03-16-2018 08:01 AM
Hi Folks,
We currently use our PA 3020 firewalls with Layer 3 interfaces, the Internet plugged in directly, and doing all the routing for our network. Routing is learned from the L3 interfaces plus manual static route entries. No routing protocols at all. We have old HP switches downstream, all Layer 2 function, and HP servers beyond that.
We are getting ready to have Cisco UCS installed to replace everything, except our PA firewalls.
The question is coming up, "Do you want to move all of the routing into the Cisco equipment?".
I've been reviewing this document and it seems that if we were to do that, vwire would be the most common option?
I'm not sure if we are ready to overhaul our network, but asking for comments from community to see if there is a best practice approach to our upcoming project?
03-16-2018 08:42 AM - edited 03-16-2018 08:44 AM
Reading this post I thought it was myself asking this same question almost 3 years ago.
Up until recently I have had a similar infrastructure (vWire) between our users and our data center to control internal traffic with security policies. While vWire may be "supported" there are definitely a lot of caveats, and they are the reasons why we are moving to L3 routed interfaces on the Palo Alto.
Issues with vWire we experienced:
As of now we are running all of our L3 traffic on PAN-5220 firewalls at the center, which allows us to analyze any North-South traffic from any attached subinterface or VLAN, which is working fantastic. Failover to our passive firewall is working as expected with sub-second delay (I lose 1 ping).
If I was you I would analyze how much inter-VLAN routing you really need to do in the UCS and decide if you want to hairpin it off of the Palo Alto or create local routing. My opinion, based on the world as it is now, visibility is everything. Just my two cents.
I hope this helps.
-Matt
03-16-2018 09:14 AM
Hello,
I agree with @mlinsemier, visibility is everything. I've heard, and used to hear a lot, that the firewall should not be the center of your network. However, with the zero trust models, this is no longer true(ish). As long as the PAN has the capacity to handle the traffic, then yes, it can be the center of your network and you'll have tons of visibility.
Hope that helps.
03-19-2018 06:21 AM
We are trying to get away from the switches doing the routing and put the Palo as the core router for the LAN (not something I would have done 3-4 years ago).
With that in place we will be able to control intra-zone traffic and segregate the LAN, thus improving security and reducing the ability of an attack to propagate.
Rob
03-19-2018 06:49 AM
I agree with you 100% with what you are thinking down to the fact that I too would have never thought about doing it this way 3-4 years ago.
We are utilizing the Palo Alto in this L3 capacity in our data centers as well as doing routing on a stick in our remote offices on PA-220s (as there isn't a bunch of north-south traffic between VLANs) and it has certainly improved not only our security posture but our visibility as well. We're able to lock down all north-south traffic where necessary.
I will point out that we are not doing any dynamic routing at the core (yet) but will be looking at OSPF here shortly for a few route exchanges with other appliances. I have heard that BGP can be a little fussy and has had some bugs that have caused it to not be as reliable as OSPF, but that's hearsay from a few peers and engineers.
- Matt
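To make the "routing on a stick" design discussed above concrete, here is an added configuration sketch in PAN-OS set-command form. It is not from the original thread or from any poster's own config: the interface name (ethernet1/1), VLAN tags (10, 20), addresses (10.10.10.0/24, 10.10.20.0/24), zone names (users, datacenter) and rule names are all constructed, and the exact command syntax is an assumption to verify against the PAN-OS version in use. Lines starting with # are annotations, not commands. The point it shows is the one Matt and Rob describe: once each VLAN terminates on a firewall subinterface in its own zone, every inter-VLAN flow becomes an inter-zone session that is logged and subject to policy, instead of being switched invisibly.

```text
# --- Constructed example, not the thread's configuration ---
# One physical trunk toward the switch, one L3 subinterface per VLAN.
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.10 tag 10
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.10 ip 10.10.10.1/24
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.20 tag 20
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.20 ip 10.10.20.1/24

# Both subinterfaces live in the same virtual router, so the firewall
# is the default gateway and inter-VLAN router for each segment.
set network virtual-router default interface ethernet1/1.10
set network virtual-router default interface ethernet1/1.20

# Each VLAN gets its own zone; traffic between zones is evaluated and logged.
set zone users network layer3 ethernet1/1.10
set zone datacenter network layer3 ethernet1/1.20

# Explicit allow for what users legitimately need from the data center,
# logged at session end so it shows up in traffic logs and reports.
set rulebase security rules users-to-dc-web from users to datacenter source 10.10.10.0/24 destination 10.10.20.0/24 application [ ssl web-browsing ] service application-default action allow log-end yes

# Everything else between zones falls through to the implicit interzone
# deny; logging it makes lateral movement attempts visible rather than silent.
set rulebase default-security-rules rules interzone-default log-end yes
```

Hosts inside the same VLAN still reach each other through the switch without touching the firewall, so this design gives visibility and control over inter-VLAN (north-south) traffic only; splitting a segment further means adding another VLAN, subinterface and zone. If the switches do some local routing instead, those flows bypass the firewall entirely, which is the trade-off Matt's "hairpin it or create local routing" question is about.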
03-19-2018 10:02 AM
Thank you folks for all this feedback. Very helpful.
This makes me lean more toward minimal changes to our firewall networking when we install UCS.
Maybe we enable OSPF between our firewalls to communicate routes, but I am not sure even that is necessary since we are so small and just don't have a bunch of routes to manage.