Well, the standard setup:
Core 6500 series that connects firewall, IDS sensor, etc.
Palo Alto has different internal zones for different services and external zones as well.
Palo Alto L3 interfaces and sub-interfaces.
New setup idea: Nexus 9000 with ACI.
Palo Alto: no changes,
since ACI does not support SPAN or RSPAN, which is used for the IDS sensor.
If PA is in L3 mode then it will see only traffic travelling between networks configured on that FW.
Local traffic within same broadcast domain will never reach FW. You would need SPAN/TAP ports for that.
@AdamCoombs We have all of the Palo Alto logs syslogging to our SIEM. In our SIEM, we have created rules to fire off an email alert and/or generate an "offense" based on what is in the syslog payload.
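As an added illustration of the kind of rule the post above describes (a SIEM rule keyed on the syslog payload), here is a small port-scan heuristic in Python. It is example code written for this thread, not anything from the poster or from Palo Alto; the log line format, IP addresses and timestamps are constructed for the example and do not follow the real PA syslog layout. The rule flags a source that touches many distinct destination ports within a short window, which is the "users doing unwanted scans" case discussed later in the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log format (made up for this example, not a real PA format):
# "<ISO timestamp> TRAFFIC src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
BASE = datetime(2024, 1, 1, 10, 0, 0)


def _line(offset_s, src, dst, dport, action):
    """Build one constructed log line offset_s seconds after BASE."""
    ts = (BASE + timedelta(seconds=offset_s)).isoformat()
    return f"{ts} TRAFFIC src={src} dst={dst} dport={dport} action={action}"


SAMPLE_LOG = (
    # 10.1.1.5 sweeps 12 ports on one host in 12 seconds: a vertical scan
    [_line(i, "10.1.1.5", "10.2.0.10", 20 + i, "deny") for i in range(12)]
    # 10.1.1.7 is an ordinary client talking to a web server repeatedly
    + [_line(30 + i, "10.1.1.7", "10.2.0.20", 443, "allow") for i in range(5)]
    # 10.1.1.9 touches 8 distinct ports, but two minutes apart each
    + [_line(120 * i, "10.1.1.9", "10.2.0.30", 8000 + i, "deny") for i in range(8)]
    # a malformed line the parser must skip rather than crash on
    + ["garbage line that does not match"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) TRAFFIC src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_scans(lines, window_s=60, port_threshold=10):
    """Flag sources that hit at least port_threshold distinct (dst, dport) pairs
    within any window_s-second sliding window.

    Returns {src: peak number of distinct targets seen in one window}.
    """
    window = timedelta(seconds=window_s)
    # Syslog can arrive out of order, so sort parsed events by timestamp first
    events = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    recent = defaultdict(deque)  # src -> deque of (ts, (dst, dport)) inside the window
    flagged = {}
    for r in events:
        q = recent[r["src"]]
        q.append((r["ts"], (r["dst"], r["dport"])))
        # Evict events that have fallen out of the sliding window
        while q and r["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({target for _, target in q})
        if distinct >= port_threshold:
            flagged[r["src"]] = max(flagged.get(r["src"], 0), distinct)
    return flagged


if __name__ == "__main__":
    # With a 60 s window only the fast sweep is flagged; widening the window
    # to 20 minutes also catches the slow one from 10.1.1.9.
    print(detect_scans(SAMPLE_LOG))
    print(detect_scans(SAMPLE_LOG, window_s=1200, port_threshold=8))
```

The window length and threshold are the knobs that decide what counts as a scan: a short window catches fast sweeps with few false positives, while a long window is needed for slow scans at the cost of more noise from chatty hosts. Note that, as the next reply points out, a firewall in L3 mode only logs traffic that crosses it, so this rule only sees scans between zones unless a TAP port feeds the local traffic in as well.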
Traffic between 2 PCs within the same broadcast domain passes only through a pair of layer 2 ports on the switch (if we simplify things a bit).
Options to see this traffic are:
- mirror port (which is not an option in your case),
- inline pair of ports for each host on network (which is not realistic),
- some endpoint client on these PCs (with host IPS functionality)
Santonic, we already use HIPS on the PCs too.
Well, the best idea so far is to create a zone for the PCs so that anything that tries to cross over to any other zone will be caught.
I am still going to look into an IDS system that supports an L3 inspection tap.
Thank you all for the help with this.
If anyone knows of a product or service Palo Alto offers like this, please let me know.
You know the source where the scans are coming from? You have designated scanners? Then yeah, put them in a separate network and you will see their traffic and alerts.
I thought the idea was to monitor your network for users which might be doing some unwanted scans.
So far I never heard about possibility of redirecting mirror traffic to a L3 tap. Nor about such devices.
There is another family of devices though, called network taps. Basically you put them in your network on interesting traffic paths and mirror that traffic to some device which can analyze the traffic, either for troubleshooting or security checks.
Basically a TAP is a 3 port device; 2 ports are inline segment where you direct your traffic through. 3rd port is a port where all that traffic from inline ports is mirrored to. That 3rd port can then be connected to a PA TAP port. Of course these network taps are scaled and sized by throughput, number of ports... etc
You are right, the idea was to monitor the network for users who might be doing some unwanted scans.
So that is why I came up with the idea of different zones with a vulnerability profile.
We are looking into network tap devices; one is from Cisco that works with the ACI program that we will be getting.
Thank you Santonic