10-23-2023 11:48 PM - edited 10-23-2023 11:52 PM
Hello,
I am new to Palo Alto. I have a basic question.
The traditional setup I worked on in my last project was as below:
VRFs on a Cisco router for
- Internet - BGP
- Production - BGP
- DMZ - BGP
The FW connects to all 3 VRFs. Routing between VRFs is via the FW. The FW hardens the access.
New project with PA and an L2 switch for the same setup.
My idea is to
create 3 x virtual routers on the FW (Internet, Prod, DMZ)
and one policy for all of them.
However, what is the best way to route the traffic between the VRs with all the policy applied?
10-24-2023 01:20 PM
Hello,
Is there a reason you want to use 3 virtual routers? It's the security policies that determine what traffic can go where. The virtual router is just that, routing. I'm a fan of keeping it simple, and having 3 can get complicated, etc.
Regards,
10-24-2023 03:41 PM
It is the cyber policy so I don't have much say in that one. 😞
10-24-2023 06:04 PM - edited 10-24-2023 06:10 PM
Hi @gondolf ,
Does the cyber policy require 3 VRs on the NGFW, or just on the router? They are fine on the router. They are generally not needed on the NGFW. Some cyber security analysts think that separate routing tables provide an extra layer of security. The problem is that in order for it to work you have to route between the VRs, thus breaking the isolation.
Your router is different, where an external device routes between VRFs. The NGFW does not require VRs to do so, only 3 separate zones and interfaces. VRs on the NGFW only increase the complexity without increasing the security.
@OtakarKlier is correct. KISS is not only a good design principle, but an architectural guideline for the Internet. https://datatracker.ietf.org/doc/html/rfc3439 There is a link in there that says 80% of outages are caused by people or process errors. Complex designs increase those opportunities.
If you HAVE to do it on the NGFW:
Thanks,
Tom
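As an added example, not taken from this thread or from Palo Alto Networks' documentation, here is what the two designs Tom contrasts look like in PAN-OS set-command form. Interface numbers, zone names, addresses and the sample rules are assumptions chosen for illustration; lines starting with `#` are annotations, not CLI. Design A is the single-VR, three-zone layout; Design B is what the three-VR layout additionally needs, and it shows that the extra work consists of `next-vr` static routes whose only job is to re-create the reachability the single VR already had, while the traffic is still permitted or denied by the same zone-pair security rules.

```text
# Added example, assumed names and addresses. '#' lines are annotations, not CLI.
#
# Design A: one virtual router, three zones. Routing between the zones is just
# connected/static/BGP routes in that VR; the isolation is done by security policy.
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.2/30
set network interface ethernet ethernet1/2 layer3 ip 10.10.0.1/24
set network interface ethernet ethernet1/3 layer3 ip 10.20.0.1/24
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 ]
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 203.0.113.1
set zone Internet network layer3 ethernet1/1
set zone Prod network layer3 ethernet1/2
set zone DMZ network layer3 ethernet1/3
# The zone pair is the control point. Nothing crosses zones until a rule allows it
# (the built-in interzone-default rule denies), so no routing construct is needed for isolation.
set rulebase security rules Prod-to-DMZ-web from Prod to DMZ source any destination 10.20.0.10 application [ web-browsing ssl ] service application-default action allow
set rulebase security rules Prod-to-Internet from Prod to Internet source any destination any application [ web-browsing ssl dns ] service application-default action allow
set rulebase security rules DMZ-to-Internet from DMZ to Internet source any destination any application [ dns ntp ] service application-default action allow

# Design B: three virtual routers. Same interfaces, same zones, same three rules as above,
# plus the routes that punch holes between the routing tables so the NGFW can forward across them.
# (An interface belongs to exactly one VR, so they are moved out of 'default' first.)
set network virtual-router Internet interface ethernet1/1
set network virtual-router Prod interface ethernet1/2
set network virtual-router DMZ interface ethernet1/3
set network virtual-router Internet routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 203.0.113.1
# Every VR-to-VR path needs a next-vr route in BOTH directions, or the return traffic has no route.
set network virtual-router Prod routing-table ip static-route to-DMZ destination 10.20.0.0/24 nexthop next-vr DMZ
set network virtual-router Prod routing-table ip static-route default destination 0.0.0.0/0 nexthop next-vr Internet
set network virtual-router DMZ routing-table ip static-route to-Prod destination 10.10.0.0/24 nexthop next-vr Prod
set network virtual-router DMZ routing-table ip static-route default destination 0.0.0.0/0 nexthop next-vr Internet
set network virtual-router Internet routing-table ip static-route to-Prod destination 10.10.0.0/24 nexthop next-vr Prod
set network virtual-router Internet routing-table ip static-route to-DMZ destination 10.20.0.0/24 nexthop next-vr DMZ
```

Read side by side, the six `next-vr` routes in Design B are pure plumbing: once they exist, the three VRs can reach exactly what the one VR in Design A could, and the only thing that still decides whether a Prod host reaches the DMZ web server is the Prod-to-DMZ zone rule. If the cyber policy does force Design B, one useful check after committing is `test routing fib-lookup virtual-router Prod ip 10.20.0.10` and the reverse lookup from the DMZ VR, to confirm both directions resolve to a `next-vr` hop; an asymmetric set of routes is the usual failure mode and shows up as one-way session drops rather than as a policy denial.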
11-07-2023 06:14 PM
Thank you for the reply. I will put in my recommendation to not separate them, based on everyone's replies. If not, then I have a solution now. I will find a lab online to do some labs. Do you know what the best way to lab it is, either Azure/AWS/GCP with a PAYG setup or an EVE-NG lab? I need to find out how to get the PA VM and licences for lab purposes.