This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Network Segmentation

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Network Segmentation

JeromeC
L1 Bithead

‎08-02-2022 11:48 PM

Hi,

 

I'm working to redifine the global architecture. Currently, we have a cluster of 2 Watchguard but we will migrate to Palo Alto (PA-850). Currently, all vlan are configured on Watchguard but I'm not sure that is the best approach. On my LAB, based on GNS3 emulator, I configured a Palo Alto connected to our core switch (Cisco C3850-12s). At short time, the PA-850 will have only 1Gb interface (no 10gb). On my lab, I simulate this network segmentation :

 

- Eth1/1 (Untrust zone) to connect our Internet access

- Eth1/3 (Trust zone) for all vlan configured on core switches (user vlan, toip vlan, printers vlan, visioconferencing vlan...)

- Eth1/4 with several subinterfaces :

        1/4.2 : Network for network admin interfaces (Net_Admin zone)

         1/4.10 : Network for DSI server including SI application (Confluence, Jira,..) and IT infrastructure such as AD, SCCM, antivirus console,.. (DSI_Infra zone)

         1/4.20 : Network used to connected for DSI admin users laptop's (Dsi_Users zone )

         1/4.32 : Network for Wifi Guest (Guest zone)

         1/4.60 : Network for projects/dev servers without security constraint (Mutproj zone)

          1/4.96, 1/4.97,... : Network used for project with security aspects (Secure zone)

 

I need to work on the best segmentation for our network where standard user have no full access on all servers or zone but easly to administrate. What is your opinion about this segmentation ? And regarding performance, is there a risk of issue because lot of trafic will pass through PA-850 (users in trust zone to servers in DSI_Server zone, server in mutproj to dsi_server zone to communicate with AD, sccm..) ? At short time, I'm not able to use 10gb interface so I plan to create an aggregate of Eth1/4 and Eth1/5 to improve bandwidth and performance (I can't emulate it on my lab based on gns3)

 

What is your opinion ? And if you have a better approach, don't hesitate to share it..

 

BR



Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.
Preview file
220 KB
0 Likes Likes
0 REPLIES 0
  • 1498 Views
  • 0 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks