About peterpan13888

Hi all, We are working on moving some of our servers to AWS and they require 2 VPN redundant tunnels to be configured with our network. Amazon suggested to terminate the VPN on Internet edge router because the VPN redundancy requires BGP. Between the Internet edge router and the Palo Alto firewall, it is unprotected (but it will be on our physical premises). I have suggested to project team to terminate the VPN on Palo Alto instead. However, in this case, the PA3020 has to run BGP which is supported. My questions are: - whether running BGP will have a significant impact on performance? - As the existing firewall traffic does not run BGP, my plan is to run this AWS VPN on a different virtual router with 2 separate external and internal interfaces totally segregated from existing firewall traffic but still performs traffic inspection. Does this work?   Do you have any best practice and recommendations for this VPN connectivity? Thanks!  FYI: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html vs. NIST 800-77 (http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf) a standard for all US federal agencies to follow: 3 - Traffic Not Protected by IPsec. Organizations should consider carefully the threats against network traffic after it has been processed by the receiving IPsec gateway and sent without IPsec protection across additional network segments. For example, an organization that wants to place its VPN gateway outside its Internet firewalls should ensure that the traffic passing between the IPsec gateway and the Internet firewalls has sufficient protection against breaches of confidentiality and integrity. ... View more

Hi all, We are in the process of re-designing our network topology and I have a question regarding the placement of our Internet firewall: - place the PA firewall directly on the Internet (with default gateway pointing directly to the ISP's gateway) - place the PA (using private address) behind an Internet edge router owned by us which is pointing to the ISP Internet gateway? Which is the best practice (I presume the latter but want to confirm)? Any comments are welcome ... View more

Hi all, I am trying to connect using Cisco Anyconnect VPN client on my iPAD to Palo Alto Global Protect VPN Gateway with different configurations without success. Do you have any suggestions whether they can inter-operate? If yes, what settings on both ends are required? By the way, I am using AD password and not certificate for user authentication. Thanks in helping!! ... View more

Hi all, I wonder whether anyone has successfully configured site-to-site IPSec VPN tunnel with CalAmp LTE Fusion device (a cellular mobile router). Somehow I cannot establish the vpn tunnel under different configurations and I know it is running opensource strongswan. Interestingly, CalAmp has an older model Vanguard 3000 for 3G and the vpn tunnel works fine. Any advice will be invaluable. Thanks!! ... View more

Recently we are planning to roll out potentially hundreds of IPSEC VPN tunnels at our customer locations to access our own remote devices securely over the Internet. However, we don't have good control of physical access to these remote VPN devices managed by us and I don't want unauthorized access to our trusted network (in separate security zone) through these remote devices.  The good news is that we will always initiate connections and the TCP/UDP port is always fixed.  I tried to add a firewall rule that ended up terminating the VPN tunnel. I am also aware the IPSEC proxy tab allows me to set the protocol and ports on both ends but not sure this works. Any suggestions how to lock it down based on these two requirements? Thanks! Peter Man   ... View more

Hi all, We have an internal firewall that does not have no Internet access. I wonder what is the best way and best practice in updating the IPS / AV signature (no URL filtering). Any recommendation? Thanks ... View more

Hi all, We have recently migrated from Juniper to Palo Alto firewall and there are numerous firewall rules that are obsolete and potentially a security risk to me. I tried to use "highlight unused rules" button but it does not seem consistent to me. Are the highlighted rules unused since the firewalls start running or simply not currently used at the moment now? (There is a big difference between the two). Thanks a lot!! ... View more