My current role is as a Network Architect and I am working with our security team to get some Palo Alto firewalls set up to provide GPVPN access and also IPSEC b2b connectivity. Our initial design has a single external public address to host the GPVPN traffic and the IPSEC b2b traffic and works OK. We are currently discussing the option of implementing a 2nd public address so that we can split the GPVPN and IPSEC b2b traffic on to separate interfaces, which seems to make sense. We are also hearing from the security department that they would like to see each IPSEC b2b tunnel terminated on an individual public IP address, which we are going to discuss.

What are your thoughts on this?

• Option 1 - Stay with a single public IP to terminate GPVPN and b2b IPSEC tunnels
• Option 2 - Have a public IP for GPVPN and a 2nd public IP for "ALL" b2b IPSEC tunnels
• Option 3 - Have a public IP for GPVPN and multiple public IPs, 1 for each IPSEC tunnel (20 tunnels - 20 public IPs; 50 tunnels - 50 public IPs)

I am expecting a lot of people to come back with either option 1 or option 2, but I am interested to see if anyone thinks option 3 is a good idea.
This is purely theoretical and does not represent a real network. You can think of this as on prem or public cloud:

Monolithic

This design utilizes 3 physical firewalls that are embedded in a data center fabric:
• Perimeter
• B2B
• DC

The main focus of my question is on the DC firewall; as you can see, segmentation is derived by using traditional zones. There are some people that like this design as it's very simple and it has been used for years.

Virtualization

This design utilizes 3 physical firewalls that are embedded in a data center fabric:
• Perimeter
• B2B
• Virtualized (vFWs)

The main focus of my question is on the Virtualized firewall; as you can see, segmentation is derived by creating virtualized firewalls that represent the environment that we are trying to segment. There are some people that like this design as it provides greater audit capabilities on environments like PCI x and y.

Can you provide a short paragraph on what your thoughts are, and what you see as the pros and cons to each design?
• Which one is better for on prem?
• Which one is better for public cloud?
• Which one would provide better audit capabilities?
• Which one would provide better automation / orchestration capabilities?
• Which one is more agile?