Please I need your help to prepare a design document for the implementation of a PA-500 for one of our client, following is the existing architecture of the client site:
The customer need is to control the Internet flow so they can do the URL filtering and traffic shippement and also to have visibility into the nature of to flow to internet (youtube, facebook ...) and to control users and have statisctics of their connexions. for the other connexion of 10Mbps used for VPN flow with their client they need just to have visibility into it they don't have to control it so we proposed to them to implement PA-500 in virtualwire for the internet flow and in TAp mode for the other liaison of VPN flow since in my inderstinding they don't need any layer 3 features seeing that the VPN is already established at the level of the ASA Firewall ( please correct me if I am wrong), for the moment our customer is asking about the advantage and disadvantage of the following scenario and a test procedure to mesure the impact of put in the paloalto firewall in place:
Scenario 1: put the PA-500 before the ASA 5520 ( between ASA5520 and the LAN switch) so they can control both links with internet, since both internet links are linked to ASA and it's for ASA to destinguish between trafic to go to internet and the trafic that goes into VPN basing on the source and destination address. I think in these case we will put the PA-500 in the virtual mode and we can control both trafics but in my understinding we will not be able to distinguish between the two flows.
Scenario 2: putting the PA-500 after the ASA 5520 ( between ASA5520 and the ISP routers). so we put PA-500 in a combination of Vw mode and Tap Mode.
Please let me know wish of those scenarios is better and what will be the impact on service during the implementation of each scenario and the impact on the system performance after putting in place the firewall. also i need to have an idea about the latence, and the delay that will be caused in both scenarios and all the possible other KPIs that can help us evaluate the two different scenarios.
Also note that we will need to connect the PA-500 with the Active directory of the customer so we can get informations using LDAP about users in order to control their trafic. and for the VPN liaison is there any method to see the amount of throughtput that every VPN tunnel is consuming knowing that every tunnel is defined with an IP address source and destination and if it's possible in wish scenario can we perform it.
Thank you in advance.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!