I have a similar config now using Juniper firewall at branch offices. The branch offices only have 2 to 3 users so it doesn't make sense to deploy URL filtering to each location, however, the websense allows me to point my branch firewall to the central websense server for URL filtering. The request travels across a dedicated T1 only for authorization, after which the remainder of the web session (if allowed) will go out the local cable connection. Does the Palo Alto have a branch location agent that will accomplish this? I would be willing to ditch my websense if I could get this done.
"2-3 users at branch office location" is the perfect use-case for PAN Global Protect.
There are various options for "network security" at remote office location, but a basic business-DSL modem and basic packet filtering firewall would suffice (the price is right). Once in place, use PAN Global Protect on all client machines -- all traffic will be routed through nearest PAN gateway and subject to all user resolution, security policy, threat, URL filtering, etc (with added benefit of client interrogation for "HIP profile" that can be used in security policy -- example: if HIP profile doesn't meet criteria X-Y-Z, you can have policy that would not allow machine to access server-subnet/database/etc).
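To make the "HIP profile used in security policy" idea above concrete, here is a small added illustration (not Palo Alto code, and not something from this thread): a toy rulebase evaluated first-match, where access to a server subnet requires the client's host-information checks to pass while ordinary web traffic does not. The HIP criteria, users, subnets and URL categories are all constructed for the example. It also shows the caveat that a HIP-gated allow rule must be followed by an explicit deny for the same subnet, otherwise a non-compliant host simply falls through to the general "allow web" rule.

```python
"""Toy model of a GlobalProtect-style policy that gates a server subnet on a
HIP (Host Information Profile) match. Added illustration only; not Palo Alto
code. All users, subnets, categories and HIP criteria are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class HostInfo:
    """Attributes a client agent would report about its host (constructed)."""
    os: str
    antivirus_running: bool
    disk_encrypted: bool
    patch_age_days: int


def hip_profile_matches(host: HostInfo, criteria: dict) -> bool:
    """True only if every criterion in the (hypothetical) HIP profile holds."""
    checks = {
        "antivirus_running": lambda h, v: h.antivirus_running == v,
        "disk_encrypted": lambda h, v: h.disk_encrypted == v,
        "max_patch_age_days": lambda h, v: h.patch_age_days <= v,
        "os": lambda h, v: h.os == v,
    }
    return all(checks[key](host, value) for key, value in criteria.items())


@dataclass
class Rule:
    name: str
    users: set                    # {"any"} or a set of user names
    dst_network: str              # CIDR the destination must fall in
    url_categories: set           # {"any"} or a set of category names
    hip_criteria: Optional[dict]  # None means no host-posture requirement
    action: str                   # "allow" or "deny"


@dataclass
class Session:
    user: str
    host: HostInfo
    dst_ip: str
    url_category: str


# Constructed "criteria X-Y-Z" for a compliant host.
HIP_COMPLIANT = {"antivirus_running": True, "disk_encrypted": True, "max_patch_age_days": 30}

# Constructed rulebase, evaluated top-down, first match wins.
RULEBASE = [
    Rule("block-risky-web", {"any"}, "0.0.0.0/0", {"malware", "phishing"}, None, "deny"),
    # Database subnet is reachable only from hosts whose HIP report is compliant...
    Rule("db-needs-compliant-host", {"any"}, "10.10.20.0/24", {"any"}, HIP_COMPLIANT, "allow"),
    # ...and everything else aimed at that subnet is explicitly denied. Without this
    # rule a non-compliant host would fall through to "web-out" and be allowed.
    Rule("db-deny-rest", {"any"}, "10.10.20.0/24", {"any"}, None, "deny"),
    Rule("web-out", {"any"}, "0.0.0.0/0", {"any"}, None, "allow"),
]


def evaluate(session: Session, rulebase=RULEBASE):
    """Return (rule name, action) of the first matching rule, or an implicit deny."""
    for rule in rulebase:
        if rule.users != {"any"} and session.user not in rule.users:
            continue
        if ip_address(session.dst_ip) not in ip_network(rule.dst_network):
            continue
        if rule.url_categories != {"any"} and session.url_category not in rule.url_categories:
            continue
        if rule.hip_criteria is not None and not hip_profile_matches(session.host, rule.hip_criteria):
            continue
        return rule.name, rule.action
    return "implicit-deny", "deny"


if __name__ == "__main__":
    good = HostInfo("Windows", True, True, 5)
    bad = HostInfo("Windows", False, True, 5)   # antivirus not running
    for label, sess in [
        ("compliant -> db", Session("alice", good, "10.10.20.5", "business")),
        ("non-compliant -> db", Session("alice", bad, "10.10.20.5", "business")),
        ("non-compliant -> news site", Session("alice", bad, "93.184.216.34", "news")),
        ("compliant -> phishing site", Session("bob", good, "93.184.216.34", "phishing")),
    ]:
        print(f"{label:28s} {evaluate(sess)}")
```

The point of the two adjacent database rules is the ordering problem every rulebase has: a conditional allow narrows who gets in, but it does not by itself keep anyone out, so the deny for the same destination has to sit right behind it and ahead of the broad outbound-web rule.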
The problem is that all traffic would be routed to the PA. In my situation, I want the policies to apply to traffic that traverses the local internet. So if user at branch site goes to a webpage, I would expect the global connect software to reference the Global gateway for policies, and depending on those policies either allow the traffic to flow out the local internet or not. If I have to force all my traffic back to the Palo Alto, why not just tack up a VPN and force all traffic through it?
This can be a choice, VPN without split tunnel. All traffic from the remote office to the central site for inspection and filtering. You save devices/licenses and add the unique apps control but the required bandwidth is double that of the stand-alone case.
This is a test I want to do with ASA 5505 <--> PA-2050, checking if PAN is capable of doing routing & inspection on the same interface (ASA can't do).
Another solution could be Firewall as a Service. Virtual Firewall (PA 2000+ can do that) in central site used as branch office firewall, a crypto (IPSEC) or private connection (MPLS / own fiber) is needed.
@zanobis: what do you really mean when you say "routing and inspection in the same interface"? Every firewall is basically a router and I can't imagine a firewall that can inspect without routing the packets...
Can you show me a link where Cisco says they can't do inspection and routing on the same interface?