I have not had much hands-on time with Palo Alto, in particular Panorama, but I would like to ask for some help. We have Panorama at our central data center, which is used to configure our remote PA-52xx firewalls. If Panorama is used to apply policy to a firewall and there is a need to roll back a recent policy change, which of these are possible?

1) Roll back the change via Panorama. This can be done!! I know this at least.
2) Roll back the change via local web access to the mgmt port. Is this possible?
3) Roll back the change via the local console port. Is this possible?
4) Are there any other ways to roll back the change?

If you are able to answer 2, 3 or 4, can you provide a brief summary of the process to roll back, please?

Also, whilst working with Juniper equipment there is a "commit confirmed" command which allows you to commit a config that will automatically roll back after 10 minutes if no action is taken. This helps if your change cuts you off from the remote site. Is there a Palo Alto equivalent command available for v8, v9?

Thanks, Mark
My current role is as a Network Architect, and I am working with our security team to get some Palo Alto firewalls set up to provide GPVPN access and also IPSEC b2b connectivity. Our initial design has a single external public address to host the GPVPN traffic and the IPSEC b2b traffic, and it works OK. We are currently discussing the option of implementing a 2nd public address so that we can split the GPVPN and IPSEC b2b traffic onto separate interfaces, which seems to make sense. We are also hearing from the security department that they would like to see each IPSEC b2b tunnel terminated on an individual public IP address, which we are going to discuss. What are your thoughts on this?

Option 1 - Stay with a single public IP to terminate GPVPN and b2b IPSEC tunnels.
Option 2 - Have a public IP for GPVPN and a 2nd public IP for "ALL" b2b IPSEC tunnels.
Option 3 - Have a public IP for GPVPN and multiple public IPs, 1 for each IPSEC tunnel: 20 tunnels - 20 public IPs, 50 tunnels - 50 public IPs.

I am expecting a lot of people to come back with either option 1 or option 2, but I am interested to see if anyone thinks option 3 is a good idea.
This is purely theoretical and does not represent a real network. You can think of this as on-prem or public cloud:

Monolithic
This design utilizes 3 physical firewalls that are embedded in a data center fabric:
• Perimeter
• B2B
• DC
The main focus of my question is on the DC firewall. As you can see, segmentation is derived by using traditional zones. There are some people that like this design as it's very simple and it has been used for years.

Virtualization
This design utilizes 3 physical firewalls that are embedded in a data center fabric:
• Perimeter
• B2B
• Virtualized (vfw's)
The main focus of my question is on the virtualized firewall. As you can see, segmentation is derived by creating virtualized firewalls that represent the environment that we are trying to segment. There are some people that like this design as it provides greater audit capabilities on environments like PCI x and y.

Can you provide a short paragraph on what your thoughts are? What do you see as the pros and cons of each design? Which one is better for on-prem? Which one is better for public cloud? Which one would provide better audit capabilities? Which one would provide better automation / orchestration capabilities? Which one is more agile?