PaloAlto WAN Interface segmentation

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PaloAlto WAN Interface segmentation

L2 Linker

Hello

 

Please help me in this scenario

 

There is the big "Company Site" and the other branches point to this Site, there is an MPLS connection between the branches.

Our need is, the PaloAlto supports segmentation on the WAN part ? can we create a sub-interfaces in the connected interface (MPLS) at the big headquarters, and each sub-interface communicates with a VRF separately.

(NB: Our Client has in WAN side 3 VRF )
Ex:
GAB traffic is coming out of the WAN sub-interface by VRF GAB ...
Traffic production sub-interface WAN by VRF production ...

What I need just a confirmation that on the port Wan PaloAlto supports the segmentation? because in the LAN port I already create sub-interfaces and each sub-interface communicate with his VRF but that on the LAN port, I 'm not sure if the case for the WAN port.

 

VRF WAN.jpg

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

The Palo Alto Networks firewall does not diufferentiate between lan or wan interfaces, only the technology 'mode' it is set to, so it supports layer2, layer3 or vwire (and some others but let's just stick to these)

So your MPLS provider will need to transform the traffic to match one of these technologies (we can't terminate mpls on the firewall)

 

All of these interface types are capable of supporting tagged sub interfaces where you segregate all connected networks using vlan tags

 

so if your WAN provider supports separating each VRF with a unique VLAN tag, you can perfectly create tagged subinterfaces on your 'wan' layer3 interface and even provide each VRF with it's own zone (if so desired) to provide ganular security zones per remote network

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

The Palo Alto Networks firewall does not diufferentiate between lan or wan interfaces, only the technology 'mode' it is set to, so it supports layer2, layer3 or vwire (and some others but let's just stick to these)

So your MPLS provider will need to transform the traffic to match one of these technologies (we can't terminate mpls on the firewall)

 

All of these interface types are capable of supporting tagged sub interfaces where you segregate all connected networks using vlan tags

 

so if your WAN provider supports separating each VRF with a unique VLAN tag, you can perfectly create tagged subinterfaces on your 'wan' layer3 interface and even provide each VRF with it's own zone (if so desired) to provide ganular security zones per remote network

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thank you very much brother, it was very helpful

  • 1 accepted solution
  • 1953 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!