07-09-2024 09:25 AM
If we deploy a Site-To-Site VPN to one of our remote locations with a Palo Alto NGFW will our main hub firewall control the Threat/URL, etc... and Security/NAT rules for the other Palo Alto?
07-09-2024 12:42 PM
Hi @DuggiFresh ,
Creating a tunnel to a remote site does not give the hub control over the remote site's subscriptions/services as the remote fw will have its own subscriptions/services. You will still need to configure the security policies on the remote site that allow traffic to the hub along with the security profiles you have access to.
07-09-2024 07:13 PM
The answer to your question is ... it depends. @JayGolf is correct in that the answer to this question is generally no. If your goal with this setup is to have the remote site pass everything to your main site and using those subscriptions for all traffic and managing all rules from a single node, you could have the remote site send everything across the tunnel and process everything on the main site. This would have the main site have full control over all traffic, handle any NAT for the remote site, and generally be treated as an extension of the main site.
There's some consequences with this sort of configuration however. The configuration on both sides is slightly more complex to handle everything correctly, it's an abnormal configuration for someone coming into the environment, and you'll have additional latency tunneling all of that traffic back and forth from the main site when accessing resources that don't actually require the use of the tunnel (IE: all normal internet traffic).
That may or may not be a large concern for your environment depending on requirements and the added latency when going across the tunnel for everything.
07-10-2024 08:35 AM
That is what I was wanting to do is to have my remote site pass everything to my main site. These are very small remote sites and our main site is hardly using much resources of the PA it maybe peaks CPU load 10% sometimes but other than that its 2-4% averaging. How easy is passing is it to accomplish passing everything to the main site with a tunnel?
Also, are there better alternatives than a tunnel if we are wanting to direct all traffic to our main site?
07-11-2024 07:48 AM
Hello,
I would recommend the tunnel as it is the most secure option without spending additional money on a point2point circuit. Just route all traffic out of your 'hub' to control the traffic.
This helps greatly in managing and supporting the users when they have issues accessing an internet resource.
Regards,
07-12-2024 09:27 AM
What are some good resources on how to do that? Would I just need to create a static route from the remote site to the IPsec vpn tunnel? I don't want to use those remote sites for managing any of the policies and only use the hub to manage the policies.
07-12-2024 09:30 AM
Hello,
If you only have the one VPN tunnel and way to get to the hub device, then yes a static route would be the easiest.
Regards,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
