07-31-2023 02:16 PM
I'm looking at deploying some PAN-440 firewalls and wanted to get some advice as this is one of the first remote sites I've done with Palo. My intention was to build an IPSEC bridge between the remote site and our on-prem firewalls in order to pipe all of the remote site's traffic to us. That would allow us to control internet access and use our on-prem subscriptions for cybersecurity as well as enable the remote site to access our wireless controller, VoIP system, etc.
Looking at deployment options, it seems like ZTP might be good for this so I'm reading up on that.
My question: I'm assuming the management that ZTP sets up would NOT go across the IPSEC tunnel and that it would be best practice to leave it that way? Theoretically, if we create firewall policy that only allows the static IPs on each side to communicate with each other then this would allow troubleshooting if the tunnel fails for some reason. I must admit that I'm a little hesitant to create an inbound NAT and security policy pointing to Panorama for security but, again, this could be mitigated by only allowing the remote static IP and it appears to be necessary for ZTP setup.
Thanks!