This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About JoshVogel0
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About JoshVogel0
05-11-2023
3Posts
0Likes
0Solutions
May 11, 2023Last Visited
User
Activity
User
Profile
Latest posts by JoshVogel0
| Subject | Views | Posted |
|---|---|---|
| 1541 | 09-28-2021 08:45 AM | |
| 1723 | 09-16-2021 09:11 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like |
User Badges
Community Statistics
| Member Since | 02-21-2019 08:26 AM |
| Date Last Visited | 05-11-2023 09:01 AM |
| Posts | 3 |
09-28-2021
08:45 AM
Thanks for your input. I had been leaning towards moving the rules but wanted to justify the effort, which you helped to do. Took a few hours, but at least now I know any new remote sites will be simple to bring up in this respect. That's very interesting about Jinja2. I'm reluctant to suggest Panorama anyway since it seems so frequently riddled with CVEs and bugs, and individual management isn't too cumbersome yet. I'll look into Jinja if management ever starts to balloon out of control. We also have SolarWinds NCM which is pulling configs off the firewalls, so I could probably leverage that to push too. I have some experience working with the XML since I used it to copy the policy configs from an existing remote site to a new one.
... View more
09-16-2021
09:11 AM
Hello, We have a pair of 3200s on our main site, and have added an 820 at a remote site to bring up an IPSec tunnel between the two. When I initially set the remote site up, I decided to have all the security policies controlling what access the remote site would have to the main site on the 820 side. I could see arguments for doing it on either end, but I decided on doing this since it's closer to the source and will block denied traffic before it traverses our tunnel (with limited bandwidth) and because I thought it'd make management easier to have a remote site with the few rules it needs and not clutter up the main site with them. The obvious downside being now I had a separate set of rules to maintain (and it looks like we won't be maintaining our Threat Prevention license on the 820...). Now we're adding two more remote sites which will also be set up the same way-- with a site-to-site tunnel back to my 3200s-- which would mean having four sets of security policies to keep up with, so I'm starting to really question this choice. What's best practice (and common practice) in managing the access of remote sites over a tunnel? Should I move the policies to my 3200s and just add the new remote site IPs to these policies as the sites are brought up? Do I keep setting the policies on each remote PAN and push to get Panorama to make maintaining these extra rulesets easier? Thanks
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-11-2023
09:01 AM
|
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks