Panorama location best practice


L1 Bithead

I have deployed Panorama in our LAN and plan to manage a global install. Now I realized that remote firewalls cannot reach it until they have their VPN setup (which I prefer to do using Panorama too).

What is the best practice to solve this? Should Panorama reside in a DMZ and have managed firewalls communicate over the Internet to a public IP?

4 REPLIES

L7 Applicator

I've not seen a recommendation in the PA documents but I have done this type of management using both methods.  Personally I prefer the public address connect method.  I like to set up and manage the VPN as you mention but also if there are issues with the VPN then mgmt is still available as long as the internet link itself is up.

You identify the advantages and disadvantages for the main features.  If you decide to go with the public address management be sure to set up specific rules that only permit access to the branch devices from the Panorama NAT address.  Make sure the surface area opened is the minimum needed.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
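The least-privilege check described in the reply above, as an added example that is not part of the thread: a small static audit of a branch firewall's inbound policy that flags any allow rule exposing the Panorama management connection port (TCP 3978) to a source other than the Panorama NAT address. The rule dictionaries, the NAT address and the policy itself are constructed for illustration and are not PAN-OS's own data model; the check does not model rule ordering, so a broad rule shadowed by an earlier deny is still reported.

```python
import ipaddress

# Constructed values for the example (not from the thread).
PANORAMA_NAT_ADDR = ipaddress.ip_network("203.0.113.10/32")
PANORAMA_MGMT_PORT = 3978  # TCP port used between Panorama and managed devices


def rule_covers_port(rule, dest_port):
    """True when a rule's destination port set includes dest_port ('any' matches all)."""
    return rule["ports"] == "any" or dest_port in rule["ports"]


def permitted_sources(rules, dest_port):
    """Source networks that allow rules open towards dest_port (deny rules ignored)."""
    return [
        ipaddress.ip_network(r["source"])
        for r in rules
        if r["action"] == "allow" and rule_covers_port(r, dest_port)
    ]


def overly_broad(rules, dest_port=PANORAMA_MGMT_PORT, allowed=PANORAMA_NAT_ADDR):
    """Allow rules reaching dest_port from anything other than the exact Panorama NAT
    address. A wider source that merely contains it (e.g. 0.0.0.0/0) is still broad,
    because the opened surface is then larger than the minimum needed."""
    return [net for net in permitted_sources(rules, dest_port) if net != allowed]


# Constructed example policy: one least-privilege rule, one "any"-source rule.
EXAMPLE_RULES = [
    {"name": "panorama-mgmt", "source": "203.0.113.10/32",
     "ports": {3978}, "action": "allow"},
    {"name": "open-mgmt", "source": "0.0.0.0/0",
     "ports": {3978, 443}, "action": "allow"},
    {"name": "deny-rest", "source": "0.0.0.0/0",
     "ports": "any", "action": "deny"},
]

if __name__ == "__main__":
    for net in overly_broad(EXAMPLE_RULES):
        print(f"port {PANORAMA_MGMT_PORT} is reachable from {net}; tighten this rule")
```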

Thanks

L1 Bithead

A quick follow up. I decided to leave it in the LAN despite the little downsides. I realized that it could potentially store sensitive data that should not be exposed in a DMZ kind of a network segment. Also, it would make integration with internal DNS, User-ID agents, etc. easier.

Just in case this helps someone...

All good reasons for the internal side connections.

You have a good handle on the benefits each way.  I'm sure your deployment will go well.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center