====== Palo Deployment Architecture ======

Configuration strategy:

Zones:
  * Untrust (for Internet links).
  * VPN (possibly used, but only for third parties - not for VPNs to other internal sites).
  * Trust (all interfaces that don't fit the others).
  * Guest (for guest networks that break out locally to the Internet, do not access any other site and are not accessible from any other site).

Tags:
  * global-block
  * inbound
  * global-allow (e.g. ping).
  * rest-of-rules: use the "Group by" tag. Within a group, use a normal tag to describe the destination.
  * For guest, explicitly allow the permitted traffic, then block everything else from the guest zone.
  * For each "zone" that isn't really a zone (e.g. mgmt, printers, wifi, servers, dmz), create an address group that contains all of its subnets.

Two zone protection profiles - one for external interfaces and one for all others.

Create an address group of the firewall's interface IP addresses so that a single rule can allow the firewall interfaces to ping/traceroute/ICMP anywhere.

Enable an interface management profile with ping, SSH, HTTPS, User-ID and SNMP on a loopback or on the firewall's interface to the mgmt network. Use this for SNMP polling, User-ID redistribution (with a service route so that User-ID is also fetched from other firewalls via this address) and for managing the 'active' firewall.

Enable ping, HTTPS, SSH and SNMP on the actual management interfaces. Use these for backup access/troubleshooting.

Consider doing RADIUS/LDAP/TACACS queries from the loopback via a service route. A local account would then be needed to get access to the passive firewall, since the passive unit's dataplane interfaces (and so the loopback service route) are not up and it cannot reach the authentication servers.

====== VLANs ======

^ VLAN range ^ Name ^ Contents ^
| 10x | Management | Firewall, switch and access point mgmt. VMware mgmt and other 'all IT can access' mgmt. UPS mgmt. Other mgmt functions (e.g. wall board control). |
| 11x | Server | Windows servers, Linux servers, network servers (e.g. Infoblox DNS/DHCP). |
| 12x | Voice | -- if needed -- |
| 14x | NetworkDevices | Printers. |
| 10x | Users Wired | Up to 10 wired VLANs. Can represent different buildings/floors/departments/etc. |
| 10x | Users WiFi | Up to 10 WiFi VLANs for users. Could represent different SSIDs/etc. |
| 15x | Security | CCTV, building alarm, door control. |
| 16x | Guest | Guest WLAN, guest wired. |
| 17x | Lab | Staging lab, demo environment, internal lab, training VLANs. |
| 18x | DMZ | Up to 10 DMZ subnets. |
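The zone/tag/address-group strategy in the Deployment Architecture section above is easy to describe and easy to break during day-to-day rule changes (a guest allow added below the guest deny-all, a server rule dropped into the global-allow block). The script below is an added example, not Palo Alto Networks code or anything from the original page: it models a rule plan as data, lints it against the invariants the page sets out (fixed group-tag order, pseudo-zones backed by address groups, guest zone ending in a deny-all, a firewall-self group for ICMP) and renders it as PAN-OS configure-mode ''set'' commands. All zone names, address-group names, subnets (chosen to mirror the 10x/11x/18x VLAN numbering) and rules are constructed for illustration, and the ''set'' syntax in ''emit()'' is written from memory and must be checked against your PAN-OS version before anything is pasted into a firewall.

```python
"""Rulebase plan linter/emitter for the zone + group-tag strategy on this page.

Added example, not Palo Alto Networks code. Zones, address groups, subnets and
rules are constructed for illustration; the 'set' syntax in emit() is from
memory and must be verified against your PAN-OS version.
"""
from dataclasses import dataclass

ZONES = {"untrust", "vpn", "trust", "guest", "any"}

# "Zones" that are really address groups inside trust (constructed subnets that
# mirror the 10x/11x/18x VLAN numbering). known-bad stands in for an EDL.
ADDRESS_GROUPS = {
    "mgmt":      ["10.0.100.0/24", "10.0.101.0/24"],
    "servers":   ["10.0.110.0/24"],
    "dmz":       ["10.0.180.0/24"],
    "fw-self":   ["10.0.100.254/32", "203.0.113.2/32"],  # firewall interface IPs
    "known-bad": ["192.0.2.0/24"],
}

# Order the rulebase keeps when viewed "Group by tag": three fixed heads, then
# one group per destination (the page's "rest-of-rules").
GROUP_ORDER = ["global-block", "inbound", "global-allow", "guest", "servers", "dmz"]


@dataclass
class Rule:
    name: str
    group: str                 # group-tag: which block of the rulebase this sits in
    src_zone: str
    dst_zone: str
    source: str = "any"        # address-group name or "any"
    destination: str = "any"
    apps: tuple = ("any",)
    action: str = "allow"


def lint(rules):
    """Return the ways a plan departs from the page's strategy (empty list == clean)."""
    problems = []
    objects = set(ADDRESS_GROUPS) | {"any"}
    last_pos = -1
    for r in rules:
        if r.src_zone not in ZONES or r.dst_zone not in ZONES:
            problems.append(f"{r.name}: references an undefined zone")
        if r.source not in objects or r.destination not in objects:
            problems.append(f"{r.name}: references an undefined address group")
        if r.group not in GROUP_ORDER:
            problems.append(f"{r.name}: unknown group-tag {r.group!r}")
            continue
        pos = GROUP_ORDER.index(r.group)
        if pos < last_pos:
            problems.append(f"{r.name}: group {r.group!r} is out of order")
        last_pos = max(last_pos, pos)
    # Guest: explicit allows first, then the final guest-sourced rule must be a
    # deny-all; otherwise traffic leaks out or an allow sits shadowed below the deny.
    guest = [r for r in rules if r.src_zone == "guest"]
    if not guest:
        problems.append("guest: no rules for the guest zone")
    else:
        last = guest[-1]
        if not (last.action == "deny" and last.dst_zone == "any"
                and last.destination == "any" and last.apps == ("any",)):
            problems.append(f"guest: last guest rule {last.name!r} is not a deny-all")
    return problems


def emit(rules):
    """Render the plan as PAN-OS configure-mode 'set' commands (syntax: see docstring)."""
    out = []
    for name, members in ADDRESS_GROUPS.items():
        for i, cidr in enumerate(members):
            out.append(f"set address {name}-{i} ip-netmask {cidr}")
        objs = " ".join(f"{name}-{i}" for i in range(len(members)))
        out.append(f"set address-group {name} static [ {objs} ]")
    for tag in GROUP_ORDER:
        out.append(f"set tag {tag} color color1")
    for r in rules:
        out.append(
            f"set rulebase security rules {r.name} from {r.src_zone} to {r.dst_zone} "
            f"source {r.source} destination {r.destination} "
            f"application [ {' '.join(r.apps)} ] service application-default "
            f"action {r.action} group-tag {r.group}"
        )
    return out


# Constructed plan that follows the strategy.
PLAN = [
    Rule("block-known-bad", "global-block", "any", "any", source="known-bad", action="deny"),
    Rule("inbound-web", "inbound", "untrust", "trust", destination="dmz", apps=("ssl", "web-browsing")),
    Rule("fw-self-icmp", "global-allow", "any", "any", source="fw-self", apps=("ping", "traceroute")),
    Rule("guest-internet", "guest", "guest", "untrust", apps=("dns", "ssl", "web-browsing")),
    Rule("guest-block-all", "guest", "guest", "any", action="deny"),
    Rule("users-to-servers", "servers", "trust", "trust", destination="servers", apps=("ms-ds-smb", "ldap")),
]

# Same rules with the guest deny-all moved above the guest allow: the allow is
# shadowed and the zone no longer ends with a block, which lint() reports.
BAD_PLAN = [PLAN[0], PLAN[1], PLAN[2], PLAN[4], PLAN[3], PLAN[5]]

if __name__ == "__main__":
    for plan in (PLAN, BAD_PLAN):
        print(lint(plan) or "plan OK")
    print("\n".join(emit(PLAN)))
```

Run it before a change window against the plan you intend to commit; ''lint()'' is the part worth keeping, since the invariants it checks are exactly the ones that silently erode as rules accumulate. In production the ''known-bad'' group would be an External Dynamic List rather than a static address group, and the emitted commands are a starting point to diff against ''show config candidate'' rather than something to paste blind.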