One configuration for multiple sites



L0 Member


We are trying to deploy the PA 220 at multiple sites. The firewall will be facing an outside internet connection protecting a production server. Objective 1 is to create VPN accounts for specified users and machines (using MAC addresses) to control access. Objective 2 is to block ALL other traffic (incoming/outgoing). Objective 3 is to create a config that can be downloaded to the firewall and which will be updated at our home office.


I have just received my PA 220 to begin testing. Any assistance, advice, references to docs, etc. will be appreciated.


Thanks in advance  

Cyber Elite


I would take a look at @reaper's excellent Getting Started guide. Once you have more specific questions it gets a little easier to help you along the way, but you shouldn't run into any issues getting this to function correctly. 


You can look at the actual PAN-OS 8.0 Getting Started documentation as well: Admin Guide - Getting Started

Cyber Elite


This is an interesting scenario. I did this with Cisco equipment back in the day and it worked out kind of well. Of course I had to preconfigure the equipment in-house prior to shipping, and we had 3G (yes, that old) connections with static IPs for easy prebuilt VPN tunnels. While I think most of the config can be a 'template', there are going to be some custom configs for sure.


1. External IP(s): you'll need to know what they are, unless you are getting DHCP from the ISP? A layer 3 interface can get its IP by DHCP.

2. Tunnel all traffic back through your data center's main connections. This way you can NAT the servers there if they need to be accessed from the public internet.

3. I would create a rule on the 220s that allows the following: VPN connections from your data center IPs only. Also, for the purpose of remote configuration, allow admin access to the device from your data center IPs only.

All of this followed by a DENY ALL rule which precedes the default allow rules that are preconfigured, so that your systems are safe.


While some of my suggestions seem a bit old-fashioned, they do prevent a lot of headaches from the configuration and maintenance side of things.


Just some thoughts.
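The three points above, written out as PAN-OS CLI set commands as an added illustration; this is not from the post or from Palo Alto documentation, and the zone names (untrust, trust, vpn), rule and profile names, and the 203.0.113.0/24 data center range are assumed placeholders for the reader's own values:

```text
# Added example (not from the post). Assumed placeholders: zones untrust/trust/vpn,
# rule and profile names, and 203.0.113.0/24 as the data center's public range.
configure

# 1. Untrust interface takes its address from the ISP by DHCP
set network interface ethernet ethernet1/1 layer3 dhcp-client enable yes create-default-route yes

# 3b. Admin access to the 220 only from the data center range
set network profiles interface-management-profile dc-mgmt https yes ssh yes ping yes
set network profiles interface-management-profile dc-mgmt permitted-ip 203.0.113.0/24
set network interface ethernet ethernet1/1 layer3 interface-management-profile dc-mgmt
set deviceconfig system permitted-ip 203.0.113.0/24

# 3a. Only IKE/IPsec from the data center may reach the firewall's own untrust address
#     (traffic to the firewall's interface is untrust -> untrust, so the rule is intrazone)
set rulebase security rules allow-dc-vpn from untrust to untrust source 203.0.113.0/24 destination any application [ ike ipsec-esp ] service application-default action allow

# 2. Everything between the production server and the data center rides the tunnel
set rulebase security rules site-to-dc from trust to vpn source any destination any application any service any action allow
set rulebase security rules dc-to-site from vpn to trust source any destination any application any service any action allow

# Explicit, logged deny ahead of the predefined intrazone-default / interzone-default rules
set rulebase security rules deny-all from any to any source any destination any application any service any action deny log-end yes

commit
```

Because the rulebase is evaluated top down, the deny-all must stay the last custom rule; anything the first three rules do not match, in either direction, ends there and is logged.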


