01-27-2017 02:57 AM - edited 01-27-2017 02:58 AM
I have deployed Panorama in our LAN and plan to manage a global install. Now I realized that remote firewalls cannot reach it until they have their VPN setup (which I prefer to do using Panorama too).
What is the best practice to solve this? Should Panorama reside in a DMZ and have managed firewalls communicate over the Internet to a public IP?
01-28-2017 11:23 AM
I've not seen a recommendation in the PA documents, but I have done this type of management using both methods. Personally I prefer the public address connect method. I like to set up and manage the VPN as you mention, but also if there are issues with the VPN then mgmt is still available as long as the internet link itself is up.
You identify the advantages and disadvantages for the main features. If you decide to go with the public address management, be sure to set up specific rules that only permit access to the branch devices from the Panorama NAT address. Make sure the surface area opened is the minimum needed.
02-04-2017 01:44 AM
A quick follow-up. I decided to leave it in the LAN despite the little downsides. I realized that it could potentially store sensitive data that should not be exposed in a DMZ kind of network segment. Also, it would make integration with internal DNS, User-ID agents, etc. easier.
Just in case this helps someone...
02-04-2017 04:07 AM
All good reasons for the internal side connections.
You have a good handle on the benefits each way. I'm sure your deployment will go well.