Paloalto firewall placement


L3 Networker

Hi,

I have a customer who bought 2 Palo Alto firewalls, with Threat Prevention and URL Filtering licences, and I want some advice on the placement of the Palo Alto in the architecture to ensure maximum security and deploy all necessary functionality.

Please find the architecture attached,

knowing that:

ASA is used for:

- VPN IPsec

- managing internet traffic between DMZ and untrust,

PIX:

- VPN SSL

- manage traffic (VLAN, internet)

TMG:

- publication of servers

- user authentication

- URL filtering

- access control (HTTPS, HTTP, FTP, SMTP)

We can remove some equipment (like the ASA and TMG) and replace it with the Palo Alto; could you please offer me some scenarios?

Best regards,

Sarah


L4 Transporter

hi.

You can replace the TMG and ASA with the PA. Also, it depends on what you would like to prevent or use with the PA.

Also you can (you should) configure the PA in L3. In L3 you route all traffic to the PA (and use the PA as a router as well). I would place it next to the internet (instead of the ASA)...

L0 Member

This is going to be a terribly simplistic reply, mainly because your question could be done so many ways, but I'd collapse edge security into the PAs (including URL filtering and inter-domain communication) and then collapse your VPN functionality into the ASA. The ASA's untrusted side stays external, with its trusted interface passing through the PAs.

We can't, because if the PA is placed at the edge, it will not recognise users.

L6 Presenter

Hi Atelcom,

PANW is capable of the following functions, so I would suggest you replace the ASA and PIX with it:

- managing internet traffic between dmz and untrust,

-VPN ssl

-manage traffic ( vlan, internet)

-url filtering

-access control( https, http, ftp, smtp)

Now, it cannot perform the following functions; you can configure authentication profiles for the same.

- publication of servers

-user authentication

Let me know your concerns in detail.

Regards,

Hardik Shah

So even TMG will be removed??

Hi Atelcomm,

User authentication is normally done by LDAP or RADIUS, so for that you don't need TMG.

I am not familiar with server publication.

Let's say you replace the ASA/PIX with PANW; then for what additional purpose might you need TMG?

Regards,

Hardik Shah

Yes, I understand, and I don't think that is a big deal, because we need authentication just for URL filtering and to identify users,

so we can do that in the PA with the User-ID agent,

but all this will be so complicated for the migration from the old infrastructure to the new one, so we need a backup plan to minimize the downtime.

Regards,

Sarah

Hi Sarah,

I would suggest putting the device in vwire mode first. This will just be a bump-in-the-wire deployment, where no L3 needs to be changed. In this scenario, you can utilize threat prevention, URL filtering, User-ID capability, and captive portal. This should not involve any downtime.

Once this is done and you have full visibility into your network and traffic, you can start building configuration on the device to mimic that of the ASA or TMG. You can configure IPsec, routing, L3 (you are just configuring the device at this point, whereas traffic is flowing normally). Once you verify that everything is configured the way you wanted, you can migrate from the other device to the PA (this will involve a certain downtime, but it will be minimal). Hope this helps. Thank you.

Thanks for your reply; could you please tell me where I should place it in vwire,

because if we place it before the ASA, it can't identify users passing through TMG.

regards,

Sarah

Hi Sarah,

I would put the PA device in between the LAN and the Cisco switch. This would be least intrusive and yet give you full visibility. You can apply User-ID, captive portal, and URL filtering. Once configured for L3, you can replace the ASA with it for IPsec, SSL VPN, routing, etc. Thank you.
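The bump-in-the-wire step from the two replies above (vwire first, between the LAN and the core switch, with User-ID enabled so users are mapped before their traffic reaches the TMG) can be expressed as a PAN-OS set-command fragment. This is an added example, not configuration from this thread or from Palo Alto Networks; the interface names (ethernet1/1, ethernet1/2), the vwire and zone names, and the exact command syntax are assumptions to be checked against the PAN-OS version in use. The lines starting with # are annotations, not CLI input.

```text
# Assumed PAN-OS CLI syntax. Step 1: pair two interfaces as a virtual wire so the
# PA sits in-line between the LAN and the Cisco switch with no IP addressing or
# routing change on the existing ASA / PIX / TMG.
configure
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network virtual-wire lan-vwire interface1 ethernet1/1 interface2 ethernet1/2

# Zones are still required on a vwire so that User-ID, URL filtering and threat
# profiles can be applied per direction (zone names are assumed).
set zone lan-inside network virtual-wire ethernet1/1
set zone lan-outside network virtual-wire ethernet1/2

# Enable user identification on the LAN-facing zone; with a User-ID agent in
# place, sessions are mapped to users before they ever reach the TMG.
set zone lan-inside enable-user-identification yes

commit
```

With this in place, security policy can reference users and URL categories while the ASA, PIX and TMG keep their existing roles; the later L3, routing and IPsec configuration can then be prepared on the same box and cut over once verified.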

L6 Presenter

Hi Atelcom,

If you put the firewall in TAP mode, then definitely you can see the traffic. After that you will configure the firewall in L3 mode for the various services.

Why take the extra step of TAP mode? I would suggest migrating all services one by one to the PANW firewall. Basically, skip TAP and go for direct implementation.

Regards,

Hardik Shah

Hi, thanks to all for your help; I have some updates for this case.

Now the customer wants to add a Stonesoft to load balance the ISPs and wants to manage the internet traffic with the Palo Alto.

The PIX and ASA handle the VPN connections, and TMG the publication.

Where do you think we should place the PA?

Best regards,

Sarah

Hi

If you like, you can firewall the ASA clients and the TMG publication with vwire.
