PA-3020 L2/VW Config Help

L1 Bithead

Hello,

I just recently purchased a pair of PA-3020s and I am having some trouble with Layer 2 / Virtual Wire interfaces. I am trying to create a network with multiple segments for both servers and workstations. I will have several “standard” segments using layer 3 interfaces and virtual routers with private addressing and NAT, but I also wanted to create an “Edge” network behind the firewall for our publicly addressable servers. This edge network would ideally allow devices plugged into it to use the same public IP space that the external layer 3 interfaces on the firewall use. Other devices not behind the firewall would also be able to use this IP space.

Here is a hasty Visio drawing of what I am trying to accomplish. The top drawing shows the logical network and the bottom drawing roughly shows how the wires are physically connected.

[attached image: EM-NewNetwork-SanitizedOverview.jpg]

I am very new to Palo Alto firewalls, so I am looking for some help. First, is something like this even possible? With a virtual wire or a layer 2 interface it seems like it should be very possible, but when I have tried those it has led to serious problems. With both configurations I would see a momentary drop in all network traffic on the public IP space, even for other devices, for about 10 seconds, and then things would start working again; however, the firewall would start to see all kinds of traffic that is not destined to it or anything plugged into it but instead is destined for a different device on the public network.

The drop in network traffic affecting devices external to the Palo Alto makes me think that some kind of loop is being created which causes the network to fail until Spanning Tree kicks in and fixes it, but I am not sure about that. Everything runs through a single switch stack using different untagged access VLANs (see drawing), so it should not be creating a loop. I will eventually use HA on the PA-3020s, but at the moment I am just working with one, so there should be no loop there either.

Anyone have any ideas?

Thank you.