11-08-2011 05:21 AM
I am currently running a PA-500 in IPS mode and it is set up as a VWire behind my ASA. I have an environment that consists of a Cisco wireless controller and APs. How do I monitor my wireless traffic, or better yet, how do I set up policies for this?
By the way I had a conversation with support this morning and it went no where.
11-08-2011 02:43 PM
My question has not been answered yet
11-08-2011 02:55 PM
P,
I think part of what you are asking is really a professional services design question as opposed to a configuration issue.
As far as monitoring your wireless traffic, unless the traffic crosses the wire and passes through either a switch or the PA-500 it won't see the traffic - so any wireless to wireless traffic will not be seen unless you are able to span that traffic out to the PA-500.
Hope that is of some help
James
11-08-2011 02:56 PM
Your question is rather broad. Could you give us some more specifics about your implementation?
Are you going to allow all traffic bidirectionally? If not what applications will you allow and in which direction?
Do you need to identify users and map them to IP addresses?
I assume you will be implementing security profiles to block viruses, malware, spyware and attempts to exploit vulnerabilities. Please confirm if you plan to do this?
Do you plan to implement file blocking?
Will you implement data filtering?
Are you going to implement URL filtering? (requires a license)
thanks,
Benjamin
11-08-2011 03:00 PM
What I would like to do is create a vwire for the traffic from the controller to the core switch. My problem is that, in doing so, traffic is blocked without any policy setting. How can I set this up?
11-08-2011 03:02 PM
The answers to your questions are yes and yes. I would like to set up a vwire or layer 3 interface (if needed) to map IP to users, etc.
11-08-2011 03:06 PM
Could you please post a screengrab of your security policies?
Once I see that I can give you some specific guidance on most of the questions that you have.
Thanks,
Benjamin
11-08-2011 03:10 PM
P-
Here is a link to an older configuration document on how to set up a Virtual Wire evaluation
https://live.paloaltonetworks.com/docs/DOC-1165
The core concepts have not changed.
You will need a set of policies to pass traffic between the interfaces - the simplest are
1. Zone 1 to Zone 2 allow any address to any application and services
2. Zone 2 to Zone 1 allow any address to any application and services
You can add complexity with more rules as you go.
Hope that helps
James
11-08-2011 03:11 PM
Screenshot:
1. set up vwire on ethernet0/5 and ethernet0/6 with (both) trusted interface
2. no policies were applied to either interface
3. from the LAN I could not browse to the controller nor see broadcast SSIDs
11-08-2011 03:23 PM
P -
You will still need to configure a trust to trust rule. Traffic passing between interfaces on a Palo Alto Firewall still needs to have zone relative rules to allow the traffic to pass.
Since you do not have a security policy from trust to trust, no traffic is passing.
James
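The point James makes in the two replies above (no zone-to-zone rule means no traffic passes, even trust to trust) can be checked against a small model of first-match, zone-based policy evaluation with an implicit deny at the end of the rulebase. This is an added illustration written for this thread, not PAN-OS code or anything from the original posts; the interface names follow the screenshot description, and the flows (LAN host browsing to the controller, controller replying) are constructed sample traffic.

```python
# Model of a zone-based, first-match security rulebase on a virtual wire.
# Constructed example for this thread; it is not PAN-OS code.
from dataclasses import dataclass

# Interface-to-zone mapping from the thread: both vwire interfaces in "trust".
ZONE_OF_INTERFACE = {"ethernet0/5": "trust", "ethernet0/6": "trust"}


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    application: str = "any"   # "any" or a single application name
    action: str = "allow"      # "allow" or "deny"


@dataclass
class Flow:
    ingress_if: str
    egress_if: str
    application: str


def evaluate(rulebase, flow):
    """Return (action, rule_name). First matching rule wins; no match -> implicit deny."""
    src_zone = ZONE_OF_INTERFACE[flow.ingress_if]
    dst_zone = ZONE_OF_INTERFACE[flow.egress_if]
    for rule in rulebase:
        zones_match = rule.from_zone in (src_zone, "any") and rule.to_zone in (dst_zone, "any")
        app_matches = rule.application in (flow.application, "any")
        if zones_match and app_matches:
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed sample traffic: a LAN host browsing to the controller and the reply path.
LAN_TO_CONTROLLER = Flow("ethernet0/5", "ethernet0/6", "web-browsing")
CONTROLLER_TO_LAN = Flow("ethernet0/6", "ethernet0/5", "web-browsing")

# The two rulebases discussed: the empty one from the screenshot, and the simplest working one.
EMPTY_RULEBASE = []
TRUST_TO_TRUST = [Rule("trust-to-trust", "trust", "trust")]


def summarise(rulebase):
    """Decision for each direction across the vwire under the given rulebase."""
    return {
        "lan->controller": evaluate(rulebase, LAN_TO_CONTROLLER)[0],
        "controller->lan": evaluate(rulebase, CONTROLLER_TO_LAN)[0],
    }
```

With `EMPTY_RULEBASE` both directions fall through to the implicit deny, which is exactly the symptom in the screenshot; with the single trust-to-trust rule both directions are allowed, and narrowing `application` on that rule shows how later restrictions would start dropping specific traffic again.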
11-09-2011 07:57 AM
Will let you know the outcome of this soon, thank you.