Palo FW setup site to site

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Palo FW setup site to site

L1 Bithead

Hi All,

We have a HA fw 3220 in our environment and our partner want to access some of our resources. They propose a PA-440 fw +  small 12-port-Cisco 3560 in between the two sites by dark fiber.

Just wonder if you can setup FWs back to back instead of having a switch in between ie a extra point of failure?

is the Gateway going to be the switch or the FW440 behind it?

Any suggestion are much appreciated.

Thanks

QL

1 accepted solution

Accepted Solutions

You can control the access in your end Firewall 3220. 

Your partner network have dedicated fiber line till your network right. Then just create a VLAN in PA3220 assign it to security zone for ACL rule creation and extend it to your partner network switch.

Thanks,
Sharthu

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

I do not believe any of the PA4xx series including SFP ports, to connect up to fiber.  A media converter would work in lieu of a switch, but it is still a Single Point of Failure.... 

Why not configure the FW to setup a site to site VPN to more securely connect. 

Why not configure Global Protect and control where the users are allowed to client vpn into?

Why not configure clientless VPN and let the outside team use the FW to proxy internally inside of your network.


Lots o' questions.

Help the community: Like helpful comments and mark solutions

Hi Steve,



Thank you for your advice.

We have already dark-fiber in place and I think it would be more secure/faster than other VPN option.

Thanks again.

Qui




Hello,

I prefer to put the layer 3 VLAN interface as a VLAN interface on the PAN. This way you have more granular control of the traffic using security policies and have the traffic inspected.

 

Regards,

This is a simple and doesn't required to add PA 440+ Just 12port switch is enough. 

Thanks,
Sharthu

HI JANARTHANAN,



Does it mean we need to have ACL on the 12 port switch ?

Because we only want them to access certain resources.

Thanks

Q


You can control the access in your end Firewall 3220. 

Your partner network have dedicated fiber line till your network right. Then just create a VLAN in PA3220 assign it to security zone for ACL rule creation and extend it to your partner network switch.

Thanks,
Sharthu
  • 1 accepted solution
  • 2818 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!