04-03-2022 05:57 PM
We have an HA FW 3220 in our environment and our partner wants to access some of our resources. They propose a PA-440 FW + small 12-port Cisco 3560 in between the two sites by dark fiber.
Just wondering if you can set up FWs back to back instead of having a switch in between, i.e. an extra point of failure?
Is the gateway going to be the switch or the FW440 behind it?
Any suggestions are much appreciated.
04-10-2022 07:54 PM
You can control the access in your end Firewall 3220.
Your partner network has a dedicated fiber line to your network, right? Then just create a VLAN in the PA3220, assign it to a security zone for ACL rule creation, and extend it to your partner network switch.
04-05-2022 01:08 PM
I do not believe any of the PA4xx series include SFP ports to connect up to fiber. A media converter would work in lieu of a switch, but it is still a Single Point of Failure....
Why not configure the FW to set up a site-to-site VPN to more securely connect?
Why not configure GlobalProtect and control where the users are allowed to client VPN into?
Why not configure clientless VPN and let the outside team use the FW to proxy internally inside of your network?
Lots o' questions.
04-06-2022 05:30 PM
04-07-2022 09:59 AM
I prefer to put the layer 3 VLAN interface as a VLAN interface on the PAN. This way you have more granular control of the traffic using security policies and have the traffic inspected.
04-08-2022 11:18 PM
This is simple and doesn't require adding a PA 440. Just a 12-port switch is enough.