Using Global Protect Internally - Several Questions

L1 Bithead

I am fairly new to the world of Palo Alto, so I apologize if this is answered elsewhere. My team is looking at an implementation scenario, and I have several questions as a result. I figured this community would be the best place to start.


We are currently looking to implement Global Protect internally, as a possible replacement for Cisco NAC for our individual system posture checking. We are aware that this isn't true port level security as NAC is, but think it may be a suitable replacement because of the functionality it has. I have recently implemented GP for external connections to our DR site, so I am familiar with the setup in that scenario, and the overall general setup of the solution. Our idea is to filter all traffic through PAs, performing posture checks on individual systems and allow access once HIP match passes.

We are looking to set up a POC of this, using one floor on one wing of our building, consisting of about 200 users. Some of our questions center around how best to accommodate wireless traffic. This is internal traffic, not guest, our own users on wifi. We are a Cisco wireless customer, using Cisco WLCs for our clients. Would it be best to route traffic from the WLCs to the PAs to authenticate users, perform HIP check, and pass traffic? Is this where Captive Portal might come into play?


Additional questions revolve around what type of access individual systems will have, and how best to control traffic. The way I am understanding it, all systems would have access to each other until the posture check is done. That is, they will connect to an open VLAN, communicate to the primary PA GP Gateway, and then be passed on once the posture check is done.


Lastly, we are wondering about what type of performance we can expect. I haven't been able to find reliable figures as to what we might be looking at. We have about 1450 users, and will possibly be growing to about 2000 in the next couple years. We have all features (App-ID, URL Filtering, Wildfire, etc.) turned on. We currently have a number of 3050s in place and are curious if these can be used, or if we should be eyeing the larger 5000 series.


I know this is just a basic rundown, but if anyone can provide additional information or highlights from their experience implementing a similar scenario, I would greatly appreciate it. Even if it is pointing to specific documentation or posts. If I need to detail anything further, please let me know.

1 REPLY 1

Cyber Elite

Hello,

That is an interesting solution to the NAC issue most of us are going to run into. I have heard of internal VPN being used to encrypt data in flight, but not as a NAC solution. I would also be interested in hearing your results and gotchas that you run into.


As for the capacity, you may want to check the specs on the different models to see how many tunnels they can handle. Also look at the large scale deployment model.

https://live.paloaltonetworks.com/t5/Documentation-Articles/Large-Scale-VPN-LSVPN-Deployment-Guide/t...


Regards,
