02-09-2017 08:51 PM - edited 02-09-2017 08:55 PM
We are planning to make our Palo Alto (pair) into the main internal router for a decent sized enterprise data center and about 300 users. A pair of Arista routers will be our external WAN/BGP routers.
Is using the PAN as a router considered a best practice? Is it an acceptable practice from a speed/performance perspective? We plan to hairpin a lot of the DC traffic into the PAN in order to segregate the various VLANs. Only iSCSI traffic will stay on the top-of-rack switches.
Thoughts?
02-10-2017 06:49 AM
Hi,
Just need to size up the box correctly. How many VLANs are you planning to set up, and at what growth rate? Also, expected traffic (Gbit/sec, new session rate, packet rate), type of traffic (HTTP, HTTPS, SMB, AD, MySQL, Oracle, SIP, DNS). Also, what features are you planning to enable? Are you planning to use threat protection, URL filtering, etc.?
It will be helpful to have some baseline numbers (throughput, type of traffic, new sessions per second, packet rate) from the current setup. That will help. Also, check out how to monitor running resource-monitor https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Interpret-show-running-resource-monito...
Set up NetFlow, SNMP (not on the PAN side, on the switch side, since the PAN SNMP value is not accurate).
Learn how to use ACC https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-FAQ-ACC-PAN-OS-7-0/ta-p/70860
Best of luck,
02-10-2017 02:36 AM
If you can afford large enough appliances for your throughput requirements, get it done! A huge amount of visibility and control is then at your fingertips.
Do check the ARP table limitations of your appliance(s) though; ensure you don't have more hosts than the firewall can handle.
02-10-2017 03:16 AM
We're using our PA-5050 as main router for 30000 users. Nothing but good things to say about it. We also use it as BGP router.
02-10-2017 08:10 AM
We use a pair of PA-5060 (active / passive) firewalls in layer 3 mode in our datacenter and it's working well for us. As @nextgenhappines said, make sure to size up your box properly.
Benjamin
02-10-2017 11:35 AM
We are looking at getting a pair of the new 5200 series 🙂