Paloalto firewall placement

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Paloalto firewall placement

L3 Networker

Hi,

i have customer who bought 2 paloalto firewall, with threat prevention and url filtering licences and i want some advice for the placement of  paloalto in the architecture to ensure the maximum of security and deploy all necessary fonctionnality

please find in attach the architecture ,

knowing that :

ASA is used for :

- VPN IPSC

- managing internet traffic between dmz and untrust,

PIX:

-VPN ssl

-manage traffic ( vlan, internet)

TMG:

- publication of servers

-user authentication

-url filtering

-access control( https, http, ftp, smtp)

we can remove some equipement (like asa and tmg) Capture2.PNG and replace it by paloalto , could you please offer me some scenario

Best regards,

Sarah

Hi
13 REPLIES 13

L4 Transporter

hi.

You can replace the TMG and ASA with the PA. Also it depents what you like to prevent or use with the PA?

Also you can (you should) configure the PA in L3.  In L3 you route each traffic to the PA (and use the PA as a Router as well). I would place it next to the internet (instead of the ASA)...

L0 Member

This is going to be a terribly simplistic reply - mainly because your question could be done so many ways - but I'd collapse edge security in the PAs (including URL filtering and inter-domain communication) and then collapse your VPN functionality into the ASA.  ASA's untrusted says external with it's trusted interface passing through the PAs. 

we cant' because , if the the pa will placed in the edge , he will not recognise users 

L6 Presenter

Hi Atelcom,

PANW is capable of following functions. So I would suggest you to replace it with ASA and PIX

- managing internet traffic between dmz and untrust,

-VPN ssl

-manage traffic ( vlan, internet)

-url filtering

-access control( https, http, ftp, smtp)

Now it can not perform following functions, you can configure authentication profiles for the same.

- publication of servers

-user authentication

Let me know your concerns in detail.

Regards,

Hardik Shah

so even tmg will be removed ??

Hi Atelcomm,

User authentication is  done by LDAP or Radius normally. So for that you dont need TMG.

I am not familiar with server publications.

Lets say if you replace ASA/PIX with PANW than for what additional purpose you  might need TMG.

Regards,

Hardik Shah

yes i indertstand , and i don't thin that is a big deal cause we need athentication just for url filtering and for identify users,

so we can do that in PA with user id agent ,

but all this we be so complicated for the migrantion of the old infrascture to the new one , so we need a backup plan to minimize the downtime

Regards,

Sarah

Hi Sarah,

I would suggest putting the device in Vwire mode 1st. This will just be bump-in-the-wire deployment, where no L3 needs to be changed. In this scenario, you can utilize threat prevention, url filtering, user id capability, captive portal. This should not include any downtime.

Once this is done and you have all visibility to your network and traffic, you can start building configuration on the device to mimic that of ASA or tmg. You can configure IPSec, routing, L3 (You are just configuring the device at this point, where as traffic is flowing normal). Once you verify, everything is configured the way you wanted, you can migrate from other device to PA (this will involve certain downtime but will be minimal). Hope this helps. Thank you.

Thank's for your return, could you please tell me were i should place it in vwire ,

cause if we place it before asa , it can't idnetify users passing through TMG

regards,

Sarah

Hi Sarah,

I would put PA device in between LAN and Cisco switch. This would be least intrusive and yet give you full visibility. You can apply user id, captive portal, url filtering. Once configured for L3, you can replace it with ASA for IPsec, ssl vpn, routing etc. Thank you.

L6 Presenter

Hi Atelcom,

If you put firewall TAP Mode than definitely you can see the traffic. After that you will configure firewall in L3 mode for various services.

Why to take one extra step of TAP mode. I would suggest to migrate one by one all services to PANW firewall. Basically skip TAP and go for direct implementation.

Regards,

Hardik Shah

Hi thanks to all for your help, i have some update for this case

Now the customer want to add a stonsoft to load balance ISP and want to manage the internet traffic by paloalto

the pix and ASA handle the vpn connection and tmg for publication

were do you think we should place the PA

Best regards,

Sarah

HiH

If you like you can firewall the ASA Clients and TMG publication with vwire2014-10-06_12-01-04.jpg

  • 5630 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!