What is the best place to deploy the Next-Generation Firewall so that it monitors internal traffic?

A Palo Alto Networks next-generation firewall must capture network traffic sent between endpoints and data center servers.

To monitor internal network traffic, customers may:

  • Use existing inline Next-Generation Firewalls that monitor internal network traffic as sensors to collect network metadata for Logging Service and Cortex XDR (formerly Magnifier).
  • Deploy a Next-Generation Firewall in inline L3 mode. This deployment will also offer the added benefit of improved network security because of internal segmentation, threat prevention, and visibility.
  • Deploy another Next-Generation Firewall inline, in VWire mode. This way the Next-Generation Firewall supports multiple VWire interfaces, so the customer’s network does not need to be re-architected, but it will require downtime.
  • Deploy another Next-Generation Firewall with multiple interfaces configured in TAP or SPAN ports or Network Packet Brokers to send the traffic to these Next-Generation Firewalls.
  • Configure new or unused interfaces on a perimeter Next-Generation Firewall to receive collected traffic in TAP mode, if the firewall has extra interfaces and can handle the additional traffic. The customer would use a Network Packet Broker to aggregate the east-west traffic to the perimeter firewall.
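As an added illustration (not part of the original post), here is what the TAP-mode and VWire options above look like in PAN-OS configure-mode CLI on a firewall that has spare ports. Interface numbers, zone names, rule names and the log forwarding profile name are assumptions chosen for the example; a TAP zone only produces logs if a security rule matches the mirrored traffic, which is why the logging rule is included.

```text
# --- Option: spare interface on a perimeter firewall in TAP mode ---
# ethernet1/5 receives east-west traffic aggregated by a SPAN port or
# Network Packet Broker (interface name is an assumption for this example).
configure
set network interface ethernet ethernet1/5 tap
set zone east-west-tap network tap ethernet1/5

# TAP traffic is never forwarded, but it is only inspected and logged
# when a security rule in the TAP zone matches it. Logs go to the
# profile "LogService" (assumed name) that forwards to Logging Service
# for Cortex XDR.
set rulebase security rules tap-visibility from east-west-tap
set rulebase security rules tap-visibility to east-west-tap
set rulebase security rules tap-visibility source any
set rulebase security rules tap-visibility destination any
set rulebase security rules tap-visibility application any
set rulebase security rules tap-visibility service any
set rulebase security rules tap-visibility action allow
set rulebase security rules tap-visibility log-end yes
set rulebase security rules tap-visibility log-setting LogService

# --- Option: separate firewall inline in VWire mode ---
# ethernet1/1 and ethernet1/2 are bridged transparently, so no IP
# re-addressing is needed; inserting the pair is the downtime the
# post mentions. Names are assumptions.
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network virtual-wire vw-dc interface1 ethernet1/1 interface2 ethernet1/2
set zone vw-users network virtual-wire ethernet1/1
set zone vw-servers network virtual-wire ethernet1/2

commit
```

Check the result with `show counter interface ethernet1/5` (packets arriving on the TAP port) and `show log traffic` (sessions logged by the tap-visibility rule) before relying on the sensor for Cortex XDR data.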