I'm working to redifine the global architecture. Currently, we have a cluster of 2 Watchguard but we will migrate to Palo Alto (PA-850). Currently, all vlan are configured on Watchguard but I'm not sure that is the best approach. On my LAB, based on GNS3 emulator, I configured a Palo Alto connected to our core switch (Cisco C3850-12s). At short time, the PA-850 will have only 1Gb interface (no 10gb). On my lab, I simulate this network segmentation :
- Eth1/1 (Untrust zone) to connect our Internet access
- Eth1/3 (Trust zone) for all vlan configured on core switches (user vlan, toip vlan, printers vlan, visioconferencing vlan...)
- Eth1/4 with several subinterfaces :
1/4.2 : Network for network admin interfaces (Net_Admin zone)
1/4.10 : Network for DSI server including SI application (Confluence, Jira,..) and IT infrastructure such as AD, SCCM, antivirus console,.. (DSI_Infra zone)
1/4.20 : Network used to connected for DSI admin users laptop's (Dsi_Users zone )
1/4.32 : Network for Wifi Guest (Guest zone)
1/4.60 : Network for projects/dev servers without security constraint (Mutproj zone)
1/4.96, 1/4.97,... : Network used for project with security aspects (Secure zone)
I need to work on the best segmentation for our network where standard user have no full access on all servers or zone but easly to administrate. What is your opinion about this segmentation ? And regarding performance, is there a risk of issue because lot of trafic will pass through PA-850 (users in trust zone to servers in DSI_Server zone, server in mutproj to dsi_server zone to communicate with AD, sccm..) ? At short time, I'm not able to use 10gb interface so I plan to create an aggregate of Eth1/4 and Eth1/5 to improve bandwidth and performance (I can't emulate it on my lab based on gns3)
What is your opinion ? And if you have a better approach, don't hesitate to share it..
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!