I currently have a PAN 3220 sitting in serial behind a Cisco ASA. The PAN's doing the higher-level inspection, geo, correlation warnings, content filtering. I had written earlier on the forum about wanting to implement layer 3 on new interfaces and it sounds possible. I've added interfaces inside and out and marked them as layer 3 and added them to new zones L3-OUTSIDE and L3-INSIDE. I just haven't assigned them to a router nor assigned IP addresses.

At turn up I plan to:

- Create a deny any L3-OUTSIDE to any L3-INSIDE rule at the top of the rule set (future Allow rules will go above these)
- Create a virtual router
- Add IPv4 addresses to the interfaces
- Assign the interfaces to the virtual router
- Add some static routes initially - default external and internal (later perhaps I'll add dynamic)

Once this is in place I can put in a NAT to a test host.

Is there any step I've missed or anything that could interfere with the existing vWire layer 2 traffic flows? Since the traffic is in a different set of zones and not participating in my new virtual router, I believe it should not be affected. But I figured I'd check the PAN Hive Brain before plowing ahead.

Thank you.