What is the best place to deploy the Next-Generation Firewall so that it monitors internal traffic?
A Palo Alto Networks next-generation firewall must capture the network traffic sent between endpoints and data center servers (east-west traffic) so that the Logging Service and Cortex XDR have internal network data to analyze, not only the north-south traffic that crosses the perimeter.
To monitor internal network traffic, customers may:
Use existing inline Next-Generation Firewalls that already carry internal network traffic as sensors to collect network metadata for the Logging Service and Cortex XDR (formerly Magnifier). No new hardware is needed, but only the traffic that already passes through those firewalls is seen.
Deploy a Next-Generation Firewall inline in Layer 3 mode. Besides feeding the sensor data, this deployment improves security because the firewall enforces internal segmentation, threat prevention, and visibility on the traffic it carries. It does require re-addressing or re-routing the internal network so that the east-west traffic passes through the firewall.
Deploy another Next-Generation Firewall inline in Virtual Wire (VWire) mode. A Virtual Wire transparently binds two interfaces with no IP addressing or routing changes, and one firewall can carry several VWires, so the customer's network does not need to be re-architected. Inserting the firewall into the existing links still requires downtime.
Deploy another Next-Generation Firewall with multiple interfaces configured in TAP mode, fed from switch SPAN (mirror) ports or from Network Packet Brokers that send copies of the traffic to these Next-Generation Firewalls. A TAP-mode firewall only observes the copied traffic; it cannot block it, so this option adds visibility but no enforcement.
If a perimeter Next-Generation Firewall has spare interfaces and enough capacity for the additional load, configure new or unused interfaces on it in TAP mode to receive the collected traffic. The customer would use a Network Packet Broker to aggregate the east-west traffic and deliver it to the perimeter firewall.
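For the two TAP-mode options, the mirrored traffic only turns into logs if the TAP interface sits in a zone of type tap and a security rule that logs matches the traffic; a TAP port with no zone or no matching rule is received and silently discarded. The PAN-OS CLI configuration below is an added example written for this page, not configuration taken from the original article or from Palo Alto Networks documentation. The interface ethernet1/5, the zone tap-east-west, the rule tap-visibility and the log forwarding profile fwd-to-logging-service are assumed placeholder names, lines starting with # are annotations rather than commands, and the command syntax is as recalled by the editor, so verify each line against the PAN-OS CLI reference for the release in use.

```text
# Added example (not from the original page). All names are placeholders.
configure
# 1. Put the spare port into TAP mode; it receives copies from a SPAN port
#    or a Network Packet Broker and never transmits.
set network interface ethernet ethernet1/5 tap
# 2. A TAP interface must belong to a zone whose type is tap.
set zone tap-east-west network tap ethernet1/5
# 3. Traffic is only inspected and logged when a security rule matches it.
#    Tapped traffic is matched from the tap zone to the same tap zone.
#    'allow' here means inspect; a TAP interface cannot block anyway.
#    fwd-to-logging-service is an assumed log forwarding profile that
#    sends the traffic logs on to the Logging Service.
set rulebase security rules tap-visibility from tap-east-west to tap-east-west source any destination any application any service any action allow log-end yes log-setting fwd-to-logging-service
commit
exit
# 4. Confirm packets arrive on the port and sessions are being built from them.
show counter interface ethernet1/5
show session all filter from tap-east-west
```

Two checks worth making before trusting the data: on a multi-vsys firewall the rule is set under the owning vsys (set vsys vsys1 rulebase ...), and the packet broker or SPAN session must deliver both directions of each flow to the same firewall, because session tracking and App-ID degrade on one-way traffic and the resulting logs are far less useful to Cortex XDR. Also size the mirrored load against the spare throughput of the perimeter firewall, since TAP traffic competes for the same inspection capacity as the production traffic.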