Need to decide method of Paloalto firewall deployment L3 or vwire in an existing network infra

L0 Member


Hi,

I have many sites with different network infrastructure in different countries and I would like to deploy Palo Alto firewalls below the WAN link. Please help to decide the method of Palo Alto firewall deployment, L3 or vwire, in an existing network infrastructure.

I have been assigned to study the infrastructure, decide between L3 and vwire, and give the justifications for my decision.

 

Thanks.

Cyber Elite

Re: Need to decide method of Paloalto firewall deployment L3 or vwire in an existing network infra

Hello,

It really depends on the overall architecture and how the current pieces will play what roles or be removed in the future. VWire is good if you want to wait and see what traffic is going through the PAN or if the current network pieces will remain in place and perform the routing. My personal preference is KISS, minimal parts and simple design. So I would say VWire to get the PANs in and set up your policies. Then move to a layer 3 approach.

Here are a few articles that may help out:

https://docs.paloaltonetworks.com/best-practices/9-0/data-center-best-practices/data-center-best-pra...

https://live.paloaltonetworks.com/t5/Blogs/Getting-Started-Palo-Alto-Networks-Firewall-Series/ba-p/6...

Cheers!

Cyber Elite

Re: Need to decide method of Paloalto firewall deployment L3 or vwire in an existing network infra


@Parthipan wrote:

Hi,

I have many sites with different network infrastructure in different countries and I would like to deploy Palo Alto firewalls below the WAN link. Please help to decide the method of Palo Alto firewall deployment, L3 or vwire, in an existing network infrastructure.

I have been assigned to study the infrastructure, decide between L3 and vwire, and give the justifications for my decision.

Thanks.

The one thing to consider is the requirements and limitations or complications of either deployment. I know vwire deployments can't do some things that other deployments can (maybe only a L3 type deployment, but I'm not sure.)

For instance though from this Palo page:

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/networking/interface-deployments/virtual-w...

"You wouldn’t use a virtual wire deployment for interfaces that need to support switching, VPN tunnels, or routing because they require a Layer 2 or Layer 3 address."

L1 Bithead

Re: Need to decide method of Paloalto firewall deployment L3 or vwire in an existing network infra

Personally, I suggest using L3 instead of vwire.

A reference site: https://www.linkedin.com/pulse/palo-alto-networks-firewall-vwire-mode-alberto-rivai

vwire is proven to be useful in an environment where you do not want or cannot change any L3 domain.
