could use a v-wire deployment. One side of the v-wire goes to the public untrust connection, the other to the Miele device. Since v-wire has no layer 3 profile, the device is both on the public subnet and also behind the firewall.
I considered both virtual wire and Layer 2 but this requires two interfaces?
But have not been able to assign this to the Layer 3 untrusted interface.
I have configured a lot of Palo Alto but never with these settings.
The Palo Alto replaced a SonicWALL firewall, and this device was configured in transparent mode.
v-wire is separate from any layer 3 usage on the device. So the two interfaces in a v-wire act like an ethernet cable: one side connects to the untrusted device, the other to the protected device or network switch. Then anything that passes through the v-wire must have a rule.
This pair of interfaces will not participate in any layer 3 configuration on the Palo Alto. This is a "virtual wire" patch cable.
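A sketch of the v-wire layout described in this thread, as PAN-OS configuration-mode commands. This is an added example, not part of the original posts. The ports `ethernet1/3` and `ethernet1/4`, the object names `vw-miele`, `vw-untrust`, `vw-miele-zone` and `miele-outbound`, and the `<MIELE_ROUTER_PUBLIC_IP>` placeholder are assumptions, and the lines starting with `#` are annotations rather than CLI input.

```text
# Assumption: ethernet1/3 and ethernet1/4 are two unused ports.
# ethernet1/3 faces the public segment, ethernet1/4 faces the Miele router.
set network interface ethernet ethernet1/3 virtual-wire
set network interface ethernet ethernet1/4 virtual-wire

# Bind the two ports into one virtual wire. No IP address is configured on
# either side, so the Miele router keeps its public address without NAT.
set network virtual-wire vw-miele interface1 ethernet1/3 interface2 ethernet1/4

# Virtual-wire interfaces need zones of type virtual-wire, separate from
# the existing Layer 3 untrust zone.
set zone vw-untrust network virtual-wire ethernet1/3
set zone vw-miele-zone network virtual-wire ethernet1/4

# Traffic crossing the wire is still subject to security policy.
# <MIELE_ROUTER_PUBLIC_IP> is a placeholder for the vendor-assigned address.
# Tighten destination and application once the vendor's requirements are known.
set rulebase security rules miele-outbound from vw-miele-zone to vw-untrust source <MIELE_ROUTER_PUBLIC_IP> destination any application any service application-default action allow

# No inbound rule is added: unsolicited traffic from vw-untrust to
# vw-miele-zone falls through to the default interzone deny.
commit
```

Because the existing Layer 3 untrust interface stays as it is, the public segment has to reach both that interface and `ethernet1/3`, which is why the v-wire approach needs two additional ports.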