Virtual Wire - Guide?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Virtual Wire - Guide?

L4 Transporter

We have a PA-500 that's in L3 mode with a simple ethernet1/1 (trust)and ethernet1/2 (untrust) setup.

I want to add a virtual wire to do IPS inspection on traffic to a DMZ network that is currently in front of the PAN, and where it would be a lot of effort to bring it fully behind the PAN.

I've found a guide that's geared towards 3.0 (we're on 3.1.x), is there anything more recent that covers the steps to add a pair of ports into a new virtual wire that can then be connected to the DMZ switch?

In our case our perimeter firewall is controlling the ports that are allowed in and out to this network, and the IP's are public IP's so no NAT is needed etc.  We do use SSL certificates on some of the websites so obviously I'd be interested in decrypting that (we do this already on the L3 side of things).

Any pointers would be great.


Thanks.

1 accepted solution

Accepted Solutions

L3 Networker

The 3.0 guide for Vwire configuration should still be relevant for 3.1.X.

In regards to the SSL decryption.  This will work in Vwire also.  The PAN operates as a proxy for the SSL requests.  the link below explains ssl decryption.  You will need to load the SSL certificate of the web site you are serving behind the PAN.  In the SSL decryption policy you will choose the web sites certificate instead of forward proxy.

https://live.paloaltonetworks.com/docs/DOC-1412

View solution in original post

3 REPLIES 3

L3 Networker

The 3.0 guide for Vwire configuration should still be relevant for 3.1.X.

In regards to the SSL decryption.  This will work in Vwire also.  The PAN operates as a proxy for the SSL requests.  the link below explains ssl decryption.  You will need to load the SSL certificate of the web site you are serving behind the PAN.  In the SSL decryption policy you will choose the web sites certificate instead of forward proxy.

https://live.paloaltonetworks.com/docs/DOC-1412

Thanks, got it all up and working on Friday.

Are there any tips on how to minimise/avoid double counting of traffic?

For example if I have what I do have, which is trust/untrust which are both L3 with untrust being a public IP and doing outbound NAT, when a host on the trusted LAN connects to a host on the vwire, the PAN (the ACC in particular) is logging double traffic as if I filter by destination it's counting it once on Trust -> Untrust and once more on vwire-untrust -> vwire-trusted.

Hello,

the paloalto device will log traffic as long as the traffic matches a policy and that policy is configured to log at session end and/or log as session start. So the only way to avoid the double logging would be to turn off logging at session end and start on the vwire policies.....not sure if you would want to do that though.

Stephen

  • 1 accepted solution
  • 3691 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!